Getting 'no shared ciphers' while connecting to the server
Hi All,

I'm using Apache 1.3.31 with mod_ssl 2.8.17 and OpenSSL 0.9.7d binaries. I use RSA-based self-signed certificates for SSL communication. My httpd.conf has the following SSLCipherSuite configured:

    SSLSessionCacheTimeout 600
    SSLOptions +StdEnvVars +ExportCertData
    SSLCipherSuite ALL:!ADH:!EXPORT56:!EXPORT40:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

But in a freshly installed server, the server doesn't accept any requests and I get the following errors repeatedly in the Apache error log:

    mod_ssl: SSL handshake failed (server 198.149.32.40:443, client 198.149.32.32) (OpenSSL library error follows)
    [Mon May 23 13:37:43 2005] [error] OpenSSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher [Hint: Too restrictive SSLCipherSuite or using DSA server certificate?]

I browsed the modssl FAQ and got that sometimes regenerating certificates helps. I regenerated the server certificates, but I'm still facing the same issue. Has anybody experienced such an error? Any help is appreciated.

Thanks in advance,
-Alaka

__
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                                [EMAIL PROTECTED]
Re: Getting 'no shared ciphers' while connecting to the server
Here follows a simple full server SSL setup for reference.

--
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
    SSLPassPhraseDialog builtin
    SSLSessionCache dbm:logs/ssl_scache
    SSLSessionCacheTimeout 300
    SSLMutex default
    SSLCertificateFile conf/ssl/www.yourdomain.com.crt
    SSLCertificateKeyFile conf/ssl/www.yourdomain.com.key
    SSLCACertificatePath conf/ssl
    SSLCACertificateFile conf/ssl/YourCA.crt
    SSLCARevocationFile conf/ssl/YourCA.crl
    SSLCipherSuite HIGH:MEDIUM
    SSLProtocol all -SSLv2
    SSLEngine on
    SSLVerifyClient require
    SSLVerifyDepth 1
    SetEnvIf User-Agent .*MSIE.* \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
--

This will allow connections with SSLv3 and TLSv1 from clients with proper certificates. To skip client auth just remove these two lines:

--
    SSLVerifyClient require
    SSLVerifyDepth 1
--

Hope that was helpful.

/Daniel, Gizmondo Studios

----- Original Message -----
From: Alaka Pathy [EMAIL PROTECTED]
To: modssl-users@modssl.org
Sent: Tuesday, May 31, 2005 9:44 AM
Subject: Getting 'no shared ciphers' while connecting to the server

> Hi All, I'm using Apache 1.3.31 with mod_ssl 2.8.17 and OpenSSL 0.9.7d binaries.
> [...]
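The hint in the error ("too restrictive SSLCipherSuite or using DSA server certificate") can be checked offline before anything is changed on the server: OpenSSL expands the SSLCipherSuite string into concrete suites, and the certificate's key type decides which of those suites the server can actually offer, so if the two sets do not overlap every handshake ends in "no shared cipher". The script below is an added example and is not code from the thread, from mod_ssl or from OpenSSL. It assumes a current Python ssl module (so it expands the strings against the OpenSSL the interpreter was built with, not the 0.9.7d of the thread; SSLv2, export and RC4 suites will not appear), reuses the original poster's and Daniel's cipher strings, adds one constructed ECDSA-only string to show the failing case, and takes the key type as an argument rather than reading the certificate (that value is the "Public Key Algorithm" line of `openssl x509 -noout -text -in server.crt`).

```python
import ssl

# Cipher strings under discussion. The first two come from the thread; the
# third is a constructed example of a list that can never work with an RSA
# certificate, to show the failing case.
ORIGINAL_POSTER = "ALL:!ADH:!EXPORT56:!EXPORT40:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
DANIELS_REPLY = "HIGH:MEDIUM"
ECDSA_ONLY = "ECDHE-ECDSA-AES128-GCM-SHA256"  # assumption: needs an ECDSA key

# Map the certificate's public key algorithm to the authentication tag that
# ssl.SSLContext.get_ciphers() reports for each suite.
AUTH_FOR_KEY = {"RSA": "auth-rsa", "ECDSA": "auth-ecdsa", "DSA": "auth-dss"}


def expand_cipher_string(cipher_string):
    """Let the local OpenSSL expand an SSLCipherSuite-style string into suites.

    Returns [] when the string selects nothing in this OpenSSL build, which on
    the server side guarantees 'no shared cipher' for every client.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    # TLS 1.3 suites are not governed by the cipher string and work with any
    # key type, so they are left out: the legacy (SSLv3/TLSv1) suites are what
    # the error in the thread is about.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def ciphers_usable_with_key(cipher_string, key_algorithm):
    """Keep only the suites whose authentication matches the server key type."""
    wanted = AUTH_FOR_KEY[key_algorithm]
    return [c["name"] for c in expand_cipher_string(cipher_string)
            if c["auth"] in (wanted, "auth-any")]


def diagnose(cipher_string, key_algorithm):
    """Say whether any client could complete a handshake with this pairing."""
    expanded = expand_cipher_string(cipher_string)
    if not expanded:
        return "no suites: the SSLCipherSuite string selects nothing in this OpenSSL build"
    usable = ciphers_usable_with_key(cipher_string, key_algorithm)
    if not usable:
        return (f"no shared cipher possible: {len(expanded)} suites configured, "
                f"none usable with a {key_algorithm} certificate")
    return f"ok: {len(usable)} of {len(expanded)} suites usable with a {key_algorithm} certificate"


if __name__ == "__main__":
    for label, s in (("original poster", ORIGINAL_POSTER),
                     ("reply", DANIELS_REPLY),
                     ("ecdsa only", ECDSA_ONLY)):
        print(f"{label:16} RSA cert -> {diagnose(s, 'RSA')}")
    # The DSA hint from the error message: a DSA certificate only pairs with
    # DHE-DSS suites, which a cipher string may not include at all.
    print(f"{'reply':16} DSA cert -> {diagnose(DANIELS_REPLY, 'DSA')}")
```

If `diagnose` reports "no shared cipher possible" for the server's real string and key type, the fix is on the server side (loosen the string or use a certificate whose key type the string supports); if it reports "ok", the mismatch is with what the failing client offers, which points at the client rather than at httpd.conf.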
Re: Getting 'no shared ciphers' while connecting to the server
Hi Daniel,

I have the SSL setup already as you have mentioned, except these two lines:

    SSLVerifyClient require
    SSLVerifyDepth 1

And moreover, this error I'm seeing in only one server. In all other servers, this works perfectly fine. Do I need to look for any machine-specific things that could be causing the problem? As of now, the problem has been seen only in this configuration: Windows 2000 Professional with Service Pack 3.

Any ideas?

Thanks,
-Alaka

--- Daniel Kimblad [EMAIL PROTECTED] wrote:
> Here follows a simple full server SSL setup for reference.
> [...]
SSLCertificateFile: file server.crt does not exist or empty
I am hosting Apache Web Server on Red Hat Enterprise (RHEL4). The apache rpm is httpd-2.0.52-9.ent

Now when I have default-site SSL-Enabled (default virtual host), I get the following error on restart:

1.

    [EMAIL PROTECTED] ~]# /etc/init.d/httpd restart
    Stopping httpd: [FAILED]
    [Wed May 25 14:39:17 2005] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
    (98)Address already in use: make_sock: could not bind to address [::]:443
    no listening sockets available, shutting down
    Unable to open logs
    [FAILED]

2. When I add a ssl-enabled virtual-host, I get the following error on restart:

    [EMAIL PROTECTED] ~]# /etc/init.d/httpd restart
    Stopping httpd: [FAILED]
    Starting httpd:
    [Wed May 25 14:41:23 2005] [warn] module ssl_module is already loaded, skipping
    [Wed May 25 14:41:24 2005] [warn] module ssl_module is already loaded, skipping
    Warning: DocumentRoot [/home/vh/sslsite1] does not exist
    Syntax error on line 232 of /etc/httpd/conf/httpd.conf:
    SSLCertificateFile: file '/home/vh/sslsite1/server.crt' does not exist or is empty
    [FAILED]

Any idea on the above problem will be most welcome...
Re: SSLCertificateFile: file server.crt does not exist or empty
On Tue, May 31, 2005 at 05:10:27AM -0700, Bibhash Roy wrote:
> I am hosting Apache Web Server on Red Hat Enterprise (RHEL4). The apache rpm is httpd-2.0.52-9.ent
...
> 2. When I add a ssl-enabled virtual-host, I get the following error on restart:
>
>     [EMAIL PROTECTED] ~]# /etc/init.d/httpd restart
>     Stopping httpd: [FAILED]
>     Starting httpd:
>     [Wed May 25 14:41:23 2005] [warn] module ssl_module is already loaded, skipping
>     [Wed May 25 14:41:24 2005] [warn] module ssl_module is already loaded, skipping
>     Warning: DocumentRoot [/home/vh/sslsite1] does not exist
>     Syntax error on line 232 of /etc/httpd/conf/httpd.conf:
>     SSLCertificateFile: file '/home/vh/sslsite1/server.crt' does not exist or is empty
>     [FAILED]

You can get this type of error if you have SELinux enabled - check /var/log/messages to see if there is an avc denial message for this file. You'll need to label the certificates correctly if you want to keep SELinux enabled, e.g.

    # chcon user_u:object_r:httpd_config_t /home/vh/sslsite1/server.crt

See:

    http://fedora.redhat.com/docs/selinux-faq-fc3/
    http://fedora.redhat.com/docs/selinux-apache-fc3/

for more details about SELinux and Apache.

joe
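The evidence for the SELinux explanation in the reply is an AVC denial in /var/log/messages naming httpd and the certificate file; the denial also records the file's current label, which is what the chcon command changes. The script below is an added example, not code from the reply, from Red Hat or from the thread. The log lines are constructed in the RHEL4 kernel audit style (a real file will differ in details; AVC records carry the file's basename, not its full path), the target type httpd_config_t is the one the reply suggests, and the example keeps the user and role parts of the denied context rather than assuming them.

```python
import re

# Constructed sample of /var/log/messages on an SELinux host (not from the
# thread); file names follow the original poster's layout.
SAMPLE_LOG = """\
May 31 14:41:23 web1 kernel: audit(1117554083.120:42): avc:  denied  { read } for  pid=2214 comm="httpd" name="server.crt" dev=hda3 ino=98765 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
May 31 14:41:23 web1 httpd: Syntax error on line 232 of /etc/httpd/conf/httpd.conf
May 31 14:41:25 web1 kernel: audit(1117554085.300:43): avc:  denied  { getattr } for  pid=2214 comm="httpd" name="index.html" dev=hda3 ino=98766 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
May 31 14:42:01 web1 kernel: audit(1117554121.010:44): avc:  granted  { read } for  pid=2214 comm="httpd" name="server.crt" dev=hda3 ino=98765 scontext=root:system_r:httpd_t tcontext=user_u:object_r:httpd_config_t tclass=file
"""

# "avc:  denied  { read write } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the AVC record on a log line as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {"verdict": m.group("verdict"), "perms": m.group("perms").split(), **fields}


def denials_for(log_text, basename, comm="httpd"):
    """Denied AVC records where the named process touched the named file."""
    found = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if (rec and rec["verdict"] == "denied"
                and rec.get("comm") == comm and rec.get("name") == basename):
            found.append(rec)
    return found


def relabel_command(path, denial, target_type="httpd_config_t"):
    """Build the chcon invocation from the reply for a denied file.

    The SELinux user and role are taken from the denied tcontext so only the
    type changes; target_type defaults to the type the reply recommends.
    """
    user, role = denial["tcontext"].split(":")[:2]
    return f"chcon {user}:{role}:{target_type} {path}"


if __name__ == "__main__":
    hits = denials_for(SAMPLE_LOG, "server.crt")
    for d in hits:
        print(f"httpd denied {' '.join(d['perms'])} on {d['name']} labelled {d['tcontext']}")
        print("  fix:", relabel_command("/home/vh/sslsite1/server.crt", d))
    if not hits:
        print("no AVC denial for server.crt: SELinux is not what blocks the file")
```

An empty result from `denials_for` is as useful as a hit: it means the "does not exist or is empty" error is what it says (wrong path, empty file, ordinary permissions) and relabelling will not help.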