SSL peer was unable to negotiate an acceptable set of security parameters
Solution 1
Great! So just to be clear, you were at the point where the error was SSL_ERROR_HANDSHAKE_FAILURE_ALERT. One nice way to investigate is with
openssl s_client -state -debug -showcerts -verify 0 -connect example.com:443
(and all sorts of useful options) and you were helpful enough to have provided the actual server name.
Handshake error is caused by, well, an error during the SSL / TLS handshake. We got the certificate just fine, which led me to assume that the problem was either something failing in response to CertificateRequest from the server, or something funky with the cipher suite. The latter problem has its own set of error messages now that I think about it more. Firefox's NSS and SSL Error Codes is handy here.
SSLVerifyClient require
in the Apache configuration will indeed require that the client present a valid certificate to authenticate to the server, which was the problem as you confirm.
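An added diagnostic helper (not from the answers above, and not part of any Apache or OpenSSL tooling) that automates the check this answer describes: it reads an openssl s_client -state transcript and tells a server that demands a client certificate (SSLVerifyClient require) apart from a server that shares no acceptable cipher or protocol, both of which surface in Firefox as ssl_error_handshake_failure_alert. It also classifies a raw probe of the port to catch plain HTTP being served on 443, the usual cause of the question's first error, ssl_error_rx_record_too_long. Hostname and port are placeholders; the -state line wording assumed is OpenSSL 1.1's, and the sample transcripts at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not code from the original page. Assumes the line wording
# that `openssl s_client -state` prints in OpenSSL 1.1 (other releases may
# phrase these lines slightly differently).

# Classify an `openssl s_client -state` transcript read from stdin.
# Prints one of: client-cert-required, no-common-parameters, handshake-ok, unknown.
classify_tls_transcript() {
    t=$(cat)
    cert_req=no; alert=no; server_hello=no; finished=no
    # The server asked for a client certificate (Apache: SSLVerifyClient require).
    if printf '%s\n' "$t" | grep -q 'read server certificate request'; then cert_req=yes; fi
    # A TLS 1.2 server answers a missing client cert with "handshake failure";
    # a TLS 1.3 server uses the "certificate required" alert instead.
    if printf '%s\n' "$t" | grep -Eq 'alert read:fatal:(handshake failure|certificate required)'; then alert=yes; fi
    # No ServerHello at all means the server rejected the ClientHello itself
    # (no common cipher suite or protocol version).
    if printf '%s\n' "$t" | grep -q 'read server hello'; then server_hello=yes; fi
    # "read finished" only appears when the handshake completed.
    if printf '%s\n' "$t" | grep -q 'read finished'; then finished=yes; fi

    if [ "$alert" = yes ] && [ "$cert_req" = yes ]; then
        echo client-cert-required
    elif [ "$alert" = yes ] && [ "$server_hello" = no ]; then
        echo no-common-parameters
    elif [ "$alert" = no ] && [ "$finished" = yes ]; then
        echo handshake-ok
    else
        echo unknown
    fi
}

# Classify the first line that comes back from a plaintext probe of the port
# (e.g. `printf 'HEAD / HTTP/1.0\r\n\r\n' | nc host 443`), read from stdin.
classify_port_probe() {
    first=$(head -n 1)
    case "$first" in
        HTTP/*) echo plaintext-http ;;   # web server spoke HTTP on the TLS port: rx_record_too_long in Firefox
        '')     echo no-response ;;      # a TLS listener ignores plaintext; nothing came back
        *)      echo other ;;
    esac
}

# Live run against a host (placeholder arguments; needs network access).
# </dev/null makes s_client exit after the handshake instead of waiting for input.
diagnose_tls_host() {
    host=$1; port=${2:-443}
    openssl s_client -state -verify 0 -connect "$host:$port" </dev/null 2>&1 | classify_tls_transcript
}

# Constructed sample transcript of a server that required a client certificate.
SAMPLE_CERT_REQUIRED='SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:SSLv3/TLS read server certificate request
SSL_connect:SSLv3/TLS read server done
SSL_connect:SSLv3/TLS write finished
SSL3 alert read:fatal:handshake failure
SSL_connect:error in error'

printf '%s\n' "$SAMPLE_CERT_REQUIRED" | classify_tls_transcript

if [ $# -gt 0 ]; then
    diagnose_tls_host "$1" "${2:-443}"
fi
```

Run it with a hostname (and optional port) to diagnose a live server, or pipe a saved transcript into classify_tls_transcript; the no-common-parameters result is the case to investigate with SSLCipherSuite and SSLProtocol, while client-cert-required points straight at SSLVerifyClient.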
Solution 2
The web server is likely requiring the client to authenticate. In Apache this is in httpd.conf: "SSLVerifyClient require". This requires you to have a "Your Certificate" loaded in Firefox AND the CA certificate chains loaded as well.
The problem is that the Personal or CA Server certificates might not be tied across the CA chains, might be expired, or might be corrupted.
Try to reimport the personal certificate, and reimport all CAs referenced in the personal certificate.
HOWTO: Tools, Options, Encryption, View Certificates. Your Certificates: Import your certificate from a PKCS12 file (*.p12). Servers: Import certificate files (*.cer); you may need several of these depending on the chain.
Updated on September 17, 2022
Comments
-
animuson over 1 year:
I followed section 1B of this guide to create a certificate and sign it on my own and set up Apache to use that certificate, but whenever I try to view my website securely, Firefox spits out this error:
Secure Connection Failed
An error occurred during a connection to animuson.com.
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)
I tried it with 4096 first. Then, instead of using the 4096 that is in the guide, I used 1028 instead (which I thought was the normal size to use). I'm using Apache2 on CentOS 5...
From "/etc/httpd/conf/extra/httpd-ssl.conf" (compressed together, of course):
Listen 443 SSLEngine On SSLCertificateFile "/etc/httpd/conf/ssl/server.crt" SSLCertificateKeyFile "/etc/httpd/conf/ssl/server.key"
Any ideas?
EDIT
I moved the files from their default ssl.key and ssl.crt directories and I did something else that I don't remember, which seemed to work. It started showing the 'Add Exception' page and I installed my root certificate in my browser; now it displays the following error:
Secure Connection Failed
An error occurred during a connection to animuson.com.
SSL peer was unable to negotiate an acceptable set of security parameters.
(Error code: ssl_error_handshake_failure_alert)
I don't have any idea what this means or what information you might need to help me out with it.
-
elmo almost 14 years: This might have been easier if you hadn't compressed your configuration. Do you have a VirtualHost set up covering :443?
-
user2910702 almost 14 years: You might be doing http on the https port. Check with nc or telnet.
-
medina almost 14 years: Got anything else going on in your config SSL-wise? This message comes from SSL_ERROR_HANDSHAKE_FAILURE_ALERT (as seen with
openssl s_client -connect [...]
). Have you got SSLVerifyClient, something funky with SSLCipherSuite, etc?
-
animuson almost 14 years: Thanks to @medina above, for some reason SSLVerifyClient was set to require instead of none (default). I just commented out the line and it started working. I'm not at all experienced with the OpenSSL stuff so I didn't know what settings to even look at for this. Thanks again. :)