In my quest to get my Verisign Cert working with modssl / apache I've now
sorted several problems, which I thought I would post for posterity.
Because I'm an ssl newbie I went down several false routes due to ignorance.
Therefore some of these things might be obvious to many. Indeed points 1)
and 2) are already described elsewhere. However, perhaps others would find
this info useful. Point (3) shuld probably be in the mod_ssl FAQ.
I might still have the wrong end of the stick about a lot of this - please
correct me if I'm wrong.
1) Understanding Verisign Global IDs
(I couldn't find a succint explanation of Chain Files for a long time.
There's acually an OK one on the modssl.org website but for some reason it
didn't make sense to me for a while)
Versign call their 128-bit certs 'Global IDs'. These come in two parts: a
'Server Subscriber Certificate', and an 'Intermediate CA Certificate' (aka
Certificate Chain File).
The 'Server Subscriber Certificate' is your own cert, and you should point
the SSLCertificateFile directive at it.
The Intermediate CA Certificate is needed because of the US export
restrictions on strong encrpytion. Until the end of 1999 there were no
'export' (e.g. European) browsers that could do 128-bit certificates.
Therefore, export browsers built before Jan 2000 (NS 4.72 and before, IE
5.01 and before) do not trust Verisign 128-bit keys.
These days international users presented with 128-bit certs *can* use them.
However, they get a warning saying the CA is not trusted. In order to get
around this, a certificate chain is used. By my understanding, this
basically means that CA 1 signs my key; the cert by CA 1 is not trusted, so
their key is in turn signed by CA 2, who are trusted. By following the
chain, my browser knows it can trust the CA who signed my key.
You should point SSLCertificateChainFile at your Server Subscriber
Certificate. You can also point SSLCACertificateFile at it. However, the
latter directive is intended for authenticating clients rather than other
CAs, so you might as well use the former (I think?!).
2) Why isn't mod_ssl working on Solaris?
Some of the openssl library calls look to /dev/random for seeding the random
number generator. If they can't find it, they end up by looking to
$HOME/.rnd or $RANDFILE for random data. Furthermore, openssl 0.9.5 and
above refuse to continue if they can't get 128 bits of entropy from this
data. So fill up $RANDFILE with some line noise. See
http://www.openssl.org/support/faq.html for more details.
3) Why can't I view my site using IE5.x?
There are two irritating bugs in IE5's implementation of SSL not mentioned
on the mod_ssl website. One is that you can't use IP addresses - you must
use the FQDN to access the site. The other bug affects non-128-bit versions
of IE 5.01, which basically don't work at all. If you force SSLProtocol All
-SSLv3 it works in IE5.01 but breaks other browsers. See:
http://support.microsoft.com/support/kb/articles/Q244/3/02.ASP
http://support.microsoft.com/support/kb/articles/Q247/3/67.ASP
http://www.microsoft.com/windows/ie/security/schannel.asp
N.B. I can see some GID sites using my copy of 5.01 / 56 bit. Whether this
is a server-side workaround or something else I don't know. Any clues?
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
