You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Ke...@infoimageinc.com on 2010/04/14 01:31:29 UTC
[users@httpd] Re-negotiation handshake failed
Greeting!
I'm having a problem on setting up client certificate on my test site on
Apache 2.2.15/OpenSSL 0.9.8m on Windows XP. I followed the "How-To"
articles on mod_ssl (http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html).
When I browse the site, I got the following error message in the log:
Re-negotiation handshake failed: Not accepted by client!?
I read through the documentation. I tried to turn
SSLInsecureRenegotiation on and off, but no luck. I attached the
configuration of my virtual host, hoping that you would point out anything
that I've missed. Oh, when I said that the site wasn't working, I was
referring to my browser, which displays an error page with the code:
ssl_error_handshake_failure_alert, instead of asking me for a certificate.
Thanks,
Kenneth Yeung
<VirtualHost *:10991>
ServerAdmin mysite@mycompany.com
DocumentRoot "C:/hosts-static/mysite/ROOT"
ServerName mysite.mycompany.com
ErrorLog "C:/hosts-static/mysite/log/ROOT-error.log"
CustomLog "C:/hosts-static/mysite/log/ROOT-access.log" common
SSLEngine on
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile "C:/Apache2.2/conf/ssl.crt/mysite.crt"
SSLCertificateKeyFile "C:/Apache2.2/conf/ssl.crt/mysite.key"
SSLInsecureRenegotiation on
<Directory C:/hosts-static/mysite/ROOT>
Order deny,allow
Allow from all
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile
"C:/Apache2.2/conf/ssl.crt/self_signed_ca.crt"
</Directory>
</VirtualHost>
Re: [users@httpd] Re-negotiation handshake failed
Posted by Ke...@infoimageinc.com.
I'm using https.
Thanks,
Kenneth Yeung
Justin Pasher <ju...@newmediagateway.com>
04/15/2010 07:32 AM
Please respond to
users@httpd.apache.org
To
users@httpd.apache.org
cc
Subject
Re: [users@httpd] Re-negotiation handshake failed
KennethYeung@infoimageinc.com wrote:
> Re-negotiation handshake failed: Not accepted by client!?
>
> I read through the documentation. I tried to turn
> SSLInsecureRenegotiation on and off, but no luck. I attached the
> configuration of my virtual host, hoping that you would point out
> anything that I've missed. Oh, when I said that the site wasn't
> working, I was referring to my browser, which displays an error page
> with the code: ssl_error_handshake_failure_alert, instead of asking me
> for a certificate.
>
> <VirtualHost *:10991>
> ...
> </VirtualHost>
Wild guess. Since you are running your VirtualHost on a non-standard SSL
port, are you sure you are trying to access the site using https in the
URL?
e.g.
https://www.example.com:10991/
and not
http://www.example.com:10991/
and not just
www.example.com:10991
--
Justin Pasher
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Re-negotiation handshake failed
Posted by Justin Pasher <ju...@newmediagateway.com>.
KennethYeung@infoimageinc.com wrote:
> Re-negotiation handshake failed: Not accepted by client!?
>
> I read through the documentation. I tried to turn
> SSLInsecureRenegotiation on and off, but no luck. I attached the
> configuration of my virtual host, hoping that you would point out
> anything that I've missed. Oh, when I said that the site wasn't
> working, I was referring to my browser, which displays an error page
> with the code: ssl_error_handshake_failure_alert, instead of asking me
> for a certificate.
>
> <VirtualHost *:10991>
> ...
> </VirtualHost>
Wild guess. Since you are running your VirtualHost on a non-standard SSL
port, are you sure you are trying to access the site using https in the URL?
e.g.
https://www.example.com:10991/
and not
http://www.example.com:10991/
and not just
www.example.com:10991
--
Justin Pasher
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Re-negotiation handshake failed
Posted by Serge Dubrouski <se...@gmail.com>.
The window would pop-up if you had several certs installed in your browser
that could satisfy server's request. Since you have just one cert installed
browser sends it by default.
On Thu, Apr 15, 2010 at 12:27 PM, <Ke...@infoimageinc.com> wrote:
>
> After I installed a certificate on my browser (tested on both IE and
> Firefox), I was able to access the site with client authentication. I was
> expecting my browser to pop up a dialog and ask me for a certificate.
> However, it seems like the browser won't do so if I have no certificate
> installed on my browser. Anyway, thanks for your help.
>
> Kenneth Yeung
>
>
>
> *Serge Dubrouski <se...@gmail.com>*
>
> 04/15/2010 09:44 AM
> Please respond to
> users@httpd.apache.org
>
> To
> users@httpd.apache.org
> cc
> Subject
> Re: [users@httpd] Re-negotiation handshake failed
>
>
>
>
> This message is normal. It says that server expected user certificate
> but it wasn't presented by browser.
>
> On Tue, Apr 13, 2010 at 5:31 PM, <Ke...@infoimageinc.com> wrote:
> >
> > Greeting!
> >
> > I'm having a problem on setting up client certificate on my test site on
> > Apache 2.2.15/OpenSSL 0.9.8m on Windows XP. I followed the "How-To"
> > articles on mod_ssl (http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html
> ).
> > When I browse the site, I got the following error message in the log:
> >
> > Re-negotiation handshake failed: Not accepted by client!?
> >
> > I read through the documentation. I tried to turn
> SSLInsecureRenegotiation
> > on and off, but no luck. I attached the configuration of my virtual
> host,
> > hoping that you would point out anything that I've missed. Oh, when I
> said
> > that the site wasn't working, I was referring to my browser, which
> displays
> > an error page with the code: ssl_error_handshake_failure_alert, instead
> of
> > asking me for a certificate.
> >
> > Thanks,
> >
> > Kenneth Yeung
> >
> >
> > <VirtualHost *:10991>
> > ServerAdmin mysite@mycompany.com
> > DocumentRoot "C:/hosts-static/mysite/ROOT"
> > ServerName mysite.mycompany.com
> > ErrorLog "C:/hosts-static/mysite/log/ROOT-error.log"
> > CustomLog "C:/hosts-static/mysite/log/ROOT-access.log" common
> >
> > SSLEngine on
> > SSLCipherSuite HIGH:MEDIUM
> > SSLCertificateFile "C:/Apache2.2/conf/ssl.crt/mysite.crt"
> > SSLCertificateKeyFile "C:/Apache2.2/conf/ssl.crt/mysite.key"
> >
> > SSLInsecureRenegotiation on
> >
> > <Directory C:/hosts-static/mysite/ROOT>
> > Order deny,allow
> > Allow from all
> >
> > SSLVerifyClient require
> > SSLVerifyDepth 1
> > SSLCACertificateFile
> "C:/Apache2.2/conf/ssl.crt/self_signed_ca.crt"
> >
> > </Directory>
> >
> > </VirtualHost>
>
>
>
> --
> Serge Dubrouski.
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
>
--
Serge Dubrouski.
Re: [users@httpd] Re-negotiation handshake failed
Posted by Ke...@infoimageinc.com.
After I installed a certificate on my browser (tested on both IE and
Firefox), I was able to access the site with client authentication. I was
expecting my browser to pop up a dialog and ask me for a certificate.
However, it seems like the browser won't do so if I have no certificate
installed on my browser. Anyway, thanks for your help.
Kenneth Yeung
Serge Dubrouski <se...@gmail.com>
04/15/2010 09:44 AM
Please respond to
users@httpd.apache.org
To
users@httpd.apache.org
cc
Subject
Re: [users@httpd] Re-negotiation handshake failed
This message is normal. It says that server expected user certificate
but it wasn't presented by browser.
On Tue, Apr 13, 2010 at 5:31 PM, <Ke...@infoimageinc.com> wrote:
>
> Greeting!
>
> I'm having a problem on setting up client certificate on my test site on
> Apache 2.2.15/OpenSSL 0.9.8m on Windows XP. I followed the "How-To"
> articles on mod_ssl (http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html
).
> When I browse the site, I got the following error message in the log:
>
> Re-negotiation handshake failed: Not accepted by client!?
>
> I read through the documentation. I tried to turn
SSLInsecureRenegotiation
> on and off, but no luck. I attached the configuration of my virtual
host,
> hoping that you would point out anything that I've missed. Oh, when I
said
> that the site wasn't working, I was referring to my browser, which
displays
> an error page with the code: ssl_error_handshake_failure_alert, instead
of
> asking me for a certificate.
>
> Thanks,
>
> Kenneth Yeung
>
>
> <VirtualHost *:10991>
> ServerAdmin mysite@mycompany.com
> DocumentRoot "C:/hosts-static/mysite/ROOT"
> ServerName mysite.mycompany.com
> ErrorLog "C:/hosts-static/mysite/log/ROOT-error.log"
> CustomLog "C:/hosts-static/mysite/log/ROOT-access.log" common
>
> SSLEngine on
> SSLCipherSuite HIGH:MEDIUM
> SSLCertificateFile "C:/Apache2.2/conf/ssl.crt/mysite.crt"
> SSLCertificateKeyFile "C:/Apache2.2/conf/ssl.crt/mysite.key"
>
> SSLInsecureRenegotiation on
>
> <Directory C:/hosts-static/mysite/ROOT>
> Order deny,allow
> Allow from all
>
> SSLVerifyClient require
> SSLVerifyDepth 1
> SSLCACertificateFile
"C:/Apache2.2/conf/ssl.crt/self_signed_ca.crt"
>
> </Directory>
>
> </VirtualHost>
--
Serge Dubrouski.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Re-negotiation handshake failed
Posted by Serge Dubrouski <se...@gmail.com>.
This message is normal. It says that server expected user certificate
but it wasn't presented by browser.
On Tue, Apr 13, 2010 at 5:31 PM, <Ke...@infoimageinc.com> wrote:
>
> Greeting!
>
> I'm having a problem on setting up client certificate on my test site on
> Apache 2.2.15/OpenSSL 0.9.8m on Windows XP. I followed the "How-To"
> articles on mod_ssl (http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html).
> When I browse the site, I got the following error message in the log:
>
> Re-negotiation handshake failed: Not accepted by client!?
>
> I read through the documentation. I tried to turn SSLInsecureRenegotiation
> on and off, but no luck. I attached the configuration of my virtual host,
> hoping that you would point out anything that I've missed. Oh, when I said
> that the site wasn't working, I was referring to my browser, which displays
> an error page with the code: ssl_error_handshake_failure_alert, instead of
> asking me for a certificate.
>
> Thanks,
>
> Kenneth Yeung
>
>
> <VirtualHost *:10991>
> ServerAdmin mysite@mycompany.com
> DocumentRoot "C:/hosts-static/mysite/ROOT"
> ServerName mysite.mycompany.com
> ErrorLog "C:/hosts-static/mysite/log/ROOT-error.log"
> CustomLog "C:/hosts-static/mysite/log/ROOT-access.log" common
>
> SSLEngine on
> SSLCipherSuite HIGH:MEDIUM
> SSLCertificateFile "C:/Apache2.2/conf/ssl.crt/mysite.crt"
> SSLCertificateKeyFile "C:/Apache2.2/conf/ssl.crt/mysite.key"
>
> SSLInsecureRenegotiation on
>
> <Directory C:/hosts-static/mysite/ROOT>
> Order deny,allow
> Allow from all
>
> SSLVerifyClient require
> SSLVerifyDepth 1
> SSLCACertificateFile "C:/Apache2.2/conf/ssl.crt/self_signed_ca.crt"
>
> </Directory>
>
> </VirtualHost>
--
Serge Dubrouski.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org