RE: NS7 sees cert diff in Apache 1.3+mod_ssl and Apache 2
Hi John

Yeah, I just wanted to make sure that your chain file was set up correctly, which it seems to be. Unfortunately I have only used Apache 1.3.x and I haven't used any chain certificates as yet (just used my own generated certificates).

The only thing I can think of is to compare the CA details in the Netscape truststore to the details of the CA available on the Apache side (using openssl to view it), just to eliminate that possibility.

Try joining the Netscape security mailing list and see if you can get any info there??

Regards
Jose

-----Original Message-----
From: J. B. Chambers [mailto:[EMAIL PROTECTED]]
Sent: 10 October 2002 20:56
To: [EMAIL PROTECTED]
Subject: Re: NS7 sees cert diff in Apache 1.3+mod_ssl and Apache 2

[I had to be out of the office, sorry to be slow in following up]

Thanks for the reply, Jose. Either I posed my question poorly or I don't understand your answer.

I have two servers running (they are on the same host (distinguished ports), the CN value in the certificate won't be an issue). One is Apache1+modssl-addon, the other is Apache2+modssl-builtin. Both are set up with a copy of our secure server certificate from Verisign (SSLCertificateFile), and the Verisign-provided intermediate certificate (SSLCertificateChainFile). (And of course both have the same SSLCertificateKeyFile).

Now. When I point IE6 (or Opera) at either server, it recognizes the intermediate certificate, figures out that it knows who Verisign is (in its list of known CAs), and trusts our Verisign-issued server cert. If I point Netscape at the Apache1 version, it behaves in this way also. If I now point Netscape at the trial Apache2 setup, it claims that (as noted) the server cert was issued by an unrecognized CA.

So .. the only way I can articulate this situation is .. that there is some difference in the way the mod_ssl addon for Apache 1 and the mod_ssl builtin for Apache 2 delivers intermediate certificate chain info, and that only Netscape seems to be sensitive to the difference.

Jose Correia (J) wrote:

To my knowledge the Netscape behaviour is actually the normal one. If the server certificate is not installed in their browser Trusted certificate store (or its higher parent) then there is no way it's going to recognize it as a trusted certificate.

Regards
Jose

-----Original Message-----
From: J. B. Chambers [mailto:[EMAIL PROTECTED]]
Sent: 03 October 2002 17:41
To: [EMAIL PROTECTED]
Subject: NS7 sees cert diff in Apache 1.3+mod_ssl and Apache 2

Hi.

My production server is currently running

    Server: Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6g

and I'm test driving

    Server: Apache/2.0.42 (Unix) mod_ssl/2.0.42 OpenSSL/0.9.6g

I have a secure server certificate from Verisign, and the intermediate cert from their website installed as the SSLCertificateChainFile. Things work fine on the production platform. On the test platform, things work fine using IE6 or Opera as the browser, and the certificate details are okay on inspection. However, Netscape 7 (and also Mozilla, BTW) returns the error

    The certificate was issued by a certificate authority that Netscape 7.0 does not recognize

which would seem to be a cert chain problem. Probing with openssl s_client does not suggest a server problem.

You can, of course, just tell NS7 to permanently accept the cert and continue, but it's upsetting to some users to have to do that. Info at mozilla.org suggests that, at least up til recently, there have been known SSL/TLS issues, but I don't see anything quite like this.

Anyone with a similar experience/problem/solution?

Thanks in advance.

John Chambers
[EMAIL PROTECTED]

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]

Re: NS7 sees cert diff in Apache 1.3+mod_ssl and Apache 2
[I had to be out of the office, sorry to be slow in following up]

Thanks for the reply, Jose. Either I posed my question poorly or I don't understand your answer.

I have two servers running (they are on the same host (distinguished ports), the CN value in the certificate won't be an issue). One is Apache1+modssl-addon, the other is Apache2+modssl-builtin. Both are set up with a copy of our secure server certificate from Verisign (SSLCertificateFile), and the Verisign-provided intermediate certificate (SSLCertificateChainFile). (And of course both have the same SSLCertificateKeyFile).

Now. When I point IE6 (or Opera) at either server, it recognizes the intermediate certificate, figures out that it knows who Verisign is (in its list of known CAs), and trusts our Verisign-issued server cert. If I point Netscape at the Apache1 version, it behaves in this way also. If I now point Netscape at the trial Apache2 setup, it claims that (as noted) the server cert was issued by an unrecognized CA.

So .. the only way I can articulate this situation is .. that there is some difference in the way the mod_ssl addon for Apache 1 and the mod_ssl builtin for Apache 2 delivers intermediate certificate chain info, and that only Netscape seems to be sensitive to the difference.

Jose Correia (J) wrote:

To my knowledge the Netscape behaviour is actually the normal one. If the server certificate is not installed in their browser Trusted certificate store (or its higher parent) then there is no way it's going to recognize it as a trusted certificate.

Regards
Jose

-----Original Message-----
From: J. B. Chambers [mailto:[EMAIL PROTECTED]]
Sent: 03 October 2002 17:41
To: [EMAIL PROTECTED]
Subject: NS7 sees cert diff in Apache 1.3+mod_ssl and Apache 2

Hi.

My production server is currently running

    Server: Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6g

and I'm test driving

    Server: Apache/2.0.42 (Unix) mod_ssl/2.0.42 OpenSSL/0.9.6g

I have a secure server certificate from Verisign, and the intermediate cert from their website installed as the SSLCertificateChainFile. Things work fine on the production platform. On the test platform, things work fine using IE6 or Opera as the browser, and the certificate details are okay on inspection. However, Netscape 7 (and also Mozilla, BTW) returns the error

    The certificate was issued by a certificate authority that Netscape 7.0 does not recognize

which would seem to be a cert chain problem. Probing with openssl s_client does not suggest a server problem.

You can, of course, just tell NS7 to permanently accept the cert and continue, but it's upsetting to some users to have to do that. Info at mozilla.org suggests that, at least up til recently, there have been known SSL/TLS issues, but I don't see anything quite like this.

Anyone with a similar experience/problem/solution?

Thanks in advance.

John Chambers
[EMAIL PROTECTED]

RE: NS7 sees cert diff in Apache 1.3+mod_ssl and Apache 2
To my knowledge the Netscape behaviour is actually the normal one. If the server certificate is not installed in their browser Trusted certificate store (or its higher parent) then there is no way it's going to recognize it as a trusted certificate.

Regards
Jose

-----Original Message-----
From: J. B. Chambers [mailto:[EMAIL PROTECTED]]
Sent: 03 October 2002 17:41
To: [EMAIL PROTECTED]
Subject: NS7 sees cert diff in Apache 1.3+mod_ssl and Apache 2

Hi.

My production server is currently running

    Server: Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6g

and I'm test driving

    Server: Apache/2.0.42 (Unix) mod_ssl/2.0.42 OpenSSL/0.9.6g

I have a secure server certificate from Verisign, and the intermediate cert from their website installed as the SSLCertificateChainFile. Things work fine on the production platform. On the test platform, things work fine using IE6 or Opera as the browser, and the certificate details are okay on inspection. However, Netscape 7 (and also Mozilla, BTW) returns the error

    The certificate was issued by a certificate authority that Netscape 7.0 does not recognize

which would seem to be a cert chain problem. Probing with openssl s_client does not suggest a server problem.

You can, of course, just tell NS7 to permanently accept the cert and continue, but it's upsetting to some users to have to do that. Info at mozilla.org suggests that, at least up til recently, there have been known SSL/TLS issues, but I don't see anything quite like this.

Anyone with a similar experience/problem/solution?

Thanks in advance.

John Chambers
[EMAIL PROTECTED]
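
Added example (not from any message in this thread): a Python sketch of the comparison discussed above, reading the "Certificate chain" section that `openssl s_client -showcerts` prints and checking whether the certificates a server sent link up to a root in a given trust list. The sample outputs, all names and the trust list are constructed, and matching is by name only, with no signature verification.

```python
import re

# Constructed samples of the "Certificate chain" section printed by
#   openssl s_client -connect HOST:PORT -showcerts   (all names are made up)
WITH_INTERMEDIATE = """\
Certificate chain
 0 s:/C=US/O=Example Org/CN=www.example.test
   i:/O=Example Trust Network/CN=Example Intermediate CA
 1 s:/O=Example Trust Network/CN=Example Intermediate CA
   i:/C=US/O=Example Root Inc./OU=Example Public Primary CA
---
"""
LEAF_ONLY = """\
Certificate chain
 0 s:/C=US/O=Example Org/CN=www.example.test
   i:/O=Example Trust Network/CN=Example Intermediate CA
---
"""
TRUSTED_ROOTS = {"/C=US/O=Example Root Inc./OU=Example Public Primary CA"}

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject, in_chain = [], None, False
    for line in text.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
        elif in_chain and line.startswith("---"):
            break
        elif in_chain:
            m = re.match(r"\s*(?:\d+\s+)?([si]):\s*(.+)$", line)
            if m and m.group(1) == "s":
                subject = m.group(2).strip()
            elif m and subject is not None:
                chain.append((subject, m.group(2).strip()))
                subject = None
    return chain

def check_chain(text, trusted_roots):
    """Name-level check only: signatures are not verified here."""
    chain = parse_chain(text)
    if not chain:
        return False, "server sent no certificates"
    for k in range(len(chain) - 1):
        if chain[k][1] != chain[k + 1][0]:
            return False, f"cert {k} issuer does not match cert {k + 1} subject"
    if chain[-1][1] in trusted_roots:
        return True, f"{len(chain)} cert(s) sent, chains to a trusted root"
    return False, f"no path to a trusted root; missing issuer: {chain[-1][1]}"

if __name__ == "__main__":
    for out in (WITH_INTERMEDIATE, LEAF_ONLY):
        print(check_chain(out, TRUSTED_ROOTS))
```

Capture the output once per server (one per port in the setup described) and compare what `parse_chain` returns for each; a difference in the certificates actually sent shows up as a different list.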