Re: [RHEL6.2] SSL handshake failure

Thanks a ton, Igor!

I copied SSLCipherSuite into the conf file of httpd_2.2.21, and it works!

Cheers,
-Aubrey

#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

On Mon, Mar 19, 2012 at 5:50 AM, Igor Cicimov <icicimov@xxxxxxxxx> wrote:
> "[Mon Mar 19 06:51:12 2012] [info] SSL Library Error: 336109761
> error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher Too
> restrictive SSLCipherSuite or using DSA server certificate?"
>
> Check the SSLCipherSuite directive in your SSL host as the error says it
> might be too restrictive. Try adding more options.
>
> On Mar 19, 2012 2:00 AM, "Aubrey Li" <aubreylee@xxxxxxxxx> wrote:
>>
>> Here is what I got when I put the loglevel to debug in httpd.conf
>> ===============================================================
>> [Mon Mar 19 06:51:12 2012] [debug] ssl_engine_kernel.c(1866): OpenSSL: Handshake: start
>> [Mon Mar 19 06:51:12 2012] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: before/accept initialization
>> [Mon Mar 19 06:51:12 2012] [debug] ssl_engine_io.c(1897): OpenSSL: read 11/11 bytes from BIO#7fa4600011a0 [mem: 7fa460006ac0] (BIO dump follows)
>> [Mon Mar 19 06:51:12 2012] [debug] ssl_engine_io.c(1830): +-------------------------------------------------------------------------+
>> [Mon Mar 19 06:51:12 2012] [debug] ssl_engine_io.c(1869): | 0000: 16 03 00 00 2d 01 00 00-29 03                    ....-...).       |
>> [Mon Mar 19 06:51:12 2012] [debug] ssl_engine_io.c(1873): | 0011 - <SPACES/NULS>
>> [Mon Mar 19 06:51:12 2012] [debug] ssl_engine_io.c(1875): +-------------------------------------------------------------------------+
>> [Mon Mar 19 06:51:12 2012] [debug] ssl_engine_io.c(1897): OpenSSL: read 39/39 bytes from BIO#7fa4600011a0 [mem: 7fa460006acb] (BIO dump follows)
>> [Mon Mar 19 06:51:12 2012] [debug] ssl_engine_io.c(1830): +-------------------------------------------------------------------------+
>> [Mon Mar 19 06:51:12 2012] [debug] ssl_engine_io.c(1869): | 0000: 4f 66 66 ec 02 5d 92 3d-4d db ee c7 10 f5 d5 43  Off..].=M......C |
>> [Mon Mar 19 06:51:12 2012] [debug] ssl_engine_io.c(1869): | 0010: 3e 16 87 86 7b c9 a0 88-db 60 5a c8 f1 46 10 8f  >...{....`Z..F.. |
>> [Mon Mar 19 06:51:12 2012] [debug] ssl_engine_io.c(1869): | 0020: 00 00 02 00 04 01                                ......           |
>> [Mon Mar 19 06:51:12 2012] [debug] ssl_engine_io.c(1873): | 0039 - <SPACES/NULS>
>> [Mon Mar 19 06:51:12 2012] [debug] ssl_engine_io.c(1875): +-------------------------------------------------------------------------+
>> [Mon Mar 19 06:51:12 2012] [debug] ssl_engine_kernel.c(1884): OpenSSL: Write: SSLv3 read client hello C
>> [Mon Mar 19 06:51:12 2012] [debug] ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSLv3 read client hello C
>> [Mon Mar 19 06:51:12 2012] [debug] ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSLv3 read client hello C
>> [Mon Mar 19 06:51:12 2012] [info] [client 10.2.1.2] SSL library error 1 in handshake (server www.example.com:443)
>> [Mon Mar 19 06:51:12 2012] [info] SSL Library Error: 336109761 error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher Too restrictive SSLCipherSuite or using DSA server certificate?
>> [Mon Mar 19 06:51:12 2012] [info] [client 10.2.1.2] Connection closed to child 2 with abortive shutdown (server www.example.com:443)
>> ==================================================================
>> Quite strange: the openssl s_client command can pass the SSL handshake while
>> this Java application cannot.
>>
>> openssl version is 0.9.8u
>>
>> Welcome any inputs!
>>
>> Thanks,
>> -Aubrey
>>
>>
>> On Fri, Mar 16, 2012 at 1:50 AM, Mark Montague <mark@xxxxxxxxxxx> wrote:
>> > On March 15, 2012 13:31 , Aubrey Li <aubreylee@xxxxxxxxx> wrote:
>> >>
>> >> Thanks for your reply. Here is the output of httpd -V. [...]
>> >>
>> >>
>> >>  -D HTTPD_ROOT="/export/bench/benchmarks/apache2"
>> >>  -D SUEXEC_BIN="/export/bench/benchmarks/apache2/bin/suexec"
>> >>  -D DEFAULT_PIDLOG="logs/httpd.pid"
>> >>  -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
>> >>  -D DEFAULT_ERRORLOG="logs/error_log"
>> >>  -D AP_TYPES_CONFIG_FILE="conf/mime.types"
>> >>  -D SERVER_CONFIG_FILE="conf/httpd.conf"
>> >>
>> >>>> I built httpd-2.2.22 on a RHEL6.2 system with SSL enabled. Then I made a
>> >>>> client to create a connection to httpd but received a handshake failure
>> >>>> report.
>> >>>>
>> >>>> [...]
>> >>>>
>> >>>> When I connect the client to the server (RHEL6.2), there is no access_log,
>> >>>> no err_log, nothing added in /var/log/messages, it's very weird.
>> >
>> >
>> > So you are saying that you have a file at
>> > /export/bench/benchmarks/apache2/conf/httpd.conf that contains all of the
>> > correct directives to configure SSL, logging, and appropriate virtual hosts?
>> >
>> > And you are saying that no logs are appearing at
>> > /export/bench/benchmarks/apache2/logs/error_log nor at the location that you
>> > specify in your ErrorLog directive in
>> > /export/bench/benchmarks/apache2/conf/httpd.conf ?
>> >
>> > In this case, what user are you starting httpd as?  What are the values for
>> > the User and Group directives in
>> > /export/bench/benchmarks/apache2/conf/httpd.conf ? Do that user and group
>> > have write access to the place you are telling this version of httpd to
>> > write its error logs?
>> >
>> > Is this system running any Mandatory Access Control system such as SELinux,
>> > AppArmor, Tomoyo, or grsecurity that could be interfering with what this
>> > version of httpd is trying to do or where it is trying to do it?   If so,
>> > then check the log files for the Mandatory Access Control system that you
>> > are running to find out what the problem is.
>> >
>> > Hopefully other people on this list will have additional, and better,
>> > suggestions of things to check.
>> >
>> > --
>> >  Mark Montague
>> >  mark@xxxxxxxxxxx
>> >
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>>
>
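The debug log quoted above contains the complete ClientHello, so the cause of "no shared cipher" can be read off the bytes instead of guessed at by loosening SSLCipherSuite. The following is an added example, not code from this thread, from mod_ssl or from OpenSSL: it decodes the two BIO dumps (rebuilding the two trailing 0x00 bytes that mod_ssl collapsed into `<SPACES/NULS>`) and then checks the offered suites against both SSLCipherSuite strings from the thread. The cipher-string evaluator is a deliberately small model of OpenSSL's rules over a hand-picked slice of the suite table, enough to show what `!MD5` and `ALL` do; the authoritative answer for any string is `openssl ciphers -v '<string>'` on the server itself.

```python
"""Decode the SSLv3 ClientHello from the mod_ssl debug dump above and check it
against an SSLCipherSuite string. The evaluator is a small model of OpenSSL's
cipher-string rules over a few suites; `openssl ciphers -v` is the real thing."""
import struct

# Bytes from the two BIO dumps in the thread (11 + 39 bytes). The trailing 0x00
# bytes that mod_ssl collapsed into "<SPACES/NULS>" are reconstructed here.
CLIENT_HELLO = bytes.fromhex(
    "16 0300 002d"                          # record: handshake, SSLv3, 45 bytes
    "01 000029"                             # handshake: ClientHello, 41 bytes
    "0300"                                  # client_version: SSLv3
    "4f6666ec 025d923d 4ddbeec7 10f5d543"   # 32-byte random, gmt_unix_time first
    "3e168786 7bc9a088 db605ac8 f146108f"
    "00"                                    # session_id: empty
    "0002 0004"                             # one cipher suite: 0x0004
    "01 00"                                 # one compression method: null
)

# Slice of OpenSSL's suite table: id -> (name, key exchange, auth, enc, mac, strength)
SUITES = {
    0x0004: ("RC4-MD5",     "RSA",      "RSA",  "RC4(128)", "MD5",  "MEDIUM"),
    0x0005: ("RC4-SHA",     "RSA",      "RSA",  "RC4(128)", "SHA1", "MEDIUM"),
    0x002F: ("AES128-SHA",  "RSA",      "RSA",  "AES(128)", "SHA1", "HIGH"),
    0x0009: ("DES-CBC-SHA", "RSA",      "RSA",  "DES(56)",  "SHA1", "LOW"),
    0x0003: ("EXP-RC4-MD5", "RSA(512)", "RSA",  "RC4(40)",  "MD5",  "EXPORT"),
    0x0001: ("NULL-MD5",    "RSA",      "RSA",  "None",     "MD5",  "eNULL"),
    0x0018: ("ADH-RC4-MD5", "DH",       "None", "RC4(128)", "MD5",  "MEDIUM"),
}

def parse_client_hello(data):
    """Parse one SSLv3/TLS record carrying a ClientHello; ValueError if malformed."""
    ctype, rec_ver, rec_len = struct.unpack("!BHH", data[:5])
    body = data[5:5 + rec_len]
    if ctype != 0x16 or rec_len < 4 or len(body) != rec_len:
        raise ValueError("not a complete handshake record")
    hlen = int.from_bytes(body[1:4], "big")
    h = body[4:4 + hlen]
    if body[0] != 0x01 or len(h) != hlen or hlen < 38:
        raise ValueError("not a complete ClientHello")
    client_ver, gmt_time = struct.unpack("!HI", h[:6])
    pos = 34                                   # past version and 32-byte random
    sid_len = h[pos]; pos += 1
    session_id = h[pos:pos + sid_len]; pos += sid_len
    cs_len = struct.unpack("!H", h[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", h[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    comp_len = h[pos]; pos += 1
    comps = list(h[pos:pos + comp_len]); pos += comp_len
    return {"record_version": rec_ver, "client_version": client_ver,
            "gmt_unix_time": gmt_time, "session_id": session_id,
            "cipher_suites": suites, "compression": comps, "has_extensions": pos < hlen}

def _matches(keyword, attrs):
    """Does one cipher-string keyword select this suite? (subset of OpenSSL's keywords)"""
    _, kx, au, enc, mac, strength = attrs
    return {
        "ALL": enc != "None", "eNULL": enc == "None", "aNULL": au == "None",
        "HIGH": strength == "HIGH", "MEDIUM": strength == "MEDIUM", "LOW": strength == "LOW",
        "EXP": strength == "EXPORT", "EXPORT56": strength == "EXPORT" and "(56)" in enc,
        "ADH": kx == "DH" and au == "None", "RSA": kx.startswith("RSA") and au == "RSA",
        "RC4": enc.startswith("RC4"), "MD5": mac == "MD5", "SHA": mac == "SHA1",
        "SSLv2": False,                         # no SSLv2-only suites in this slice
    }.get(keyword, False)                       # keywords not modelled select nothing

def cipher_list(spec):
    """OpenSSL cipher-string rules in miniature: a bare keyword adds, '!' kills for
    the rest of the string, '-' drops (re-addable later), '+' only moves already
    selected suites to the end of the list, and 'A+B' requires both keywords."""
    selected, killed = [], set()
    for token in spec.split(":"):
        if not token:
            continue
        op = token[0] if token[0] in "!-+" else ""
        words = token[len(op):].split("+")
        hits = [sid for sid, a in SUITES.items() if all(_matches(w, a) for w in words)]
        if op == "!":
            killed.update(hits)
        if op in ("!", "-"):
            selected = [s for s in selected if s not in hits]
        elif op == "+":
            selected = [s for s in selected if s not in hits] + [s for s in selected if s in hits]
        else:
            selected += [s for s in hits if s not in selected and s not in killed]
    return selected

def shared_ciphers(hello, spec):
    """Suites the client offered that the server's SSLCipherSuite also allows."""
    allowed = set(cipher_list(spec))
    return [s for s in hello["cipher_suites"] if s in allowed]

if __name__ == "__main__":
    hello = parse_client_hello(CLIENT_HELLO)
    names = lambda ids: [SUITES[s][0] if s in SUITES else hex(s) for s in ids]
    print("client_version 0x%04x, offered %s" % (hello["client_version"], names(hello["cipher_suites"])))
    for spec in ("HIGH:MEDIUM:!aNULL:!MD5",
                 "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"):
        print("%s\n  shared: %s\n  server also accepts: %s" % (
            spec, names(shared_ciphers(hello, spec)) or "none (no shared cipher)",
            names(cipher_list(spec))))
```

What the decode shows: the client speaks only SSLv3 (0x0300 in both the record header and the hello), sends an empty session ID, and offers exactly one suite, 0x0004, which OpenSSL calls RC4-MD5; the gmt_unix_time field decodes to 2012-03-18 22:51:24 UTC, matching the 06:51 log timestamps in a UTC+8 zone and confirming the byte layout. `HIGH:MEDIUM:!aNULL:!MD5` selects RC4-MD5 through MEDIUM and then kills it again with `!MD5`, which is exactly the "no shared cipher" in the log; openssl s_client got through because its default cipher list offers many suites, not this one alone. The replacement string does admit RC4-MD5, but because it starts from ALL it also admits every LOW and export suite the server has (DES-CBC-SHA and EXP-RC4-MD5 in this slice), while `+SSLv2` and `+eNULL` only reorder suites already selected and so add nothing. The narrower change is to admit just the MD5 suite this client needs (note that `!` is permanent in OpenSSL cipher strings, so `!MD5` would have to become `-MD5` for a later RC4-MD5 entry to take effect), or better still to get the Java client to offer TLS and a suite without MD5.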
