NS7 sees cert diff in Apache 1.3+mod_ssl and Apache 2

on 03.10.2002 17:40:37 by jbc

Hi.

My production server is currently running
Server: Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6g

and I'm test driving
Server: Apache/2.0.42 (Unix) mod_ssl/2.0.42 OpenSSL/0.9.6g

I have a secure server certificate from Verisign, and the intermediate cert from
their website installed as the SSLCertificateChainFile.

Things work fine on the production platform. On the test platform, things work
fine using IE6 or Opera as the browser, and the certificate details are okay on
inspection.

However, Netscape 7 (and also Mozilla, BTW) returns the error
The certificate was issued by a certificate authority
that Netscape 7.0 does not recognize
which would seem to be a cert chain problem. Probing with openssl s_client does
not suggest a server problem. You can, of course, just tell NS7 to permanently
accept the cert and continue, but it's upsetting to some users to have to do that.

Info at mozilla.org suggests that, at least up til recently, there have been
known SSL/TLS issues, but I don't see anything quite like this.

Anyone with a similar experience/problem/solution?

Thanks in advance.
John Chambers


____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: NS7 sees cert diff in Apache 1.3+mod_ssl and Apache 2

on 04.10.2002 08:51:15 by CorreiJ

To my knowledge the Netscape behaviour is actually the normal one. If
the server certificate is not installed in their browser Trusted
certificate store (or its higher parent) then there is no way it's
going to recognize it as a trusted certificate.

Regards
Jose



Re: NS7 sees cert diff in Apache 1.3+mod_ssl and Apache 2

on 10.10.2002 20:56:06 by jbc

[I had to be out of the office, sorry to be slow in following up]

Thanks for the reply, Jose. Either I posed my question poorly or I don't
understand your answer.

I have two servers running (they are on the same host (distinguished ports), the
CN value in the certificate won't be an issue). One is Apache1+modssl-addon, the
other is Apache2+modssl-builtin. Both are set up with a copy of our secure
server certificate from Verisign (SSLCertificateFile), and the Verisign-provided
intermediate certificate (SSLCertificateChainFile). (And of course both have the
same SSLCertificateKeyFile).

Now. When I point IE6 (or Opera) at either server, it recognizes the
intermediate certificate, figures out that it knows who Verisign is (in its
list of known CAs), and trusts our Verisign-issued server cert.

If I point Netscape at the Apache1 version, it behaves in this way also.

If I now point Netscape at the trial Apache2 setup, it claims that (as noted)
the server cert was issued by an unrecognized CA.

So .. the only way I can articulate this situation is .. that there is some
difference in the way the mod_ssl addon for Apache 1 and the mod_ssl builtin for
Apache 2 delivers intermediate certificate chain info, and that only Netscape
seems to be sensitive to the difference.


RE: NS7 sees cert diff in Apache 1.3+mod_ssl and Apache 2

on 11.10.2002 10:40:50 by CorreiJ

Hi John

Yeah, I just wanted to make sure that your chain file was set up
correctly, which it seems to be.

Unfortunately I have only used Apache 1.3.x and I haven't used any
chain certificates as yet (just used my own generated certificates).

The only thing I can think of is to compare the CA details in the
Netscape truststore to the details of the CA available on the Apache
side (using openssl to view it), just to eliminate that possibility.

Try joining the netscape security mailing list and see if you can get
any info there?

Regards
Jose
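
Added example, not part of the original thread: one way to run the comparison discussed above is to capture `openssl s_client -showcerts` output from each server and check whether the chain as sent leads to a root that a client already trusts. The distinguished names and both sample outputs below are constructed, and `parse_chain` and `diagnose` are hypothetical helper names.

```python
import re

# Constructed sample `openssl s_client -showcerts` excerpts (hypothetical DNs, not from the thread).
LEAF = "/C=US/O=Example Org/CN=www.example.org"
INTERMEDIATE = "/O=Example Trust Network/CN=Example Intermediate CA"
ROOT = "/C=US/O=Example CA, Inc./OU=Example Root CA"

WITH_CHAIN = f"""CONNECTED(00000003)
---
Certificate chain
 0 s:{LEAF}
   i:{INTERMEDIATE}
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
 1 s:{INTERMEDIATE}
   i:{ROOT}
---
Server certificate
"""
LEAF_ONLY = f"""CONNECTED(00000003)
---
Certificate chain
 0 s:{LEAF}
   i:{INTERMEDIATE}
---
Server certificate
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, active, subject = [], False, None
    for line in text.splitlines():
        if line.strip() == "Certificate chain":
            active = True
        elif active and line.strip() == "---":
            break  # end of the chain section
        elif active and (m := re.match(r"\s*\d+ s:(.+)", line)):
            subject = m.group(1).strip()
        elif active and subject and (m := re.match(r"\s+i:(.+)", line)):
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def diagnose(chain, trusted_roots):
    """Walk the chain as a client holding only `trusted_roots` would."""
    for pos, (subject, issuer) in enumerate(chain):
        if issuer in trusted_roots:
            return "ok"
        if pos + 1 == len(chain) or chain[pos + 1][0] != issuer:
            return f"unrecognized issuer: {issuer}"
    return "no certificates sent"
```

Running `diagnose(parse_chain(output), roots)` on the output captured from each port shows whether the intermediate from SSLCertificateChainFile is actually being sent by both servers.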

