
Verisign Still Problematic with Pound?
"Mathew Brown" <mathewbrown(at)fastmail.fm>
2006-08-08 09:27:22
  We're currently evaluating using Verisign certificates and using Pound
  as an SSL wrapper.  However, searching through the mailing list, I ran
  into the following issue regarding Pound and Verisign:

Basically, when Verisign introduced intermediate certificates in 2004,
it broke Pound's SSL wrapper capabilities.  The user (Jonathan Cyr) was
able to fix it (somewhat) but it still didn't work on Mozilla browsers. 
Any ideas?  Thanks for your time.[...]

Re: [Pound Mailing List] Verisign Still Problematic with Pound?
Jonathan Cyr <cyrj(at)cyr.info>
2006-08-09 00:43:16

So happy my rantings are helping someone....

No one on the Pound list or the OpenSSL list could help me, at the 
time.  So I traded in my $600 Verisign Cert for a $65 one at freessl.com 
(now rapidssl.com)... and it worked in 10 freakin minutes.  We've been 
using Pound ever since, very happily.  The RapidSSL.com certificate is 
signed by Equifax rather than Verisign, a credit report authority.

Ditch the Verisign certificate for any other vendor, their PEM/CSR 
generation process is flawed, and never was figured out with this niche 
problem.   PS... Verisign's tech support will not help you... they have 
no concept of Pound/OpenSSL vs. Apache/OpenSSL... and have outsourced 
their tech support to somewhere far far away.

The clue was... the self-signed certificates work perfectly... don't they?

Good Luck,


Mathew Brown wrote:[...]

Re: [Pound Mailing List] Verisign Still Problematic with Pound?
Ondra Kudlik <kepi(at)orthank.net>
2006-08-09 08:46:16
On Tue, Aug 08, 2006 at 06:43:16 -0400, Jonathan Cyr wrote:[...]

We are using rapidssl certificates as well and I can confirm that they work 
without problems, as with self-signed :)

Re: [Pound Mailing List] Verisign Still Problematic with Pound?
"Mathew Brown" <mathewbrown(at)fastmail.fm>
2006-08-10 10:36:41
Thanks for your input Jonathan.  Would getting a RapidSSL.com
certificate signed by Equifax give any kind of warning in the client's
browser?  I know that Verisign is exceptionally good in that even old
browsers know Verisign and trust it.  Is Equifax good with old browsers?

PS.  I'm going to try the process using a test certificate from Verisign
and get back to you with my feedback.  Jonathan, as you are aware of the
process, would you be willing to test it out?  Thanks.

On Tue, 08 Aug 2006 18:43:16 -0400, "Jonathan Cyr" <cyrj(at)cyr.info>

Re: [Pound Mailing List] Verisign Still Problematic with Pound?
Ondra Kudlik <kepi(at)orthank.net>
2006-08-10 11:26:06

I think you can try it on your own :) We have a rapidssl certificate,
e.g. on the site https://www.igloonet.cz/,
which is behind pound, or on
https://www.recykl.com/ (but the guys have
included one non-SSL source,
so the browser will warn you about this).

We have no problems with any current browsers, so you can try some

I will appreciate your report


On Thu, Aug 10, 2006 at 01:36:41 -0700, Mathew Brown wrote:[...]