
RE: [cobalt-users] 128 SSL question/problem



I believe this is the same issue I had with VeriSign's 128-bit cert...
you need to do the following:

1.) Obtain an intermediate certificate from Thawte (this whole fix
assumes Thawte deals with the 128-bit US export issue in the same way
VeriSign does), which must be on their website somewhere... and download
it to the secured Cobalt site's certs directory, giving it the same
permissions as certificate and a name like intermediateca_certificate.

2.) I did the following (but I have only one secured site currently, so I
don't have to worry about mixed 40-bit and 128-bit sites... my comments
suggest a possible way to deal with this, but I don't know Perl real
well...) to /etc/httpd.conf in the <Perl></Perl> section:

<Perl>

***Cobalt code in here***

# Hardcoded, issues with mod_perl and cobalt modules.
	if (/^<\/Virtual/ and (-f "/etc/httpd/ssl/$group")) {
	    $ret = ssl_cert_check("/home/sites/$group/certs/");
	    if ($ret=~/^2/o) {
		$PerlConfig .= "Listen $ip:443\n";
		$PerlConfig .= "<VirtualHost $ip:443>\n";
		$PerlConfig .= "SSLengine on\n";
		$PerlConfig .= "SSLCertificateFile /home/sites/$group/certs/certificate\n";

		#Mod: HES	JS - 7/19/2000
		#
		# Required for Global Server IDs and certain browsers.
		# For more info: http://www.verisign.com/cus/srv/install/g/
		# and choose Red Hat from the nav bar on the left.
		#
		# In short, the server requires 2 certificates, and there is no
		# way to do this via the GUI.  If a non-Global ID site is added
		# to the server, the Perl logic will have to be enhanced to
		# not only determine if the virtual site has SSL enabled and
		# installed, but also to check whether or not it has an
		# intermediateca_certificate file before doing the line below.
		#
		# Something like (the -f file test, as used above for the ssl dir):
		# if (-f "/home/sites/$group/certs/intermediateca_certificate") {
		#	 $PerlConfig .= "SSLCACertificateFile /home/sites/$group/certs/intermediateca_certificate\n";
		# }
		#
		$PerlConfig .= "SSLCACertificateFile /home/sites/$group/certs/intermediateca_certificate\n"; # This is the only line added!

		$PerlConfig .= "SSLCertificateKeyFile /home/sites/$group/certs/key\n";
		$PerlConfig .= join('', @ssl_conf);
	    } elsif (ssl_cert_check("/home/sites/home/certs/") =~ /^2/) {
		$PerlConfig .= "Listen $ip:443\n";
		$PerlConfig .= "<VirtualHost $ip:443>\n";
		$PerlConfig .= "SSLengine on\n";
		$PerlConfig .= "SSLCertificateFile /home/sites/home/certs/certificate\n";
		$PerlConfig .= "SSLCertificateKeyFile /home/sites/home/certs/key\n";
		$PerlConfig .= join('', @ssl_conf);
	    } else {
		print STDERR "Site $group has invalid certificate: $ret\n";
	    }
	}

*** More Cobalt Code ***

</Perl>

At the bottom of the #Mod: HES comment block, you'll see the one line I
added.

If this is unclear, contact me off-list... I was under the gun trying to
figure this out with our 128-bit client and I'd be happy to help anyone
else out of a similar predicament.
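The conditional version that the #Mod: HES comment block only sketches, written out as an added example (this is not the Cobalt code from the message above): the SSLCACertificateFile line is emitted only for a site whose certs directory actually contains intermediateca_certificate, so chained (Global Server ID) sites and plain sites can share one httpd.conf. The function name, the IP addresses and the temporary directory layout are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not Cobalt's generated config code. Builds the per-site
# SSL VirtualHost stanza and adds SSLCACertificateFile only when the site
# ships an intermediate certificate.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Return the directives for one site. $certdir is the site's certs
# directory (/home/sites/<group>/certs on the RaQ); the fields mirror
# what the hardcoded Cobalt block emits.
sub ssl_vhost_config {
    my ($ip, $certdir) = @_;
    my $cfg = "Listen $ip:443\n"
            . "<VirtualHost $ip:443>\n"
            . "SSLengine on\n"
            . "SSLCertificateFile $certdir/certificate\n";
    # Only a chained (Global ID) site carries an intermediate; a 40-bit
    # site without one must not reference a file that does not exist,
    # or httpd will refuse to start.
    my $inter = "$certdir/intermediateca_certificate";
    $cfg .= "SSLCACertificateFile $inter\n" if -f $inter;
    $cfg .= "SSLCertificateKeyFile $certdir/key\n";
    # Cobalt appends the rest of the stanza from @ssl_conf; close it here.
    $cfg .= "</VirtualHost>\n";
    return $cfg;
}

# Constructed sample layout (assumption): two sites, only site128 has an
# intermediate certificate. Placeholder file contents, not real PEM.
my $root = tempdir(CLEANUP => 1);
for my $site (qw(site40 site128)) {
    mkdir "$root/$site" or die "mkdir: $!";
    for my $f (qw(certificate key)) {
        open my $fh, '>', "$root/$site/$f" or die "open: $!";
        print $fh "-----BEGIN PLACEHOLDER-----\n";
        close $fh;
    }
}
open my $fh, '>', "$root/site128/intermediateca_certificate" or die "open: $!";
print $fh "-----BEGIN PLACEHOLDER-----\n";
close $fh;

# site40 gets no SSLCACertificateFile line; site128 does.
print ssl_vhost_config('192.0.2.10', "$root/site40"), "\n";
print ssl_vhost_config('192.0.2.11', "$root/site128");
```

Before enabling the line on a real site, confirm the intermediate actually issued the site certificate with `openssl verify -untrusted intermediateca_certificate certificate`; a mismatched intermediate produces the same "untrusted source" warning as a missing one.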

> -----Original Message-----
> From: Brent Sadler [mailto:brent@xxxxxxxxxxx]
> Sent: Thursday, August 03, 2000 12:43 PM
> To: cobalt-users@xxxxxxxxxxxxxxx
> Subject: [cobalt-users] 128 SSL question/problem
> 
> 
> Ok,
> 
> I have a customer who got a 128 Supercert from Thawte and installed it on a
> new domain. Everything seems ok except for when people go to the page they
> get a message saying that the cert is set up correctly but coming from an
> untrusted source.
> 
> Looking at the cert, the problem seems to be that it issued to:
> domainabc.com AND issued by domainabc.com
> 
> I believe the Issued by should have Thawte, shouldn't it? Thawte's online
> help says that the server is presenting the wrong cert, most probably a
> self-signed or temporary one. It says to edit the httpd.conf to have it
> point to the proper file.
> 
> I looked in the file but I couldn't tell exactly what or where to change it.
> 
> Any help would be appreciated.
> 
> Brent Sadler
> 
> 
> _______________________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To Subscribe or Unsubscribe, please go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users
>