SSL handshake failed

Solution 1

It probably means you are using a chained certificate, and did not use the SSLCACertificateFile /path/to/gd.bundle.crt directive. GoDaddy, Starfield and a few others use a bundle .crt file.


Edited: After a bit of testing, I was able to duplicate the error using svn as indicated in your other post by disabling the SSL engine. It appears that you don't have https configured for that host/port.

In your virtualhost listing (this may be automatic depending on the control panel you use)

<VirtualHost 1.2.3.4:8443>
SSLEngine on
# Cipher list as posted in this answer; note that it still permits SSLv2,
# export-grade, LOW and eNULL (unencrypted) suites.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl/path.to.domain.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.2048.key
</VirtualHost>

If you are using port 8443, something similar to the above would turn on SSL. I would suspect that part of the configuration is wrong and while your Listen directive has the port open, the SSL engine is not enabled for that port.

Solution 2

It means some part of the initial SSL negotiation failed. It's a very generic error. The fact that it's on a custom port means nothing (assuming you have both the client and server pointed to the right port).

Edit in regards to Update 3:
If you have a VirtualHost declaration somewhere, put the SSLEngine on in that directive. If not, it's probably best to put it in the ` directive; or next to where you configure SSLCertificateFile (which ought to be in the IfModule directive anyway, unless it's more appropriate to have it somewhere else, every system is different, sorry for the million options answer).

Author: Ben

Updated on September 17, 2022

Comments

  • Ben
    Ben over 1 year

    What does this error message mean for SSL running on a custom port? I'm running Ubuntu.

    Update

    I will say that this is not using a 3rd party SSL certificate and is one generated on our own server.

    Another Update

    My /etc/apache2/ports.conf file reads:

    NameVirtualHost *:80
    Listen 80
    
    <IfModule mod_ssl.c>
        # SSL name based virtual hosts are not yet supported, therefore no
        # NameVirtualHost statement here
        Listen 668
    </IfModule>
    

    dav_svn.conf reads:

      <Location /svn/web/>
            DAV svn
            SVNParentPath /var/svn-repos/web/
            AuthType Basic
            AuthName "SVN Repository"
            AuthUserFile /etc/svn-auth-file
            Require valid-user
      </Location>
    

    Do I need to specify a port on dav_svn.conf?

    Update 3

    I've realized now that nowhere am I running SSLEngine On - at least not that I can find.

    httpd.conf is completely blank. All I have running on this server is SVN at /svn/ as specified within dav_svn.conf

    How should I enable SSL, via dav_svn.conf?

    Solution

    I added the following to httpd.conf

    <VirtualHost *:668>
            <IfModule mod_ssl.c>
                    SSLCertificateFile /var/server.crt
                    SSLCertificateKeyFile /var/server.key
                    SSLEngine on
            </IfModule>
    </VirtualHost>
    
  • Warner
    Warner almost 14 years
    That typically produces a CA error. SSL negotiation failed can be a lot of things, but often it's generated by a client interaction, as Chris S more or less pointed out. It's not just chained certs; it's any cert where the root cert is newer or not included in the bundle. This applies to a lot of Extended Verification certs. Newer/smaller CAs are particularly prone to this issue.
  • user6738237482
    user6738237482 almost 14 years
    He was using svn rather than a browser and svn is a bit more picky. However, I am able to duplicate that error with SVN by disabling the SSL engine for port 443. While his apache is configured to answer for port 443, it is more likely that it is not answering as HTTPS, but rather answering HTTP on port 443.
  • Warner
    Warner almost 14 years
    What does SVN have to do with his question? That is one of the potential causes. Another, I believe, is a client prematurely terminating the connection before completion of handshake. I recommend editing your answer, as it's pushing inaccurate.
  • user6738237482
    user6738237482 almost 14 years
    serverfault.com/questions/151877/ssl-handshake-failed this is his other question which seems related. svn does not handle errors the same way that a browser does and is often much more terse. I incorrectly assumed that SSL was indeed working on the port and didn't test my theory before posting. I apologize for that. Feel free to flag my answer or downvote it and post your own answer if you have something to add.
  • Warner
    Warner almost 14 years
    Ah right, good deal. I helped fix your markup. It was the "----" that caused the text above to be treated as a header. I try not to down vote, thanks for the consideration.
  • Ben
    Ben almost 14 years
    How can I be sure that SSL is being loaded by apache?
  • Philip
    Philip almost 14 years
    Test it with a normal web browser.
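Philip's advice to test with a browser, and the two diagnoses in Solution 1 (the SSL engine not enabled for the port, versus a chained certificate served without its bundle), can be turned into a scripted check with openssl s_client. This is an added example and not code from the thread; the host, port and CA bundle path it uses are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: tell whether the port Apache listens on
# really speaks TLS, and whether the chain it sends verifies.  Host, port and
# CA bundle path are assumptions (the asker's custom port was 668).

# Classify an `openssl s_client` transcript (stdout+stderr) read from stdin.
classify_probe() {
    transcript=$(cat)
    case "$transcript" in
        *"wrong version number"*|*"unknown protocol"*)
            # Peer sent something that is not a TLS record: almost always
            # plain HTTP on the port, i.e. SSLEngine is not on for it.
            echo "plain-http" ;;
        *"Connection refused"*|*"connect:errno"*)
            echo "closed" ;;            # nothing listening (check Listen)
        *"Verify return code: 0 (ok)"*)
            echo "ok" ;;
        *"Verify return code: 21 "*|*"Verify return code: 20 "*)
            # 21/20: the client could not find the issuer of what it got,
            # either a chained cert served without its bundle (Solution 1)
            # or a root the local trust store lacks; re-run with CAFILE.
            echo "chain-incomplete" ;;
        *"Verify return code: 18 "*|*"Verify return code: 19 "*)
            echo "self-signed" ;;       # the asker's own-server certificate
        *"Verify return code: "*)
            echo "verify-failed" ;;
        *)
            echo "unknown" ;;
    esac
}

# Probe HOST PORT [CAFILE]: pass the bundle as CAFILE to confirm that a
# chain-incomplete result is fixed by the bundle rather than by anything else.
probe_tls() {
    host=$1; port=$2; cafile=${3:-}
    set -- -connect "$host:$port" -servername "$host"
    [ -n "$cafile" ] && set -- "$@" -CAfile "$cafile"
    openssl s_client "$@" </dev/null 2>&1 | classify_probe
}

# Demo on a constructed transcript: what s_client prints against a port that
# answers HTTP instead of TLS.  Real use: probe_tls svn.example.com 668
printf 'CONNECTED(00000003)\nerror:...:ssl3_get_record:wrong version number\n' \
    | classify_probe
```

A "plain-http" result points at the missing SSLEngine on for that port; "chain-incomplete" that turns into "ok" once the bundle is passed as CAFILE points at a missing SSLCACertificateFile.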