Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change 
notification.

The "ScratchPad" page has been changed by TomasPospisek:
http://wiki.apache.org/httpd/ScratchPad?action=diff&rev1=3&rev2=4

Comment:
working on the "debugging SSL" article

  
  Unfortunately IE is not helpful at all in its failure mode. When something's 
wrong, it will not finalize the setup of the SSL connection and not display any 
useful error. FF instead will at least display a semi useful error.
  
+ 
+ == Finding out what caused a handshake to fail ==
+ 
+ If client and server fail to setup an SSL communication channel between them, 
you'll see something like the following in apache's ssl log (see the paragraph 
on "SSL Error Loggin" on how to set it up):
+ 
+ {{{
+ [Thu Oct 06 16:39:06 2011] [debug] ssl_engine_kernel.c(1791): OpenSSL: Exit: 
error in SSLv3 read client certificate B
+ [Thu Oct 06 16:39:06 2011] [error] Re-negotiation handshake failed: Not 
accepted by client!?
+ }}}
+ 
+ That is only half-way useful, since first it doesn't say what exactly was the 
reason that the client didn't accept the certificate and second in this 
specific case it's missleading, because in fact it was the server that told the 
client that id wouldn't accept the certificate that the client was presenting 
to it.
+ 
+ A more specific reason for the communications breakdown can be found in the 
SSL protocol trace (see the "Debugging tools" section on how to do a trace).
+ 
+ 
[[http://blogs.msdn.com/b/sudeepg/archive/2009/02/16/debugging-ssl-handshake-failure-using-network-monitor-a-scenario.aspx|This
 document]] explains how to dissect the handshake and how to find the relevant 
message containing the specific error code. Note that one doesn't need the 
Microsoft Network Monitor to do the message dissecting: Wireshark works equally 
well.
+ 
+ The important thing to take away from the 
[[http://blogs.msdn.com/b/sudeepg/archive/2009/02/16/debugging-ssl-handshake-failure-using-network-monitor-a-scenario.aspx|the
 document]] is that SSL contains an alert protocol, that can be seen and found 
in the transmitted TCP packets of an SSL communication, that contains an error 
code specifying containing the reason why a communication failed to be set up.
+ 
+ As you can see in the screenshot, the two bytes contained in the "Alert 
Message" contain the error code "2f", which can be looked up in the respective 
[[http://tools.ietf.org/html/rfc2246#section-7.2|rfc]]. In this case it's the 
code 47 (0x2f), which means "illegal_parameter" - there was some property of 
the certificate that the server (!) didn't like and refuses to accept. In our 
case the server was expecting a different issuer CN.
+ 
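Review bot: the paragraph that begins "As you can see in the screenshot" refers to a screenshot that is not attached to this page, so either upload the image to the wiki page or describe the bytes in text; and the phrase 'the two bytes contained in the "Alert Message" contain the error code "2f"' is imprecise, because per RFC 2246 section 7.2 an Alert message consists of two one-byte fields, level (1 = warning, 2 = fatal) and description, and only the second byte carries 0x2f = 47 = illegal_parameter, so the text should direct the reader to the description byte, e.g. "the second byte of the Alert message, the description, is 0x2f (47), which RFC 2246 names illegal_parameter". Smaller fixes in the same hunk: "SSL Error Loggin" should read "SSL Error Logging", "missleading" should read "misleading", "told the client that id wouldn't accept" should read "told the client that it wouldn't accept", "specifying containing the reason" should read "specifying the reason", "fail to setup" should read "fail to set up", and the second link is written as "the [[...|the document]]", which renders as "the the document".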

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscr...@httpd.apache.org
For additional commands, e-mail: docs-h...@httpd.apache.org
