SSL peer was unable to negotiate an acceptable set of security parameters

I followed section 1B of this guide to create a certificate and sign it on my own and set up Apache to use that certificate, but whenever I try to view my website securely, Firefox spits out this error:

Secure Connection Failed

An error occurred during a connection to animuson.com.

SSL received a record that exceeded the maximum permissible length.

(Error code: ssl_error_rx_record_too_long)

I tried it with 4096 first. Then, instead of using the 4096 that is in the guide, I used 1028 instead (which I thought was the normal size to use). I'm using Apache2 on CentOS 5...

From "/etc/httpd/conf/extra/httpd-ssl.conf" (compressed together, of course):

Listen 443
SSLEngine On
SSLCertificateFile "/etc/httpd/conf/ssl/server.crt"
SSLCertificateKeyFile "/etc/httpd/conf/ssl/server.key"

Any ideas?

EDIT

I moved the files from their default ssl.key and ssl.crt directories and I did something else that I don't remember, which seemed to work. It started showing the 'Add Exception' page and I installed my root certificate into my browser; now it displays the following error:

Secure Connection Failed

An error occurred during a connection to animuson.com.

SSL peer was unable to negotiate an acceptable set of security parameters.

(Error code: ssl_error_handshake_failure_alert)

I don't have any idea what this means or what information you might need to help me out with it.


Solution 1:

Great! So just to be clear, you were at the point where the error was SSL_ERROR_HANDSHAKE_FAILURE_ALERT. One nice way to investigate is with

openssl s_client -state -debug -showcerts -verify 0 -connect example.com:443

(and all sorts of useful options) and you were helpful enough to have provided the actual server name.

A handshake error is caused by, well, an error during the SSL / TLS handshake. We got the certificate just fine, which led me to assume that the problem was either something failing in response to the CertificateRequest from the server, or something funky with the cipher suite. The latter problem has its own set of error messages, now that I think about it more. Firefox's NSS and SSL Error Codes is handy here.

SSLVerifyClient require in the Apache configuration will indeed require that the client present a valid certificate to authenticate to the server, which was the problem as you confirm.
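As an added example (not part of the answer above), a small POSIX shell helper that triages the `-state` trace from `openssl s_client` and reports whether the server sent a CertificateRequest before the handshake failure alert, which is the signature of `SSLVerifyClient require` with no usable client certificate. The sample transcript is constructed, and the state-line wording is assumed to match OpenSSL 1.1 / 3.x.

```shell
#!/bin/sh
# Added example, not from the answers above: triage an `openssl s_client -state`
# transcript and say whether the server asked for a client certificate.
# Assumption: the handshake state strings as printed by OpenSSL 1.1 / 3.x.
classify_handshake() {
    transcript=$(cat)           # whole transcript from stdin
    requested=no
    failed=no
    # -state prints one line per handshake message; a CertificateRequest
    # from the server appears as "read server certificate request".
    case "$transcript" in
        *"read server certificate request"*) requested=yes ;;
    esac
    # A fatal alert sent by the server is echoed as "SSL3 alert read:fatal:...".
    case "$transcript" in
        *"alert read:fatal:handshake failure"*) failed=yes ;;
    esac
    if [ "$requested" = yes ] && [ "$failed" = yes ]; then
        echo "server requires a client certificate and rejected ours (check SSLVerifyClient and the CA chain)"
        return 0
    elif [ "$requested" = yes ]; then
        echo "server requested a client certificate and accepted the handshake"
        return 0
    elif [ "$failed" = yes ]; then
        echo "handshake failure without a CertificateRequest: look at cipher suites / protocol versions"
        return 1
    fi
    echo "no CertificateRequest and no fatal alert in transcript"
    return 1
}

# Constructed transcript (not a real capture): a server with
# "SSLVerifyClient require" talking to a client that has no certificate.
SAMPLE_CLIENT_CERT_REQUIRED='SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:SSLv3/TLS read server key exchange
SSL_connect:SSLv3/TLS read server certificate request
SSL_connect:SSLv3/TLS read server done
SSL_connect:SSLv3/TLS write client certificate
SSL_connect:SSLv3/TLS write client key exchange
SSL_connect:SSLv3/TLS write finished
SSL3 alert read:fatal:handshake failure'

printf '%s\n' "$SAMPLE_CLIENT_CERT_REQUIRED" | classify_handshake
# Against a live host (network): the state trace goes to stderr, so merge it.
#   openssl s_client -state -connect host:443 </dev/null 2>&1 | classify_handshake
```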

Solution 2:

The web server is likely requiring the client to authenticate. In the Apache server it is in httpd.conf: "SSLVerifyClient require". This requires you to have a "Your Certificate" loaded in Firefox, AND the CA certificate chains loaded as well.

The problem is that the Personal or CA Server certificates might not be tied across the CA chains, might be expired, or might be corrupted.

Try to reimport the personal certificate, and reimport all CAs referenced in the personal certificate.

HOWTO: Tools, Options, Encryption, View Certificates, Your Certificates. Import your certificate from a PKCS12 file (*.p12). Then Servers, Import, certificate files (*.cer); you may need several of these depending on the chain.