On Thu, Oct 21, 1999, David Nugent wrote:

> I examined the mailing list archives and saw some related discussion, but
> no direct answer to the following questions. Apologies if this is a rehash
> of former discussion, but I could not find any which covers this specific
> question.
> 
> Last week, I was running Apache 1.3.6 + mod_php 3.0.10 + mod_ssl 2.3.5. This
> config ran fine for MSIE 4.x+ and Netscape browsers. The certificate is a
> Thawte wildcard cert; i.e. *.blaze.net.au.
> 
> Then I upgraded to Apache 1.3.9 + mod_php 3.0.12 + mod_ssl 2.4.5. Suddenly
> both servers on which I use this wildcard certificate failed to work with
> any browser.
> 
> In addition to the startup warning I get about the certificate not matching
> the canonical name of the current machine (which is different to the web
> server name, which is a CNAME in the DNS), I also see the following.
> 
> [Mon Oct 18 21:48:12 1999] [error] mod_ssl: SSL handshake failed (client
> 203.17.53.132, server accounts.blaze.net.au:443) (OpenSSL library error
> follows)
> [Mon Oct 18 21:48:12 1999] [error] OpenSSL: error:14094412:SSL
> routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN in
> certificate not server name!?]
> 
> Now, I agree about the mismatch, but it appears that support for wildcard
> certificates has been completely withdrawn? I already realise the
> limitations of a wildcard CN, but this used to work fine, but now doesn't -
> with the same browsers.
> 
> Is there an easy solution other than forking out another AU$300 for two new
> certs?

Errr... all this CN mismatch stuff has actually nothing real to do with the
server and this way has not really anything to do with mod_ssl. At least we've
not changed anything related to the CN handling, except that the server
received a few additional warning messages for the logfile if it detects some
inconsistencies. So I think you should check your certs and browser cert
caches instead.
                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
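
The error code in the quoted log line can be decoded to see which side rejected the certificate. The following is an added example, not part of the original messages or of mod_ssl. It assumes the pre-3.0 OpenSSL error packing (8-bit library, 12-bit function, 12-bit reason) and that SSL-library reason codes of 1000 or more are alerts received from the peer; the function names are hypothetical.

```python
import re

# Constructed sample: the two log lines quoted in the thread, with the
# mail client's line wrapping undone.
SAMPLE_LOG = """\
[Mon Oct 18 21:48:12 1999] [error] mod_ssl: SSL handshake failed (client 203.17.53.132, server accounts.blaze.net.au:443) (OpenSSL library error follows)
[Mon Oct 18 21:48:12 1999] [error] OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN in certificate not server name!?]
"""

ERR_LIB_SSL = 20            # OpenSSL library number for "SSL routines"
ALERT_REASON_OFFSET = 1000  # OpenSSL's SSL_AD_REASON_OFFSET

# Certificate-related alert descriptions from the SSLv3/TLS alert protocol.
ALERTS = {40: "handshake_failure", 42: "bad_certificate",
          43: "unsupported_certificate", 44: "certificate_revoked",
          45: "certificate_expired", 46: "certificate_unknown",
          48: "unknown_ca"}

ERR_RE = re.compile(r"OpenSSL: error:([0-9A-Fa-f]{8}):")


def decode_error(code_hex):
    """Unpack an 8-hex-digit OpenSSL error code into lib, func and reason."""
    code = int(code_hex, 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= ALERT_REASON_OFFSET:
        alert = reason - ALERT_REASON_OFFSET  # alert number sent by the peer
    return {"lib": lib, "func": func, "reason": reason,
            "peer_alert": alert, "alert_name": ALERTS.get(alert)}


def classify(log_text):
    """Return one decoded record per OpenSSL error line, with its origin."""
    records = []
    for match in ERR_RE.finditer(log_text):
        rec = decode_error(match.group(1))
        rec["origin"] = ("alert received from peer"
                         if rec["peer_alert"] is not None
                         else "local library error")
        records.append(rec)
    return records


if __name__ == "__main__":
    for record in classify(SAMPLE_LOG):
        print(record)
```

For the logged code 14094412 the reason field is 1042, that is alert 42 (bad_certificate) read from the client, so the rejection was made by the browser and only reported by the server.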
