SSL handshake failed
Solution 1
It probably means you are using a chained certificate, and did not use the SSLCACertificateFile /path/to/gd.bundle.crt directive. GoDaddy, Starfield and a few others use a bundle .crt file.
Edited: After a bit of testing, I was able to duplicate the error using svn as indicated in your other post by disabling the SSL engine. It appears that you don't have https configured for that host/port.
In your virtualhost listing (this may be automatic depending on the control panel you use)
<VirtualHost 1.2.3.4:8443>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/apache2/ssl/path.to.domain.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.2048.key
</VirtualHost>
If you are using port 8443, something similar to the above would turn on SSL. I would suspect that part of the configuration is wrong and while your Listen directive has the port open, the SSL engine is not enabled for that port.
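To check a configuration for exactly this mismatch (a port opened by Listen under mod_ssl with no VirtualHost on that port that turns SSLEngine on), here is an added shell example; it is not from the original answers, the config text is constructed to mirror the question, and the certificate paths are placeholders.

```sh
#!/bin/sh
# Constructed sample reproducing the question: Listen 668 under mod_ssl, no SSL vhost.
SAMPLE_CONF='NameVirtualHost *:80
Listen 80
<IfModule mod_ssl.c>
    Listen 668
</IfModule>
<VirtualHost *:80>
    DocumentRoot /var/www
</VirtualHost>'

# Same config after adding the vhost from the accepted fix (placeholder cert paths).
FIXED_CONF="$SAMPLE_CONF
<VirtualHost *:668>
    <IfModule mod_ssl.c>
        SSLCertificateFile /var/server.crt
        SSLCertificateKeyFile /var/server.key
        SSLEngine on
    </IfModule>
</VirtualHost>"

# Print every port opened by a Listen inside <IfModule mod_ssl.c> that has no
# <VirtualHost ...:port> block containing "SSLEngine on". Such a port answers
# plain HTTP, which clients report as a failed SSL handshake.
listen_ports_without_ssl() {
  printf '%s\n' "$1" | awk '
    tolower($0) ~ /^[[:space:]]*<ifmodule mod_ssl\.c>/ { inssl = 1 }
    tolower($1) == "</ifmodule>"                       { inssl = 0 }
    inssl && tolower($1) == "listen" { p = $2; sub(/.*:/, "", p); listen[p] = 1 }
    tolower($1) ~ /^<virtualhost/ { v = $0; sub(/.*:/, "", v); sub(/>.*/, "", v); cur = v }
    tolower($1) == "</virtualhost>" { cur = "" }
    cur != "" && tolower($1) == "sslengine" && tolower($2) == "on" { ssl[cur] = 1 }
    END { for (p in listen) if (!(p in ssl)) print p }
  ' | sort -n
}

# On a live Ubuntu host: is mod_ssl loaded, and does the port actually speak TLS?
# "wrong version number" from s_client is the typical sign of plain HTTP on the port.
verify_live() {
  apache2ctl -M 2>/dev/null | grep -q ssl_module || echo "mod_ssl not loaded"
  openssl s_client -connect "${1:-localhost:668}" </dev/null 2>&1 |
    grep -E 'Verify return code|handshake failure|wrong version number'
}

listen_ports_without_ssl "$SAMPLE_CONF"   # prints 668
listen_ports_without_ssl "$FIXED_CONF"    # prints nothing
```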
Solution 2
It means some part of the initial SSL negotiation failed. It's a very generic error. The fact that it's on a custom port means nothing (assuming you have both the client and server pointed to the right port).
Edit in regards to Update 3:
If you have a VirtualHost declaration somewhere, put the SSLEngine on in that directive. If not, it's probably best to put it in the ` directive, or next to where you configure SSLCertificateFile (which ought to be in the IfModule directive anyway, unless it's more appropriate to have it somewhere else; every system is different, sorry for the million-options answer).
Ben
Updated on September 17, 2022
Comments
-
Ben over 1 year
What does this error message mean for SSL running on a custom port? I'm running Ubuntu.
Update
I will say that this is not using a 3rd party SSL certificate and is one generated on our own server.
Another Update
My /etc/apache2/ports.conf file reads:
NameVirtualHost *:80
Listen 80
<IfModule mod_ssl.c>
    # SSL name based virtual hosts are not yet supported, therefore no
    # NameVirtualHost statement here
    Listen 668
</IfModule>
dav_svn.conf reads:
<Location /svn/web/>
    DAV svn
    SVNParentPath /var/svn-repos/web/
    AuthType Basic
    AuthName "SVN Repository"
    AuthUserFile /etc/svn-auth-file
    Require valid-user
</Location>
Do I need to specify a port on dav_svn.conf?
Update 3
I've realized now that nowhere am I running SSLEngine On - at least not that I can find. httpd.conf is completely blank. All I have running on this server is SVN at /svn/ as specified within dav_svn.conf. How should I enable SSL, via dav_svn.conf?
Solution
I added the following to httpd.conf:
<VirtualHost *:668>
    <IfModule mod_ssl.c>
        SSLCertificateFile /var/server.crt
        SSLCertificateKeyFile /var/server.key
        SSLEngine on
    </IfModule>
</VirtualHost>
-
warren almost 14 years
-
Warner almost 14 years
That typically produces a CA error. SSL negotiation failed can be a lot of things, but often it's generated by a client interaction, as Chris S more or less pointed out. It's not just chained certs; it's any cert where the root cert is newer or not included in the bundle. This applies to a lot of Extended Verification certs. Newer/smaller CAs are particularly prone to this issue.
-
user6738237482 almost 14 years
He was using svn rather than a browser, and svn is a bit more picky. However, I am able to duplicate that error with SVN by disabling the SSL engine for port 443. While his Apache is configured to answer for port 443, it is more likely that it is not answering as HTTPS, but rather answering HTTP on port 443.
-
Warner almost 14 years
What does SVN have to do with his question? That is one of the potential causes. Another, I believe, is a client prematurely terminating the connection before completion of the handshake. I recommend editing your answer, as it's pushing inaccurate.
-
user6738237482 almost 14 years
serverfault.com/questions/151877/ssl-handshake-failed is his other question, which seems related. svn does not handle errors the same way that a browser does and is often much more terse. I incorrectly assumed that SSL was indeed working on the port and didn't test my theory before posting. I apologize for that. Feel free to flag my answer or downvote it and post your own answer if you have something to add.
-
Warner almost 14 years
Ah right, good deal. I helped fix your markup. It was the "----" that caused the text above to be treated as a header. I try not to downvote; thanks for the consideration.
-
Ben almost 14 years
How can I be sure that SSL is being loaded by Apache?
-
Philip almost 14 years
Test it with a normal web browser.