Christian, Christian Schulte wrote: > > Robert Relyea wrote: > > My guess is the certificate in question is a secondary CA signed by a > > primary. The problem is that gtoc.iss.net is probably misconfigured. It > > should send the secondary certificate with it's server certificate. > > Their misconfiguration is masked on IE because IE throughs every CA cert > > it finds into it's permament certificate store. > > > > Daniel Kluge wrote: > > > >> Hello there, > >> I was just visiting https://gtoc.iss.net/, which gives me an 'Unknown > >> Certificate Signer' or so error.
This is a problem with the https://gtoc.iss.net SSL server configuration. We see a lot of these misconfigured servers these days. That server does not transmit the full certificate chain, from leaf cert (SSL server cert with a subject of gtoc.iss.net) to the root Verisign cert, and the intermediate verisign certificate. Unlike IE, Netscape Communicator and Mozilla do not save the intermediate certificates into the database, in order not to grow the database indefinitely every time you visit a new SSL web site. Only the root certificates are kept persistently (and actually they are now in a PKCS#11 module). The SSL protocol specifies that the server must present its entire certificate chain to the client, but this server is not doing so, and therefore Mozilla cannot verify it. This not a mozilla bug. The solution is for the system administrator to correct the server configuration. -- "Except for the lack of debugging and the ps thing, [Linux] kernel threads are generally fine right now. And if you're not too fussed about the more fiddly details of POSIX threads, and your application doesn't spend most of its time in thread creation, then LinuxThreads is great too." Linux-Kernel archive
