On 19/03/2019 13:40, Perrow, Graeme wrote:
> TLS: error: accept - force handshake failure: errno 11 - moznss error -12162
>
> TLS: can't accept: TLS error -12162:Unsupported hash algorithm used by TLS peer..

Just to confirm - you've not configured client authentication?

Assuming not, the above error message from the server suggests that it doesn't like one of the signature algorithms sent through from the client in the ClientHello. At least I'm assuming that's the point at which it fails. You omitted most of the -debug output so it's a little unclear exactly how far through the handshake it got before the failure occurred.

If my assumption is right then it looks like the server may be behaving incorrectly. It isn't supposed to fail if it encounters a parameter it doesn't recognise - it's just supposed to ignore it.

To test the theory I suggest sending through the same list of signature algorithms in the same order that 1.0.2 sends them. You can do that using the "-sigalgs" parameter to s_client:

openssl s_client -showcerts -host <host>:<port> -debug -sigalgs "RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1"

Matt
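The "ignore what you don't recognise" behaviour described in the message above, as an added example that is not part of the original message and is not OpenSSL or NSS code: it encodes the `-sigalgs` list as a TLS 1.2 `signature_algorithms` extension body (code points from RFC 5246) and parses it the way a tolerant server should. The function names, the `strict` flag and the unrecognised pair `0x08 0x04` are assumptions constructed for the illustration.

```python
# Added example. TLS 1.2 code points from RFC 5246, section 7.4.1.4.1.
HASH = {"SHA1": 2, "SHA224": 3, "SHA256": 4, "SHA384": 5, "SHA512": 6}
SIG = {"RSA": 1, "DSA": 2, "ECDSA": 3}
HASH_NAME = {v: k for k, v in HASH.items()}
SIG_NAME = {v: k for k, v in SIG.items()}

# Rebuilds the exact list passed to -sigalgs in the message above.
SIGALGS_102 = ":".join(
    f"{s}+{h}"
    for h in ("SHA512", "SHA384", "SHA256", "SHA224", "SHA1")
    for s in ("RSA", "DSA", "ECDSA")
)

def encode_sigalgs(spec):
    """Encode 'SIG+HASH:...' as the extension body: 2-byte length, then pairs."""
    pairs = bytearray()
    for item in spec.split(":"):
        sig, hash_ = item.split("+")
        pairs += bytes([HASH[hash_], SIG[sig]])  # hash byte first, then signature
    return len(pairs).to_bytes(2, "big") + bytes(pairs)

def decode_sigalgs(body, strict=False):
    """Return (known names, unknown raw pairs). strict=True models the
    suspected faulty server that aborts on a pair it does not recognise."""
    n = int.from_bytes(body[:2], "big")
    if n == 0 or n % 2 or n != len(body) - 2:
        raise ValueError("malformed signature_algorithms extension")
    known, unknown = [], []
    for i in range(2, len(body), 2):
        h, s = body[i], body[i + 1]
        if h in HASH_NAME and s in SIG_NAME:
            known.append(f"{SIG_NAME[s]}+{HASH_NAME[h]}")
        elif strict:
            raise ValueError(f"unsupported hash algorithm 0x{h:02x}")
        else:
            unknown.append((h, s))  # skipped, not fatal
    return known, unknown

def pick_sigalg(body, server_prefs):
    """First server preference the client also offered, or None."""
    known, _ = decode_sigalgs(body)
    return next((p for p in server_prefs if p in known), None)

def sample_with_unknown():
    """Constructed input: the list above with one unrecognised pair in front."""
    pairs = b"\x08\x04" + encode_sigalgs(SIGALGS_102)[2:]
    return len(pairs).to_bytes(2, "big") + pairs

if __name__ == "__main__":
    print(decode_sigalgs(sample_with_unknown()))
    print(pick_sigalg(sample_with_unknown(), ["RSA+SHA256", "RSA+SHA1"]))
```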