[I had to be out of the office, sorry to be slow in following up]

Thanks for the reply, Jose. Either I posed my question poorly or I don't 
understand your answer.

I have two servers running (they are on the same host (distinguished ports), the 
CN value in the certificate won't be an issue). One is Apache1+modssl-addon, the 
other is Apache2+modssl-builtin. Both are set up with a copy of our secure 
server certificate from Verisign (SSLCertificateFile), and the Verisign-provided 
intermediate certificate (SSLCertificateChainFile). (And of course both have the 
same SSLCertificateKeyFile).

Now. When I point IE6 (or Opera) at either server, it recognizes the 
intermediate certificate, figures out that it knows who Verisign is (in its 
list of known CAs), and trusts our Verisign-issued server cert.

If I point Netscape at the Apache1 version, it behaves in this way also.

If I now point Netscape at the trial Apache2 setup, it claims that (as noted) 
the server cert was issued by an unrecognized CA.

So .. the only way I can articulate this situation is .. that there is some 
difference in the way the mod_ssl addon for Apache 1 and the mod_ssl builtin for 
Apache 2 delivers intermediate certificate chain info, and that only Netscape 
seems to be sensitive to the difference.

Jose Correia (J) wrote:
> To my knowledge the Netscape behaviour is actually the normal one. If
> the server certificate is not installed in their browser Trusted
> certificate store (or its higher parent) then there is no way its
> going to recognize it as a trusted certificate.
> 
> Regards
> Jose
> 
> 
> -----Original Message-----
> From: J. B. Chambers [mailto:[EMAIL PROTECTED]]
> Sent: 03 October 2002 17:41
> To: [EMAIL PROTECTED]
> Subject: NS7 sees cert diff in Apache 1.3+mod_ssl and Apache 2
> 
> 
> Hi.
> 
> My production server is currently running
>    Server: Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6g
> 
> and I'm test driving
>    Server: Apache/2.0.42 (Unix) mod_ssl/2.0.42 OpenSSL/0.9.6g
> 
> I have a secure server certificate from Verisign, and the intermediate
> cert from their website installed as the SSLCertificateChainFile.
> 
> Things work fine on the production platform. On the test platform,
> things work fine using IE6 or Opera as the browser, and the certificate
> details are okay on inspection.
> 
> However, Netscape 7 (and also Mozilla, BTW) returns the error
>    The certificate was issued by a certificate authority
>    that Netscape 7.0 does not recognize
> which would seem to be a cert chain problem. Probing with openssl
> s_client does not suggest a server problem. You can, of course, just
> tell NS7 to permanently accept the cert and continue, but it's upsetting
> to some users to have to do that.
> 
> Info at mozilla.org suggests that, at least up till recently, there
> have been known SSL/TLS issues, but I don't see anything quite like this.
> 
> Anyone with a similar experience/problem/solution?
> 
> Thanks in advance.
> John Chambers <[EMAIL PROTECTED]>
> 
> 
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      [EMAIL PROTECTED]
> Automated List Manager                            [EMAIL PROTECTED]


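One way to compare what the two servers in this thread actually put on the wire is to summarize the "Certificate chain" section that `openssl s_client -showcerts` prints for each port. The script below is an added example, not part of the original messages; the function names and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Live use (HOST and PORT are placeholders):
#   openssl s_client -connect HOST:PORT -showcerts </dev/null 2>/dev/null | chain_report

# chain_report: read s_client output on stdin, print "<certs sent> <status>".
chain_report() {
  awk '
    BEGIN { n = 0 }
    /^Certificate chain/       { in_chain = 1; next }
    in_chain && /^---/         { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
    in_chain && /^ *i:/        { sub(/^ *i:/, ""); iss[n++] = $0; next }
    END {
      status = "linked"
      # each issuer must equal the subject of the next certificate sent
      for (k = 0; k + 1 < n; k++) if (iss[k] != subj[k + 1]) status = "broken"
      if (n == 1) status = "leaf-only"   # no intermediate was delivered
      if (n == 0) status = "no-chain"    # input had no chain section
      print n, status
    }'
}

# Constructed sample: server sends the leaf plus the intermediate.
sample_with_intermediate() {
  cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=Example Org/CN=www.example.test
   i:/O=Example CA/OU=Example Intermediate CA
 1 s:/O=Example CA/OU=Example Intermediate CA
   i:/C=US/O=Example CA/OU=Example Root CA
---
Server certificate
EOF
}

# Constructed sample: server sends only its own certificate.
sample_leaf_only() {
  cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=Example Org/CN=www.example.test
   i:/O=Example CA/OU=Example Intermediate CA
---
Server certificate
EOF
}

echo "with intermediate: $(sample_with_intermediate | chain_report)"
echo "leaf only:         $(sample_leaf_only | chain_report)"
```

Running `chain_report` against each port and diffing the two results shows whether both servers send the same number of certificates in the same order.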
