ssl_error_handshake_failure_alert with Commercial CA-based client certificate
Solution 1
Seeing that the handshake fails it could be that the client doesn't understand (or is configured to use) the negotiated SSL Protocol. Check eg in FF whether all SSL protocols are enabled (SSL2, SSL3, TLSv1) and match that up with the SSL protocol configured for Apache.
update: it might also be usefull to do a network trace to see what cypher suites both client and server support. Maybe they cannot find matching suite and hence the handshake fails.
or setting up the modssl log can reveal some more detail as well : http://www.modssl.org/docs/2.8/ssl_reference.html#ToC19
Solution 2
Are you by any chanced running Debian/Lenny?
We ran into a similiar issue and finally found out that accepted certificates now mustn't have MD5 (SHA-something is fine) checksum because it's considered insecure.
Our issue was with GnuTLS+OpenLDAP thou. You might want to try a renewed cert or even a self-signed cert before spending more money.
Related videos on Youtube
Admin
Updated on September 17, 2022Comments
-
Admin over 1 year
Attempting to implement client authentication with an SSL cert.
http://www.modssl.org/docs/2.8/ssl_howto.html#auth-selective
Receive the following errors.
Apache: Re-negotiation handshake failed: Not accepted by client!?
Firefox:
ssl_error_handshake_failure_alert
I assume it is a configuration error, but have not been able to locate it.
Additional info: Commercial CA server cert servers secure works without problem in Apache 2.2 & Passenger. Only client authentication related directives do not work.
-
David Pashley almost 15 yearsErm modssl.org is for Apache1.3. Apache2 has SSL built in. Which version are you using?
-
Admin almost 15 yearsIt looks like the SSL configuration is the same for Apache 2.2. httpd.apache.org/docs/2.2/ssl/ssl_howto.html#accesscontrol I will setup the SSL logging tonight to trace the handshake. I think it might be related to the Configuration of the SSLCACertificateFile. httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcacertificatefile
-