On Thu, May 03, 2012, Tammany, Curtis wrote:

> > It sounds like some clients have the correct intermediate certificate(s)
> > installed and some do not.
> >
> > They should select the certificate, click the "view" button and see if the
> > certificate path is complete (i.e. it says it is OK).
> 
> On systems (XP and some Win7) where the user can access the site the cert 
> chain is short:
> DoD Root CA2 -> DOD CA-24 -> Smith.John.1234567890
> 
> On the Windows 7 systems where the user CANNOT access the site, the cert 
> chain is long:
> Common Policy -> SHA-1 Federal Root CA -> DoD Interoperability Root CA 1 -> 
> DoD Root CA2 -> DOD CA-24 -> Smith.John.1234567890
> 
> Users on those systems cannot access the site. If, however, I remove the 
> first three certs from their intermediate certification authorities list in 
> IE, the user can access the site.
> 
> Is there something I can do on my servers so that it will tolerate the long 
> cert chain?
> SSLVerifyDepth is currently set to 5. Increase to 6 or more?
> Do I need to add Common Policy, SHA-1 Federal Root CA and DoD 
> Interoperability Root CA certs to my cert file on the server?
> 

The way OpenSSL verify works is to try and build as much of the path as
possible from the peer and then try local storage, so you need "Common Policy"
in your trusted store and increase the depth too.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
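Steve's description of the path building, and the fix he gives, can be reproduced offline with the openssl command line. The script below is an added example and is not part of this thread or of the OpenSSL project's own documentation or test suite. It rebuilds both chains from the question with throw-away RSA keys (the certificate names are taken from the question; keys, serials and file names are constructed here) and then runs the same verification the server performs: -CAfile plays the role of SSLCACertificateFile, -untrusted is what the client sends along with its own certificate, and -verify_depth is SSLVerifyDepth. It assumes an openssl binary (1.0.2 or later) on PATH and write access to a temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the short and the long chain
# from the question with throw-away keys and check them with "openssl verify".
# Assumption: the openssl CLI is on PATH; all names/files below are constructed.

WORK=${WORK:-$(mktemp -d)}
EXT_CA="$WORK/ca.ext"
EXT_EE="$WORK/ee.ext"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$EXT_CA"
printf 'basicConstraints=CA:FALSE\n' > "$EXT_EE"

# keyfor NAME: generate NAME's RSA key once, print its path.
keyfor() {
    [ -f "$WORK/$1.key" ] || openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    echo "$WORK/$1.key"
}

# csrfor NAME CN: a CSR for subject CN signed with NAME's key, print its path.
csrfor() {
    openssl req -new -key "$(keyfor "$1")" -subj "/CN=$2" -out "$WORK/$1.csr" 2>/dev/null
    echo "$WORK/$1.csr"
}

# mk_root NAME CN: self-signed CA certificate in $WORK/NAME.pem.
mk_root() {
    openssl x509 -req -in "$(csrfor "$1" "$2")" -signkey "$(keyfor "$1")" \
        -days 2 -extfile "$EXT_CA" -out "$WORK/$1.pem" 2>/dev/null
}

# mk_cert NAME CN ISSUER OUT EXT: certificate for NAME's key, issued by ISSUER,
# written to $WORK/OUT.pem. OUT lets one key (DoD Root CA2) appear both as a
# self-signed root and as a cross-certificate issued by the Interoperability Root.
mk_cert() {
    openssl x509 -req -in "$(csrfor "$1" "$2")" -CA "$WORK/$3.pem" -CAkey "$(keyfor "$3")" \
        -CAcreateserial -days 2 -extfile "$5" -out "$WORK/$4.pem" 2>/dev/null
}

# build_pki: the six certificates named in the question plus the two bundles
# that the two kinds of Windows client present to the server.
build_pki() {
    [ -f "$WORK/leaf.pem" ] && return 0
    mk_root commonpolicy "Common Policy"
    mk_cert fedroot  "SHA-1 Federal Root CA"          commonpolicy fedroot    "$EXT_CA"
    mk_cert interop  "DoD Interoperability Root CA 1" fedroot      interop    "$EXT_CA"
    mk_root dodroot2 "DoD Root CA2"                                            # self-signed root
    mk_cert dodroot2 "DoD Root CA2"                   interop      dodroot2-x "$EXT_CA"  # cross-cert
    mk_cert ca24     "DOD CA-24"                      dodroot2     ca24       "$EXT_CA"
    mk_cert leaf     "Smith.John.1234567890"          ca24         leaf       "$EXT_EE"
    # XP / working Win7: only the issuing CA travels with the user certificate.
    cat "$WORK/ca24.pem" > "$WORK/short-peer.pem"
    # Failing Win7: the client sends the cross-certified path up to Common Policy.
    cat "$WORK/ca24.pem" "$WORK/dodroot2-x.pem" "$WORK/interop.pem" "$WORK/fedroot.pem" \
        > "$WORK/long-peer.pem"
}

# verify_chain STORE PEER DEPTH: exit 0 if the user certificate verifies with
# $WORK/STORE.pem as the trusted store, $WORK/PEER.pem as the peer-supplied
# intermediates and DEPTH as the verify depth.
verify_chain() {
    build_pki
    openssl verify -CAfile "$WORK/$1.pem" -untrusted "$WORK/$2.pem" \
        -verify_depth "$3" "$WORK/leaf.pem" >/dev/null 2>&1
}

# The clients that work today: short chain, server trusts DoD Root CA2, depth 5.
short_chain_ok()       { verify_chain dodroot2 short-peer 5; }
# The failing clients after the reply's fix: Common Policy trusted, depth raised.
long_chain_ok()        { verify_chain commonpolicy long-peer 6; }
# Same peer chain with the depth left too small: rejected as too long.
long_chain_shallow()   { verify_chain commonpolicy long-peer 2; }
# The configuration in the question: long peer chain, store holds only DoD Root CA2.
long_chain_old_store() { verify_chain dodroot2 long-peer 6; }

report() { if "$1"; then echo "$1: verified"; else echo "$1: FAILED"; fi; }
report short_chain_ok
report long_chain_ok
report long_chain_shallow
report long_chain_old_store
echo "artifacts left in $WORK"
```

The first two cases verify and the third is rejected on every OpenSSL release. The fourth is the situation in the question: on the 1.0.x releases current when this was written, the peer-supplied cross-certificates are used first, the path runs up to Common Policy, and verification fails because Common Policy is not in the store, which is exactly Steve's point; 1.1.0 and later look in the trusted store first at every step (the -trusted_first behaviour), find the self-signed DoD Root CA2 there and accept the chain, so that case is reported but not relied on. The same check can be run against a real server's files by pointing -CAfile at the SSLCACertificateFile and -untrusted at the intermediates extracted from a failing client's certificate store.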
