On 04/03/2014 11:19 AM, Thomas J. Hruska wrote:
> This works fine:
>
> http://opensslfoundation.org/
>
>
> This raises a certificate warning (Firefox):
>
> https://opensslfoundation.org/
>
> opensslfoundation.org uses an invalid security certificate. The
> certificate is not trusted because no issuer chain was provided. The
> certificate is only valid for the following names:
> www.opensslfoundation.com , opensslfoundation.net , wiki.openssl.org
> (Error code: sec_error_unknown_issuer)
>
>
> Switching to the .com variant, it also raises a certificate warning:
>
> www.opensslfoundation.com uses an invalid security certificate. The
> certificate is not trusted because no issuer chain was provided. (Error
> code: sec_error_unknown_issuer)
>
>
> Bad server configuration or is the problem on my end?
We're "squatting" on the opensslfoundation.org FQDN but don't use it in
preference to opensslfoundation.com which emphasizes the commercial
aspect of the OpenSSL Software Foundation (OSF).
The issuer of the server cert is a self-signed root. That was done
deliberately so as to not implicitly endorse any of the commercial CAs
that have their certs preloaded in browser keystores. So the Firefox
"issuer is unknown" warning is expected. If it makes you actually think
about the authenticity of the server so much the better, it's not like
the pre-load keystores constitute a very exclusive club.
The "opensslfoundation.com" name should be in the cert. I'll put it on
my list...
-Steve M.
--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
