SSL 无法握手
在严格遵循 SSL 证书颁发机构文档后,我很难解决此错误的原因。当通过 HTTPS 访问我的网站时,Firefox 会抛出以下错误:
SSL peer was unable to negotiate an acceptable set of security parameters.
(Error code: ssl_error_handshake_failure_alert)
我返回并在 SSL 错误日志中发现了以下错误(域被故意修改):
[Mon May 09 02:11:05 2011] [warn] RSA server certificate wildcard CommonName (CN) `*.domain.com' does NOT match server name!?
服务器名称在哪里定义?我在 httpd-ssl.conf 文件中找不到合理的解释来解决此错误。感谢您的帮助!
更新终于解决了问题,详情如下:
不幸的是它是由我的 Apache 发行版中的默认值创建的。选项:
SSLVerifyClient require
实际上需要设置为:
SSLVerifyClient optional
我还没有颁发客户端证书。然而,信用是由于缩小问题的答案而产生的。我很感激你的帮助!
After strictly following the SSL certificate authority documentation, I'm stumped to solve the reason for this error. When accessing my website via HTTPS Firefox spits out the following error:
SSL peer was unable to negotiate an acceptable set of security parameters.
(Error code: ssl_error_handshake_failure_alert)
I went back and found this in the SSL error log (domain was modified on purpose):
[Mon May 09 02:11:05 2011] [warn] RSA server certificate wildcard CommonName (CN) `*.domain.com' does NOT match server name!?
Where is the server name defined? I can't find a reasonable explanation in my httpd-ssl.conf file to solve this error. Thanks for your help!
Update Finally solved the problem, detailed below:
Unfortunately it was created by a default value in my Apache distribution. The option:
SSLVerifyClient require
Actually needed to be set as:
SSLVerifyClient optional
I'm not issuing client certs just yet. However credit is due to the answers for narrowing the problem. I appreciate the help!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
日志文件中的这一行稍后可能很重要,但这只是一个[警告],而不是handshake_failure的含义。 Handshake_failure 意味着无法协商密码套件 - 客户端和服务器均不支持任何密码套件。查看您的服务器支持哪些密码。
编辑:我总是忘记,如果客户端未能提供所需的证书,也会导致握手失败(第 7.4.6 节)。
That line in your logfile might matter later, but it's only a [warn] and it's not what handshake_failure means. Handshake_failure means that a cipher suite could not be negotiated -- no cipher suite is supported by both client and server. Look at what ciphers are supported by your server.
Edit: I always forget that if a client fails to provide a required certificate, that also results in handshake_failure (section 7.4.6).
SSL 将 CommonName 与您实际尝试连接的服务器的名称进行比较。
您可能正在使用替代名称,例如“localhost”或 IP 地址。
SSL compares the CommonName with the name of the server you actually try to connect to.
Possibly you are using an alternative name like 'localhost' or an IP Adress.
解决了这个问题,不幸的是它是由我的 Apache 发行版中的默认值创建的。选项:
实际上需要设置为:
我还没有颁发客户端证书。然而,信用是由于缩小问题的答案而产生的。我很感激你的帮助!
Solved the problem, and unfortunately it was created by a default value in my Apache distribution. The option:
Actually needed to be set as:
I'm not issuing client certs just yet. However credit is due to the answers for narrowing the problem. I appreciate the help!