SSL peer was unable to negotiate an acceptable set of security parameters


Solution 1

Great! So just to be clear, you were at the point where the error was SSL_ERROR_HANDSHAKE_FAILURE_ALERT. One nice way to investigate is with

openssl s_client -state -debug -showcerts -verify 0 -connect example.com:443

(and all sorts of useful options) and you were helpful enough to have provided the actual server name.

Handshake error is caused by, well, an error during the SSL / TLS handshake. We got the certificate just fine, which led me to assume that the problem was either something failing in response to CertificateRequest from the server, or something funky with the cipher suite. The latter problem has its own set of error messages now that I think about it more. Firefox's NSS and SSL Error Codes is handy here.

SSLVerifyClient require in the Apache configuration will indeed require that the client present a valid certificate to authenticate to the server, which was the problem as you confirm.
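As an added example (not part of either answer), the following POSIX shell function sorts an `openssl s_client -state -debug -showcerts` transcript into the cases this thread distinguishes: a server that sent a CertificateRequest and then aborted (Apache `SSLVerifyClient require` with no client certificate), a port that is not speaking TLS at all (Firefox's `ssl_error_rx_record_too_long`), and a handshake failure without a certificate request (cipher suite or protocol mismatch). The sample transcripts are constructed to mimic OpenSSL's state and alert markers, and the CA name in them is a placeholder.

```shell
#!/bin/sh
# Classify an `openssl s_client -state -debug -showcerts` transcript.
# Assumption: the transcript contains OpenSSL's -state lines ("SSL_connect:...")
# and info-callback alert lines ("SSL3 alert read:fatal:...").

# Usage: classify_tls_failure "$transcript"  -> prints one label on stdout
classify_tls_failure() {
    transcript=$1
    if printf '%s\n' "$transcript" | grep -q 'read server certificate request' \
       && printf '%s\n' "$transcript" | grep -q 'alert read:fatal:handshake failure'; then
        # The server asked for a client certificate and then rejected the
        # empty Certificate message we sent: SSLVerifyClient require with no
        # (or an untrusted) client certificate.
        echo client-cert-required
    elif printf '%s\n' "$transcript" | grep -q 'wrong version number'; then
        # The first bytes on the socket were not a TLS record, e.g. plain HTTP
        # answered on port 443 (Firefox shows ssl_error_rx_record_too_long).
        echo not-tls-on-port
    elif printf '%s\n' "$transcript" | grep -q 'alert read:fatal:handshake failure'; then
        # Handshake failure with no CertificateRequest: check SSLCipherSuite
        # and the enabled protocol versions on both sides.
        echo cipher-or-protocol-mismatch
    else
        echo handshake-ok-or-unknown
    fi
}

# Constructed sample 1: mutual-TLS server, client presented no certificate.
SAMPLE_CLIENT_CERT='SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:SSLv3/TLS read server certificate request
SSL_connect:SSLv3/TLS read server done
SSL_connect:SSLv3/TLS write client certificate
SSL_connect:SSLv3/TLS write client key exchange
SSL3 alert read:fatal:handshake failure
SSL_connect:error in error
Acceptable client certificate CA names
CN = Example Root CA (placeholder)'

# Constructed sample 2: port 443 answering with plain HTTP instead of TLS.
SAMPLE_PLAIN_HTTP='SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL routines:ssl3_get_record:wrong version number'

classify_tls_failure "$SAMPLE_CLIENT_CERT"   # client-cert-required
classify_tls_failure "$SAMPLE_PLAIN_HTTP"    # not-tls-on-port
```

On a live host, pipe the real transcript in with `classify_tls_failure "$(openssl s_client -state -debug -showcerts -connect host:443 </dev/null 2>&1)"`.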

Solution 2

The web server is likely requiring the client to authenticate. In the Apache server it is in httpd.conf: "SSLVerifyClient require". This requires you to have a "Your Certificate" loaded in Firefox AND the CA certificate chains loaded as well.

The problem is that the personal or CA server certificates might not be tied across the CA chains, might be expired, or might be corrupted.

Try to reimport the personal certificate, and reimport all CAs referenced in the personal certificate.

HOWTO: Tools, Options, Encryption, View Certificates, Your Certificates: import your certificate from a PKCS12 file (*.p12). Servers, Import: certificate files (*.cer); you may need several of these depending on the chain.

Author by animuson

I work for Stack Overflow as a Senior Product Support Specialist.

Updated on September 17, 2022

Comments

  • animuson
    animuson over 1 year

    I followed section 1B of this guide to create a certificate and sign it on my own and set up Apache to use that certificate, but whenever I try to view my website securely, Firefox spits out this error:

    Secure Connection Failed

    An error occurred during a connection to animuson.com.

    SSL received a record that exceeded the maximum permissible length.

    (Error code: ssl_error_rx_record_too_long)

    I tried it with 4096 first. Then, instead of using the 4096 that is in the guide, I used 1028 instead (which I thought was the normal size to use). I'm using Apache2 on CentOS 5...

    From "/etc/httpd/conf/extra/httpd-ssl.conf" (compressed together, of course):

    Listen 443
    SSLEngine On
    SSLCertificateFile "/etc/httpd/conf/ssl/server.crt"
    SSLCertificateKeyFile "/etc/httpd/conf/ssl/server.key"
    

    Any ideas?

    EDIT

    I moved the files from their default ssl.key and ssl.crt directories and I did something else that I don't remember, which seemed to work. It started showing the 'Add Exception' page and I installed my root certificate to my browser; now it displays the following error:

    Secure Connection Failed

    An error occurred during a connection to animuson.com.

    SSL peer was unable to negotiate an acceptable set of security parameters.

    (Error code: ssl_error_handshake_failure_alert)

    I don't have any idea what this means or what information you might need to help me out with it.

    • elmo
      elmo almost 14 years
      Might have been easier if you hadn't compressed your configuration. Do you have a VirtualHost setup covering :443?
    • user2910702
      user2910702 almost 14 years
      You might be doing http on the https port. Check with nc or telnet.
    • medina
      medina almost 14 years
      Got anything else going on in your config SSL-wise? This message comes from SSL_ERROR_HANDSHAKE_FAILURE_ALERT (as seen with openssl s_client -connect [...]). Have you got SSLVerifyClient, something funky with SSLCipherSuite, etc?
  • animuson
    animuson almost 14 years
    Thanks to @medina above, for some reason SSLVerifyClient was set to require instead of none (default). I just commented out the line and it started working. I'm not at all experienced with the OpenSSL stuff so I didn't know what settings to even look at for this. Thanks again. :)