Re: Can APR use verisign certs ?

2007-01-09 Thread Mladen Turk

robert lazarski wrote:

> Hi all,
>
> I'm using apr 1.1.3 with tomcat 5.5.18 and openssl. During my
> research I noticed that self-signed certs seem to work, but I'm in
> doubt if pay type $$$ certs from verisign will work. We've submitted
> our csr to verisign, and if I understand correctly we need to use the
> crt from verisign with apr / tomcat / ssl. Can anyone shed some light
> on this?



The sole distinction between self-signed and verified certificates
is client dependent only. If the server certificate is not signed
by the one the web browser trusts it will give you the message
box with that notice.

So if your self-signed works, the verisign-signed will work
as well. It's completely irrelevant to OpenSSL.

Regards,
Mladen.

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Can APR use verisign certs ?

2007-01-09 Thread robert lazarski

On 1/9/07, Mladen Turk <[EMAIL PROTECTED]> wrote:

> robert lazarski wrote:
> > Hi all,
> >
> > I'm using apr 1.1.3 with tomcat 5.5.18 and openssl. During my
> > research I noticed that self-signed certs seem to work, but I'm in
> > doubt if pay type $$$ certs from verisign will work. We've submitted
> > our csr to verisign, and if I understand correctly we need to use the
> > crt from verisign with apr / tomcat / ssl. Can anyone shed some light
> > on this?
> >
>
> The sole distinction between self-signed and verified certificates
> is client dependent only. If the server certificate is not signed
> by the one the web browser trusts it will give you the message
> box with that notice.
>
> So if your self-signed works, the verisign-signed will work
> as well. It's completely irrelevant to OpenSSL.



That makes sense. However, on the client side I'm getting a "There's a
problem with the sites security certificate."  That's in IE6; on
firefox I get a similar popup. We have registered the csr with
verisign. Is this solely a client side and verisign issue? Any clues?




RE: Can APR use verisign certs ?

2007-01-09 Thread Peter Crowther
> From: robert lazarski [mailto:[EMAIL PROTECTED] 
> However, on the client side I'm getting a "There's a
> problem with the sites security certificate."  That's in IE6; on
> firefox I get a similar popup. We have registered the csr with
> verisign. Is this solely a client side and verisign issue? Any clues?

Exactly what error is being given?  The three parts of the IE6 message
are:

- The cert isn't signed by a trusted root;
- The cert isn't within its date range (too early or too late);
- The cert is for a different host than the one the browser thinks it's
contacting (this is often due to a typo in the CSR, or due to hosting
multiple sites on the same box).

Which of these is IE complaining about?

- Peter




Re: Can APR use verisign certs ?

2007-01-09 Thread robert lazarski

On 1/9/07, Peter Crowther <[EMAIL PROTECTED]> wrote:

> > From: robert lazarski [mailto:[EMAIL PROTECTED]
> > However, on the client side I'm getting a "There's a
> > problem with the sites security certificate."  That's in IE6; on
> > firefox I get a similar popup. We have registered the csr with
> > verisign. Is this solely a client side and verisign issue? Any clues?
>
> Exactly what error is being given?  The three parts of the IE6 message
> are:
>
> - The cert isn't signed by a trusted root;
> - The cert isn't within its date range (too early or too late);
> - The cert is for a different host than the one the browser thinks it's
> contacting (this is often due to a typo in the CSR, or due to hosting
> multiple sites on the same box).
>
> Which of these is IE complaining about?
>
> - Peter


It says:

1) Cert is from a valid authority (good)
2) The certificate has expired or is not yet valid
3) The name on the certificate is invalid or does not match the name
of the site.

When I clicked to view the cert it says number 2. Looking at the cert
it does say verisign in the expected places. Thanks for asking me that
- I gave it a better look. Suppose I need to ask verisign ;-).
Thanks!

Robert




Re: Can APR use verisign certs ?

2007-01-09 Thread robert lazarski

On 1/9/07, robert lazarski <[EMAIL PROTECTED]> wrote:

> On 1/9/07, Peter Crowther <[EMAIL PROTECTED]> wrote:
> > > From: robert lazarski [mailto:[EMAIL PROTECTED]
> > > However, on the client side I'm getting a "There's a
> > > problem with the sites security certificate."  That's in IE6; on
> > > firefox I get a similar popup. We have registered the csr with
> > > verisign. Is this solely a client side and verisign issue? Any clues?
> >
> > Exactly what error is being given?  The three parts of the IE6 message
> > are:
> >
> > - The cert isn't signed by a trusted root;
> > - The cert isn't within its date range (too early or too late);
> > - The cert is for a different host than the one the browser thinks it's
> > contacting (this is often due to a typo in the CSR, or due to hosting
> > multiple sites on the same box).
> >
> > Which of these is IE complaining about?
> >
> > - Peter
>
> It says:
>
> 1) Cert is from a valid authority (good)
> 2) The certificate has expired or is not yet valid
> 3) The name on the certificate is invalid or does not match the name
> of the site.
>
> When I clicked to view the cert it says number 2. Looking at the cert
> it does say verisign in the expected places. Thanks for asking me that
> - I gave it a better look. Suppose I need to ask verisign ;-).
> Thanks!
>
> Robert



Actually I just looked further and the valid dates are from Jan 7 2007
to Java 8 2008. That's really odd. I'm running IE6 via wine / linux,
and the date on my machine is ok. Firefox 2.0 seemingly doesn't
give the reason. Any clues before asking verisign?




RE: Can APR use verisign certs ?

2007-01-09 Thread Peter Crowther
> From: robert lazarski [mailto:[EMAIL PROTECTED] 
> It says:
> 
> 1) Cert is from a valid authority (good)

OK.

> 2) The certificate has expired or is not yet valid

OK.  Get the certificate details (which you can do within IE6); you can
see the issue date and expiry date.  My guess is that it may not yet be
valid.

> 3) The name on the certificate is invalid or does not match the name
> of the site.

Is this happening *as well*, or is it just a date issue?

- Peter




RE: Can APR use verisign certs ?

2007-01-09 Thread Peter Crowther
> From: robert lazarski [mailto:[EMAIL PROTECTED] 
> Any clues before asking verisign ?

Can you tell us (or me privately) the address of the site if it's
Internet-accessible?  I can then connect and have a look at the cert and
the surrounding environment.  If we can see the problem, we'll be able
to help more easily!

- Peter




Re: Can APR use verisign certs ?

2007-01-09 Thread robert lazarski

On 1/9/07, Peter Crowther <[EMAIL PROTECTED]> wrote:

> > From: robert lazarski [mailto:[EMAIL PROTECTED]
> > Any clues before asking verisign?
>
> Can you tell us (or me privately) the address of the site if it's
> Internet-accessible?  I can then connect and have a look at the cert and
> the surrounding environment.  If we can see the problem, we'll be able
> to help more easily!
>
> - Peter


Very kool of you to offer!

http://alpha-web01.alphatheory.com/atdev/

Robert




RE: Can APR use verisign certs ?

2007-01-09 Thread Peter Crowther
> From: robert lazarski [mailto:[EMAIL PROTECTED] 
> http://alpha-web01.alphatheory.com/atdev/

The cert's issued to dpt.alphatheory.com; you're testing connections to
alpha-web01.alphatheory.com.  Any sensible browser will scream at that
difference.  If they didn't, crackers would be able to get a cert for
www.somesillyname.com, install it on a spare server, poison the DNS for
www.amazon.com and the browsers wouldn't scream as they were redirected.

You will get errors from every browser with that cert unless/until they
connect to https://dpt.alphatheory.com.

- Peter




Re: Can APR use verisign certs ?

2007-01-09 Thread robert lazarski

On 1/9/07, Peter Crowther <[EMAIL PROTECTED]> wrote:

> > From: robert lazarski [mailto:[EMAIL PROTECTED]
> > http://alpha-web01.alphatheory.com/atdev/
>
> The cert's issued to dpt.alphatheory.com; you're testing connections to
> alpha-web01.alphatheory.com.  Any sensible browser will scream at that
> difference.  If they didn't, crackers would be able to get a cert for
> www.somesillyname.com, install it on a spare server, poison the DNS for
> www.amazon.com and the browsers wouldn't scream as they were redirected.
>
> You will get errors from every browser with that cert unless/until they
> connect to https://dpt.alphatheory.com.
>
> - Peter


Thanks a bunch for the explanation and your time!
Robert




Re: Can APR use verisign certs ?

2007-01-09 Thread Mladen Turk

robert lazarski wrote:

> On 1/9/07, Peter Crowther <[EMAIL PROTECTED]> wrote:
>
> > > From: robert lazarski [mailto:[EMAIL PROTECTED]
> > > Any clues before asking verisign?
> >
> > Can you tell us (or me privately) the address of the site if it's
> > Internet-accessible?  I can then connect and have a look at the cert and
> > the surrounding environment.  If we can see the problem, we'll be able
> > to help more easily!
> >
> > - Peter
>
> Very kool of you to offer!
>
> http://alpha-web01.alphatheory.com/atdev/



You have a signed server certificate for
dpt.alphatheory.com, not for alpha-web01.alphatheory.com.

Of course any browser will issue a warning.

Regards,
Mladen




Re: Can APR use verisign certs ?

2007-01-09 Thread robert lazarski

On 1/9/07, Peter Crowther <[EMAIL PROTECTED]> wrote:

> > From: robert lazarski [mailto:[EMAIL PROTECTED]
> > http://alpha-web01.alphatheory.com/atdev/
>
> The cert's issued to dpt.alphatheory.com; you're testing connections to
> alpha-web01.alphatheory.com.  Any sensible browser will scream at that
> difference.  If they didn't, crackers would be able to get a cert for
> www.somesillyname.com, install it on a spare server, poison the DNS for
> www.amazon.com and the browsers wouldn't scream as they were redirected.
>
> You will get errors from every browser with that cert unless/until they
> connect to https://dpt.alphatheory.com.
>
> - Peter



Can I please ask for more assistance? I'm getting a date error on this
site in both IE6 and firefox 1.5 - 2.0 that I don't understand:

https://dpt.alphatheory.com/




Re: Can APR use verisign certs ?

2007-01-09 Thread robert lazarski

On 1/9/07, robert lazarski <[EMAIL PROTECTED]> wrote:

> On 1/9/07, Peter Crowther <[EMAIL PROTECTED]> wrote:
> > > From: robert lazarski [mailto:[EMAIL PROTECTED]
> > > http://alpha-web01.alphatheory.com/atdev/
> >
> > The cert's issued to dpt.alphatheory.com; you're testing connections to
> > alpha-web01.alphatheory.com.  Any sensible browser will scream at that
> > difference.  If they didn't, crackers would be able to get a cert for
> > www.somesillyname.com, install it on a spare server, poison the DNS for
> > www.amazon.com and the browsers wouldn't scream as they were redirected.
> >
> > You will get errors from every browser with that cert unless/until they
> > connect to https://dpt.alphatheory.com.
> >
> > - Peter
> >
>
> Can I please ask for more assistance? I'm getting a date error on this
> site in both IE6 and firefox 1.5 - 2.0 that I don't understand:
>
> https://dpt.alphatheory.com/



On firefox 1.5 I'm getting "could not verify the cert because the
issuer is unknown".

Any ideas?




Re: Can APR use verisign certs ?

2007-01-09 Thread Christopher Schultz
Robert,

robert lazarski wrote:
> Can I please ask for more assistance? I'm getting a date error on this
> site in both IE6 and firefox 1.5 - 2.0 that I don't understand:
> 
> https://dpt.alphatheory.com/

I receive no warnings or errors of any kind when visiting the above URL.
Firefox (2.0.0.1 on winXP) reports a good cert issued and signed by
VeriSign with validity dates from 2007-01-07 through 2008-01-09. The
encryption being used is AES-256 in my case.

MSIE (6.0.2900.2180 on winXP) reports the same information, and says
that the "status" is "This certificate is OK" in the Certification Path
tab of the Certificate dialog. Oddly enough, double-clicking on the
"lock" icon in the status bar of MSIE (or clicking the "Certificates"
button from the page properties dialog) /sometimes/ (but not always)
results in a message that the cert has expired or is not yet valid.

There were never any warnings that came up at any point in either browser.

-chris




RE: Can APR use verisign certs ?

2007-01-09 Thread Caldarale, Charles R
> From: robert lazarski [mailto:[EMAIL PROTECTED] 
> Subject: Re: Can APR use verisign certs ?
> 
> Can I please ask for more assistance? I'm getting a date error on this
> site in both IE6 and firefox 1.5 - 2.0 that I don't understand:
> 
> https://dpt.alphatheory.com/

I'm getting somewhat different results than you are.

IE6 gets to the JBoss startup page with no problem, as well as the
Tomcat status and JMX Console pages.  It's only when downloading the
JBoss Web Console applet that an invalid certificate warning pops up.
The date range is fine; the problem is due to "The security certificate
was issued by a company that is not trusted."  The latter may be because
I haven't updated my JDK lately on the machine I'm running the browser
on, and it may have an out-of-date trust list.

What JRE/JDK level is on the system running the browser?

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.




Re: Can APR use verisign certs ?

2007-01-09 Thread robert lazarski

On 1/9/07, Caldarale, Charles R <[EMAIL PROTECTED]> wrote:

> > From: robert lazarski [mailto:[EMAIL PROTECTED]
> > Subject: Re: Can APR use verisign certs ?
> >
> > Can I please ask for more assistance? I'm getting a date error on this
> > site in both IE6 and firefox 1.5 - 2.0 that I don't understand:
> >
> > https://dpt.alphatheory.com/
>
> I'm getting somewhat different results than you are.
>
> IE6 gets to the JBoss startup page with no problem, as well as the
> Tomcat status and JMX Console pages.  It's only when downloading the
> JBoss Web Console applet that an invalid certificate warning pops up.
> The date range is fine; the problem is due to "The security certificate
> was issued by a company that is not trusted."  The latter may be because
> I haven't updated my JDK lately on the machine I'm running the browser
> on, and it may have an out-of-date trust list.
>
> What JRE/JDK level is on the system running the browser?
>
>  - Chuck


I'm in Brazil and with pt_BR which inverts month and day - which I
think explains my date errors.

The error we both seem to be seeing, "The security certificate
was issued by a company that is not trusted." seems to be only on
firefox 1.5 - with or without java 1.5_08 installed. Can anyone
confirm that? If it's not Java, any ideas? Another poster seemed to say
it worked in IE6 and firefox 2.0, which is what I'm seeing.




Re: Can APR use verisign certs ?

2007-01-09 Thread Bill Barker

"robert lazarski" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]
> On 1/9/07, Peter Crowther <[EMAIL PROTECTED]> wrote:
>> > From: robert lazarski [mailto:[EMAIL PROTECTED]
>> > http://alpha-web01.alphatheory.com/atdev/
>>
>> The cert's issued to dpt.alphatheory.com; you're testing connections to
>> alpha-web01.alphatheory.com.  Any sensible browser will scream at that
>> difference.  If they didn't, crackers would be able to get a cert for
>> www.somesillyname.com, install it on a spare server, poison the DNS for
>> www.amazon.com and the browsers wouldn't scream as they were redirected.
>>
>> You will get errors from every browser with that cert unless/until they
>> connect to https://dpt.alphatheory.com.
>>
>> - Peter
>>
>
> Can I please ask for more assistance? I'm getting a date error on this
> site in both IE6 and firefox 1.5 - 2.0 that I don't understand:
>
> https://dpt.alphatheory.com/
>

You have the expired intermediate cert for Verisign.  As a result, the 
browser can't verify you because it thinks that the cert that signed yours 
has expired.  You need to get the new one from Verisign and import that one 
instead.




Re: Can APR use verisign certs ?

2007-01-09 Thread robert lazarski

On 1/9/07, Bill Barker <[EMAIL PROTECTED]> wrote:

> > https://dpt.alphatheory.com/
> >
>
> You have the expired intermediate cert for Verisign.  As a result, the
> browser can't verify you because it thinks that the cert that signed yours
> has expired.  You need to get the new one from Verisign and import that one
> instead.



I had two issues: one for an invalid date (that no one else saw) due
to a locale issue I think - inverting day and month - and another
with the error "The security certificate was issued by a company that
is not trusted" only on firefox 1.5. Which issue are you referring to
as "expired intermediate cert"? The latter "company that is not
trusted" is unacceptable to us and needs to be solved somehow.

Thanks!
Robert




Re: Can APR use verisign certs ?

2007-01-09 Thread Bill Barker

"robert lazarski" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]
> On 1/9/07, Bill Barker <[EMAIL PROTECTED]> wrote:
>> > https://dpt.alphatheory.com/
>> >
>>
>> You have the expired intermediate cert for Verisign.  As a result, the
>> browser can't verify you because it thinks that the cert that signed yours
>> has expired.  You need to get the new one from Verisign and import that one
>> instead.
>>
>
> I had two issues: one for an invalid date (that no one else saw) due
> to a locale issue I think - inverting day and month - and another
> with the error "The security certificate was issued by a company that
> is not trusted" only on firefox 1.5. Which issue are you referring to
> as "expired intermediate cert"? The latter "company that is not
> trusted" is unacceptable to us and needs to be solved somehow.
>

Now, with IE 7 (I was using 6 before), the page comes up fine.  This means 
that you probably aren't sending the intermediate cert, and the browser is 
just using the one that it has.

If you do "view certificates" and go to the "certification path" tab (at 
least for IE, I don't have FF here), you will see three certs in the chain. 
Older browsers are going to show the middle one as expired, and hence no 
good.  Hence you should download the good cert from VS and point to it with 
the "SSLCertificateChainFile" attribute.

> Thanks!
> Robert
>



RE: Can APR use verisign certs ?

2007-01-09 Thread Caldarale, Charles R
> From: news [mailto:[EMAIL PROTECTED] On Behalf Of Bill Barker
> Subject: Re: Can APR use verisign certs ?
> 
> Now, with IE 7 (I was using 6 before), the page comes up fine.

What happens if you click on the JBoss Web Console link (bottom left)?
When I try it with IE7 (and IE6, for that matter), I get a Java message
box stating "The web site's certificate cannot be verified."  Clicking
the More Information link shows "The certificate was issued by a source
that is not trusted."  Clicking on No prevents the applet that normally
runs in the left pane from being downloaded.  (This is with both JDK
1.6.0-b105 and 1.5.0_10-b03, by the way.)

I think there are multiple certificate verification mechanisms at play
here, which may be contributing to the confusion.  Windows/IE has one,
Firefox appears to have its own, and Java yet another.  It seems that
only the Windows/IE mechanism recognizes the dpt.alphatheory.com
certificate as being issued by a known, trusted provider.  I don't know
enough about what actually gets checked to try to figure out why the
alphatheory certificate issuer isn't known to Firefox or Java.

 - Chuck





Re: Can APR use verisign certs ?

2007-01-10 Thread Bill Barker
Since I can't get the cert tree, I'm guessing the same problem:  Only this 
time with the JDK's stored certs.  Configuring the  to 
force sending the good intermediate cert should solve all of the problems.

In all the gory details, it seems that at the moment the app in question is 
only sending its own cert back to the browser (instead of the entire 
chain).  However all browsers recognize Verisign's cert as a signer, so they 
don't care.  Older browsers (or JDKs :) will have the expired copy of VS's 
intermediate cert, and so can't validate the cert chain anymore, and so will 
give an error (those of us using Apache Httpd have had this problem for 
awhile now :).  The solution is to force TC to send the newer intermediate 
cert back with the handshake, so the browser/JDK only has to find the root 
VS cert.

"Caldarale, Charles R" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]
> > From: news [mailto:[EMAIL PROTECTED] On Behalf Of Bill Barker
> > Subject: Re: Can APR use verisign certs ?
> >
> > Now, with IE 7 (I was using 6 before), the page comes up fine.
>
> What happens if you click on the JBoss Web Console link (bottom left)?
> When I try it with IE7 (and IE6, for that matter), I get a Java message
> box stating "The web site's certificate cannot be verified."  Clicking
> the More Information link shows "The certificate was issued by a source
> that is not trusted."  Clicking on No prevents the applet that normally
> runs in the left pane from being downloaded.  (This is with both JDK
> 1.6.0-b105 and 1.5.0_10-b03, by the way.)
>
> I think there are multiple certificate verification mechanisms at play
> here, which may be contributing to the confusion.  Windows/IE has one,
> Firefox appears to have its own, and Java yet another.  It seems that
> only the Windows/IE mechanism recognizes the dpt.alphatheory.com
> certificate as being issued by a known, trusted provider.  I don't know
> enough about what actually gets checked to try to figure out why the
> alphatheory certificate issuer isn't known to Firefox or Java.
>
>  - Chuck





Re: Can APR use verisign certs ?

2007-01-10 Thread robert lazarski

On 1/10/07, Bill Barker <[EMAIL PROTECTED]> wrote:


> In all the gory details, it seems that at the moment the app in question is
> only sending its own cert back to the browser (instead of the entire
> chain).  However all browsers recognize Verisign's cert as a signer, so they
> don't care.  Older browsers (or JDKs :) will have the expired copy of VS's
> intermediate cert, and so can't validate the cert chain anymore, and so will
> give an error (those of us using Apache Httpd have had this problem for
> awhile now :).  The solution is to force TC to send the newer intermediate
> cert back with the handshake, so the browser/JDK only has to find the root
> VS cert.



I think I fixed this via the SSLCertificateChainFile param and the
intermediary cert from verisign. So on my tests, ie6, firefox 1.5 and
firefox 2.0. Could I please get some independent verification for
this site before I tell my company it's working?

https://dpt.alphatheory.com/

Great community here, the help has been greatly appreciated!!!
Robert
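
Added example, not part of any message in this thread: a constructed root / intermediate / leaf chain checked with `openssl verify`, reproducing the expired-intermediate case Bill Barker describes and the host-name mismatch Peter Crowther describes. The CA names and the `*.example.test` hosts are made up; `-untrusted` stands in for whichever intermediate the client has cached or the server sends via `SSLCertificateChainFile`, and `-attime` moves the validation clock forward so the short-lived intermediate counts as expired.

```bash
#!/usr/bin/env bash
# Constructed demo PKI: "Demo Root CA", "Demo Intermediate CA" and the
# *.example.test names are invented stand-ins for the thread's real ones.
set -e
D=$(mktemp -d)
trap 'rm -rf "$D"' EXIT

cat > "$D/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:dpt.example.test
EOF

# new_csr STEM CN: fresh RSA key plus a signing request for CN.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$D/pki.cnf" -subj "/CN=$2" \
    -keyout "$D/$1.key" -out "$D/$1.csr" 2>/dev/null
}

# issue CSR_STEM OUT_STEM CA_STEM DAYS EXT_SECTION SERIAL: sign a request with a CA.
issue() {
  openssl x509 -req -in "$D/$1.csr" -CA "$D/$3.pem" -CAkey "$D/$3.key" \
    -set_serial "$6" -days "$4" -extfile "$D/pki.cnf" -extensions "$5" \
    -out "$D/$2.pem" 2>/dev/null
}

# Root CA: the only certificate the client trusts outright.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$D/pki.cnf" \
  -extensions ca -subj "/CN=Demo Root CA" \
  -keyout "$D/root.key" -out "$D/root.pem" 2>/dev/null

# One intermediate key and name, certified twice: a 1-day copy and its renewal.
new_csr int "Demo Intermediate CA"
issue int int-expired root 1    ca 2
issue int int         root 3650 ca 3

# Server certificate for dpt.example.test, signed by the intermediate.
new_csr leaf dpt.example.test
issue leaf leaf int 365 leaf 4

# Validate 30 days from now, when the 1-day intermediate has expired.
LATER=$(( $(date +%s) + 30 * 86400 ))

# verdict [openssl verify options]: prints "accepted" or "rejected" for the leaf.
verdict() {
  if openssl verify -CAfile "$D/root.pem" "$@" "$D/leaf.pem" >/dev/null 2>&1
  then echo accepted; else echo rejected; fi
}

echo "client holds only the expired intermediate: $(verdict -attime "$LATER" -untrusted "$D/int-expired.pem")"
echo "server sends the renewed intermediate:      $(verdict -attime "$LATER" -untrusted "$D/int.pem")"
echo "no intermediate available at all:           $(verdict -attime "$LATER")"
echo "connecting as dpt.example.test:             $(verdict -untrusted "$D/int.pem" -verify_hostname dpt.example.test)"
echo "connecting as alpha-web01.example.test:     $(verdict -untrusted "$D/int.pem" -verify_hostname alpha-web01.example.test)"
```

To see what a live server actually sends, `openssl s_client -connect HOST:443 -showcerts` lists every certificate in the handshake; a server that sends only its own certificate shows a single entry.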




Re: Can APR use verisign certs ?

2007-01-10 Thread Leon Rosenberg

with firefox 2.0 on x86_64 linux works fine.
same with mozilla 1.7.13
even konqueror says the certificate is valid.

regards
Leon


On 1/10/07, robert lazarski <[EMAIL PROTECTED]> wrote:

> On 1/10/07, Bill Barker <[EMAIL PROTECTED]> wrote:
> >
> > In all the gory details, it seems that at the moment the app in question is
> > only sending its own cert back to the browser (instead of the entire
> > chain).  However all browsers recognize Verisign's cert as a signer, so they
> > don't care.  Older browsers (or JDKs :) will have the expired copy of VS's
> > intermediate cert, and so can't validate the cert chain anymore, and so will
> > give an error (those of us using Apache Httpd have had this problem for
> > awhile now :).  The solution is to force TC to send the newer intermediate
> > cert back with the handshake, so the browser/JDK only has to find the root
> > VS cert.
> >
>
> I think I fixed this via the SSLCertificateChainFile param and the
> intermediary cert from verisign. So on my tests, ie6, firefox 1.5 and
> firefox 2.0. Could I please get some independent verification for
> this site before I tell my company it's working?
>
> https://dpt.alphatheory.com/
>
> Great community here, the help has been greatly appreciated!!!
> Robert




RE: Can APR use verisign certs ?

2007-01-10 Thread Caldarale, Charles R
> From: Leon Rosenberg [mailto:[EMAIL PROTECTED] 
> Subject: Re: Can APR use verisign certs ?
> 
> with firefox 2.0 on x86_64 linux works fine.
> same with mozilla 1.7.13
> even konqueror says the certificate is valid.

Looks like something changed overnight.  I now have no problems getting
to the main dpt.alphatheory.com page or the Web Console applet with IE6,
IE7, and Firefox 2.

 - Chuck





Re: Can APR use verisign certs ?

2007-01-10 Thread Mladen Turk

robert lazarski wrote:

> On 1/10/07, Bill Barker <[EMAIL PROTECTED]> wrote:
>
> https://dpt.alphatheory.com/



+1 Mozilla/5.0 (X11; U; Linux x86_64 ...
+1 GNU Wget 1.10.2 (Red Hat modified)

So, it looks fine to me.

Regards,
Mladen.

