SSL Cannot Make A Handshake
After strictly following the SSL certificate authority documentation, I'm stumped to solve the reason for this error. When accessing my website via HTTPS Firefox spits out the following error:
SSL peer was unable to negotiate an acceptable set of security parameters.
(Error code: ssl_error_handshake_failure_alert)
I went back and found this in the SSL error log (domain was modified on purpose):
[Mon May 09 02:11:05 2011] [warn] RSA server certificate wildcard CommonName (CN) `*.domain.com' does NOT match server name!?
Where is the server name defined? I can't find a reasonable explanation in my httpd-ssl.conf file to solve this error. Thanks for your help!
Update Finally solved the problem, detailed below:
Unfortunately it was created by a default value in my Apache distribution. The option:
SSLVerifyClient require
Actually needed to be set as:
SSLVerifyClient optional
开发者_开发百科
I'm not issuing client certs just yet. However credit is due to the answers for narrowing the problem. I appreciate the help!
That line in your logfile might matter later, but it's only a [warn] and it's not what handshake_failure means. Handshake_failure means that a cipher suite could not be negotiated -- no cipher suite is supported by both client and server. Look at what ciphers are supported by your server.
Edit: I always forget that if a client fails to provide a required certificate, that also results in handshake_failure (section 7.4.6).
SSL compares the CommonName with the name of the server you actually try to connect to.
Possibly you are using an alternative name like 'localhost' or an IP Adress.
Solved the problem, and unfortunately it was created by a default value in my Apache distribution. The option:
SSLVerifyClient require
Actually needed to be set as:
SSLVerifyClient optional
I'm not issuing client certs just yet. However credit is due to the answers for narrowing the problem. I appreciate the help!
精彩评论