Here follows a simple full server SSL setup for reference.

----------------------------------------------------------
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex default
SSLCertificateFile conf/ssl/www.yourdomain.com.crt
SSLCertificateKeyFile conf/ssl/www.yourdomain.com.key
SSLCACertificatePath conf/ssl
SSLCACertificateFile conf/ssl/YourCA.crt
SSLCARevocationFile conf/ssl/YourCA.crl
SSLCipherSuite HIGH:MEDIUM
SSLProtocol all -SSLv2
SSLEngine on
SSLVerifyClient require
SSLVerifyDepth 1
SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
----------------------------------------------------------

This will allow connections with SSLv3 and TLSv1 from clients with proper certificates.
To skip client auth just remove these two lines:

----------------------------------------------------------
SSLVerifyClient require
SSLVerifyDepth 1
----------------------------------------------------------

Hope that was helpful.

/Daniel, Gizmondo Studios

----- Original Message -----
From: "Alaka Pathy" <[EMAIL PROTECTED]>
To: <modssl-users@modssl.org>
Sent: Tuesday, May 31, 2005 9:44 AM
Subject: Getting 'no shared ciphers' while connecting to the server

> Hi All,
>
> I'm using Apache 1.3.31 with mod_ssl 2.8.17 and
> OpenSSL 0.9.7d binaries. I use RSA based self signed
> certificates for SSL communication.
> My httpd.conf has the following SSLCipherSuite
> configured
>
> SSLSessionCacheTimeout 600
> SSLOptions +StdEnvVars +ExportCertData
> SSLCipherSuite
> ALL:!ADH:!EXPORT56:!EXPORT40:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>
> But, in a freshly installed server, the server doesn't
> accept any requests and I get the following errors
> repeatedly in the Apache error log
>
> mod_ssl: SSL handshake failed (server
> 198.149.32.40:443, client 198.149.32.32) (OpenSSL
> library error follows)
> [Mon May 23 13:37:43 2005] [error] OpenSSL:
> error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no
> shared cipher
> [Hint: Too restrictive SSLCipherSuite or using DSA
> server certificate?]
>
> I browsed the modssl FAQ and got, that sometimes
> regenerating certificates helps. I regenerated the
> server certificates, but I'm still facing the same
> issue.
>
> Has anybody experienced such an error? Any help is
> appreciated.
>
> Thanks in advance,
> -Alaka
>
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      modssl-users@modssl.org
> Automated List Manager                            [EMAIL PROTECTED]
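
The two causes named in the log hint (an SSLCipherSuite that is too restrictive, or a certificate type that none of the enabled suites can use) can be checked offline. The following is an added example, not part of the original thread: it expands cipher strings with the local OpenSSL build through Python's ssl module, so the suite lists will differ from the OpenSSL 0.9.7d in the question, and the client cipher string and the function names are assumptions made for illustration.

```python
import ssl

# Certificate key type -> "auth" label reported by SSLContext.get_ciphers().
AUTH_FOR_CERT = {"rsa": "auth-rsa", "dsa": "auth-dss", "ecdsa": "auth-ecdsa"}


def expand(cipher_string):
    """Expand an SSLCipherSuite-style string with the local OpenSSL build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are configured separately and are always listed; skip them.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def usable_by_server(cipher_string, cert_type):
    """Suites the server can actually serve with a certificate of cert_type."""
    wanted = AUTH_FOR_CERT[cert_type]
    return [c["name"] for c in expand(cipher_string) if c["auth"] == wanted]


def shared_ciphers(server_string, cert_type, client_string):
    """Suites both sides accept, in the order of the server string."""
    offered = {c["name"] for c in expand(client_string)}
    return [n for n in usable_by_server(server_string, cert_type) if n in offered]


def diagnose(server_string, cert_type, client_string):
    """Name which of the two hinted causes applies, or 'ok'."""
    if not usable_by_server(server_string, cert_type):
        return "certificate type excludes every configured suite"
    if not shared_ciphers(server_string, cert_type, client_string):
        return "no shared cipher"
    return "ok"


if __name__ == "__main__":
    # Constructed inputs: the cipher string from the reply, the RSA certificate
    # type from the question, and a hypothetical client that only offers
    # RSA- or ECDSA-authenticated suites.
    for cert in ("rsa", "dsa"):
        print(cert, "->", diagnose("HIGH:MEDIUM", cert, "aRSA:aECDSA"))
```

An empty result from `shared_ciphers` corresponds to the handshake outcome the server logs as "no shared cipher"; comparing the output for the certificate type actually installed against the one assumed is the quickest way to tell the two hinted causes apart.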