You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by Ricardo Stella <st...@rider.edu> on 2010/11/15 15:43:26 UTC

[users@httpd] ssl_error_rx_unexpected_server_key_exch

Hello,

We're getting these errors on some of our web servers (different
instances running on different ports) being detected by Firefox 3.6.9+

This happens after about a week of normal use.  A restart temporarily
fixes the problem, but we have not been able to find a solution from the
server side.

Tried different iterations of the SSLProtocol and SSLCipherSuite but not
able to get to one that works.  I've posted and got no answers back. 
Supposedly the problem is Firefox does not like SSL DHE cipher suites,
however there's no documentation on how to 'fix it' from the server side.

Currently, I have the following (and still doesn't work):

SSLProtocol all -SSLv2
SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW:!SSLv2:!kEDH:+HIGH:!MEDIUM

Thank you.




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] ssl_error_rx_unexpected_server_key_exch

Posted by Plot Lost <pl...@gmail.com>.

On Mon, Nov 15, 2010 at 6:43 PM, Ricardo Stella <st...@rider.edu> wrote:

>
> Hello,
>
> We're getting these errors on some of our web servers (different
> instances running on different ports) being detected by Firefox 3.6.9+
>
> This happens after about a week of normal use.  A restart temporarily
> fixes the problem, but we have not been able to find a solution from the
> server side.
>
> Tried different iterations of the SSLProtocol and SSLCipherSuite but not
> able to get to one that works.  I've posted and got no answers back.
> Supposedly the problem is Firefox does not like SSL DHE cipher suites,
> however there's no documentation on how to 'fix it' from the server side.
>
> Currently, I have the following (and still doesn't work):
>
> SSLProtocol all -SSLv2
> SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW:!SSLv2:!kEDH:+HIGH:!MEDIUM
>
> Thank you.
>
Not sure if this will help with what you are seeing, but I used the info
available here to setup the SSLCipherSuite etc settings:

http://journal.paul.querna.org/articles/2010/07/10/overclocking-mod_ssl/

In particular this might be of some use

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslhonorcipherorder

The settings I use are:

SSLProtocol TLSv1 SSLv3
SSLCipherSuite RC4-SHA:AES256-SHA:ALL:!ADH:!MD5:!EXP:!LOW:!NULL
SSLHonorCipherOrder on
and have not seen any problems with Firefox (or any other browser) so far...