ssl error handshake failure alert
I edited my virtualhost configuration and deleted :
SSLVerifyClient require
SSLVerifyDepth 10
And now it is working for server-side authentication. The "SSLVerifyClient require" directive override the lines :
SSLCertificateFile /usr/lib/ssl/demoCA/servercert.pem
SSLCertificateKeyFile /usr/lib/ssl/demoCA/serverkey.pem
SSLCACertificateFile /usr/lib/ssl/demoCA/stcert.pem
And that was the problem. The "SSLVerifyClient require" directive is for client-Side authentication and it makes openSSL to always require a certificate from the client.
Related videos on Youtube
mragrid
Updated on September 18, 2022Comments
-
mragrid over 1 year
I'm getting the error mentioned in the title in Firefox when i try to access my website on my machine. This is the error i get :
An error occurred during a connection to www.st.um. SSL peer was unable to negotiate an acceptable set of security parameters. (Error code: ssl_error_handshake_failure_alert)
This is my virtual host configuration :
<VirtualHost *:443> ServerAdmin [email protected] ServerName www.st.um DocumentRoot /var/www/web <Directory /var/www/web> Options Indexes FollowSymLinks MultiViews AllowOverride None Order allow,deny allow from all </Directory> SSLEngine on SSLCertificateFile /usr/lib/ssl/demoCA/servercert.pem SSLCertificateKeyFile /usr/lib/ssl/demoCA/serverkey.pem SSLCACertificateFile /usr/lib/ssl/demoCA/stcert.pem <FilesMatch "\.(cgi|shtml|phtml|php)$"> SSLOptions +StdEnvVars </FilesMatch> BrowserMatch "MSIE [2-6]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 # MSIE 7 and newer should be able to use keepalive BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown SSLVerifyClient require SSLVerifyDepth 10 </VirtualHost>
The certificate "servercert.pem" is certificated using my CA : "stcert.pem" and i can use the certificate "servercert.pem" with the key "serverkey.pem" perfectly to gain access to the s_server as a server and having my CA imported and trusted in the list of authorities of the web browser :
openssl s_server -cert servercert.pem -key serverkey.pem -www
I also can gain access to my website as a client using a PKCS#12 file generated from a certificate "clientcert.pem" with its key "clientkey.pem".
The only thing that i have in /etc/log/apache2/error.log is :
[Sat May 25 02:44:11 2013] [notice] Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.6 with Suhosin-Patch mod_ssl/2.2.22 OpenSSL/1.0.1 configured -- resuming normal operations
-
mragrid almost 11 yearsWhen i try to access my website in my machine i get the ssl error handshake failure alert in the web browser
-
daff almost 11 yearsWhat exactly does the Apache error log say?
-
mragrid almost 11 yearsOK, i just updated the question with the complete error description.
-
mragrid almost 11 yearsI just edited my virtualhost configuration and deleted "SSLVerifyClient require" and "SSLVerifyDepth 10". And now it is working. I could not answer my own question because it is asking me to wait 8 hours for being a beginner.
-