Actually, in addition to the last link I gave,
http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/31fe9768dcb00b2c/7fab610c48b40a9c?#7fab610c48b40a9c
has a link to the entire thread (which includes a couple more
questions and answers).

http://is.gd/n9o4 is a short redirect to that URL.

-Kyle H

On Thu, Mar 12, 2009 at 7:31 PM, Rene Hollan <rene.hol...@watchguard.com> wrote:
> Great, just great.
>
> My changes worked for IE, but not for Firefox.
>
> Apparently, Firefox does more stringent checking than IE, and indeed,
> than OpenSSL s_client ... (which gives a nice cert chain).
>
>
> -----Original Message-----
> From: Rene Hollan
> Sent: Thursday, March 12, 2009 6:34 PM
> To: 'openssl-users@openssl.org'
> Subject: RE: Can't recognize intermediate CA
>
> Sigh.
>
> Well, I added the intermediate CA to the cert chain sent by my proxy
> (and verified this with wireshark).
>
> OpenSSL s_client -CAfile cacert.pem -host login.yahoo.com -port 443
> works and shows the trust chain.
>
> But, Firefox, with cacert.pem loaded into its trust store still
> complains. :-(
>
>
>
> -----Original Message-----
> From: Rene Hollan
> Sent: Thursday, March 12, 2009 5:39 PM
> To: 'openssl-users@openssl.org'
> Subject: RE: Can't recognize intermediate CA
>
> Yup. That fixed it. At least as far as openssl verify -CAfile
> cacert.pem -untrusted intcert2.pem yahoo-x.pem goes.
>
> Oddly, firefox still rejects the end cert, even though both cacert.pem
> and intcert2.pem are in its trust store. Is it possible that browsers
> actually ignore intermediate CA certs in their trust store and expect
> servers to provide them? That's the next thing for me to try (if only I
> can remember how to do that with openssl... :-)).
>
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
> Sent: Thursday, March 12, 2009 4:23 PM
> To: openssl-users@openssl.org
> Subject: Re: Can't recognize intermediate CA
>
>
> If it's any consolation you aren't alone with that, it gets commented on
> quite often, so much so in fact that it has an FAQ entry:
>
> http://www.openssl.org/support/faq.html#USER15
>
> You can just leave out the issuer+serial number combination from AKID
> too.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Homepage: http://www.drh-consultancy.demon.co.uk
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-us...@openssl.org
> Automated List Manager                           majord...@openssl.org
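The behaviour the thread circles around, as an added shell example that is not part of the original thread: a throwaway root, intermediate and leaf are built with the openssl CLI, and the leaf verifies only when the intermediate is supplied beside it (openssl's -untrusted, or the server sending it in the handshake). File names, subjects and the extension files are placeholders standing in for Rene's cacert.pem and intcert2.pem.

```shell
#!/bin/sh
# Added example, not code from the thread: build a root -> intermediate -> leaf
# chain and show that the leaf verifies only when the intermediate is supplied.
# File names and subjects are placeholders.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extension files. AKID is keyid only, without issuer+serial, as Steve suggests.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > leaf.ext

# mkcsr NAME CN: fresh private key plus a CSR for it
mkcsr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
}

mkcsr root "Example Root CA"
mkcsr int  "Example Intermediate CA"
mkcsr leaf "proxy.example.test"

# Self-signed root
openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 30 \
  -extfile ca.ext >/dev/null 2>&1
# Intermediate signed by the root, leaf signed by the intermediate
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out int.pem -days 30 -extfile ca.ext >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -out leaf.pem -days 30 -extfile leaf.ext >/dev/null 2>&1

# Succeeds: root is trusted, intermediate is offered as untrusted chain material,
# which is the role the server's handshake chain plays for a browser.
verify_with_intermediate() {
  openssl verify -CAfile root.pem -untrusted int.pem leaf.pem >/dev/null 2>&1
}
# Fails ("unable to get local issuer certificate"): nothing links leaf to root,
# which is what a browser sees when the server omits the intermediate.
verify_without_intermediate() {
  openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1
}

verify_with_intermediate && echo "with intermediate: OK"
verify_without_intermediate || echo "without intermediate: FAIL (as expected)"
```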