SSL error: handshake failure alert

When I try to access my website on my machine, I get the error mentioned in the title in Firefox. This is the error I get:

An error occurred during a connection to www.st.um. SSL peer was unable to negotiate an acceptable set of security parameters. (Error code: ssl_error_handshake_failure_alert) 

This is my virtual host configuration:

    <VirtualHost *:443>
        ServerAdmin [email protected]
        ServerName www.st.um
        DocumentRoot /var/www/web
        <Directory /var/www/web>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
        </Directory>
        SSLEngine on
        SSLCertificateFile /usr/lib/ssl/demoCA/servercert.pem
        SSLCertificateKeyFile /usr/lib/ssl/demoCA/serverkey.pem
        SSLCACertificateFile /usr/lib/ssl/demoCA/stcert.pem
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
        SSLVerifyClient require
        SSLVerifyDepth 10
    </VirtualHost>

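The certificate "servercert.pem" is signed by my CA, "stcert.pem", and I can use the "servercert.pem" certificate and the "serverkey.pem" key perfectly well to access s_server as the server. The CA is imported and trusted in the web browser's list of authorities: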

 openssl s_server -cert servercert.pem -key serverkey.pem -www 

I can also access my website as a client using a PKCS#12 file generated from the "clientcert.pem" certificate and the "clientkey.pem" key.

The only thing I have in /etc/log/apache2/error.log is:

 [Sat May 25 02:44:11 2013] [notice] Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.6 with Suhosin-Patch mod_ssl/2.2.22 OpenSSL/1.0.1 configured -- resuming normal operations 

I edited my virtual host configuration and removed:

    SSLVerifyClient require
    SSLVerifyDepth 10

Now it works for server-side authentication. The "SSLVerifyClient require" directive overrides the following lines:

    SSLCertificateFile /usr/lib/ssl/demoCA/servercert.pem
    SSLCertificateKeyFile /usr/lib/ssl/demoCA/serverkey.pem
    SSLCACertificateFile /usr/lib/ssl/demoCA/stcert.pem

That was the problem. The "SSLVerifyClient require" directive is for client authentication, and it makes OpenSSL always require a certificate from the client.
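
An added example, not part of the original post: a self-contained lab that reproduces the alert with `openssl s_server -Verify` (the s_server counterpart of `SSLVerifyClient require`) and shows the same handshake succeeding once the client presents a certificate signed by the configured CA. The throwaway CA, the `lab-*` names, port 14433 and the `probe`/`mtls_lab` helpers are assumptions made for the example.

```shell
#!/bin/sh
# Constructed lab: throwaway CA, server and client certificates in a temp dir.
# Assumes the openssl CLI is installed and local port 14433 is free.
LAB_PORT=14433

# probe DIR [extra s_client args]: one TLS 1.2 handshake against the lab server.
probe() {
  dir=$1; shift
  out=$(openssl s_client -connect "127.0.0.1:$LAB_PORT" -tls1_2 \
        -CAfile "$dir/ca.pem" "$@" </dev/null 2>&1) || true
  case $out in
    *"alert handshake failure"*) echo handshake_failure ;;
    *"Verify return code: 0 (ok)"*) echo ok ;;
    *) echo other ;;
  esac
}

mtls_lab() {
  d=$(mktemp -d) || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Lab CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  for n in server client; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=lab-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    openssl x509 -req -in "$d/$n.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
      -CAcreateserial -days 1 -out "$d/$n.pem" 2>/dev/null
  done
  # -Verify (capital V) makes s_server demand a client certificate, the
  # same policy as "SSLVerifyClient require"; -CAfile plays the role of
  # SSLCACertificateFile (the CA that client certificates must chain to).
  openssl s_server -accept "$LAB_PORT" -www -Verify 10 -CAfile "$d/ca.pem" \
    -cert "$d/server.pem" -key "$d/server.key" >/dev/null 2>&1 &
  srv=$!
  sleep 1
  no_cert=$(probe "$d")
  with_cert=$(probe "$d" -cert "$d/client.pem" -key "$d/client.key")
  kill "$srv" 2>/dev/null || true
  wait "$srv" 2>/dev/null || true
  rm -rf "$d"
  echo "without_cert=$no_cert with_cert=$with_cert"
}

if [ "${1:-}" = "run" ]; then mtls_lab; fi
```

Saved to a file and started with the argument `run`, the script prints one line with the result of each probe. The client is pinned to TLS 1.2 because a TLS 1.3 server reports a missing client certificate with a different alert (`certificate_required`).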