Hi Daniel,

I have the SSL setup already as you have mentioned, except these two lines.

SSLVerifyClient require
SSLVerifyDepth 1

And moreover, this error I'm seeing in only one server. In all other servers, this works perfectly fine. Do I need to look for any machine-specific things that could be causing the problem? As of now, the problem has been seen only in this configuration: Windows 2000 Professional with Service Pack 3.

Any ideas?

Thanks,
-Alaka

--- Daniel Kimblad <[EMAIL PROTECTED]> wrote:

> Here follows a simple full server SSL setup for reference.
> ----------------------------------------------------------
> SSLRandomSeed startup builtin
> SSLRandomSeed connect builtin
>
> AddType application/x-x509-ca-cert .crt
> AddType application/x-pkcs7-crl .crl
>
> SSLPassPhraseDialog builtin
> SSLSessionCache dbm:logs/ssl_scache
> SSLSessionCacheTimeout 300
>
> SSLMutex default
>
> SSLCertificateFile conf/ssl/www.yourdomain.com.crt
> SSLCertificateKeyFile conf/ssl/www.yourdomain.com.key
>
> SSLCACertificatePath conf/ssl
> SSLCACertificateFile conf/ssl/YourCA.crt
>
> SSLCARevocationFile conf/ssl/YourCA.crl
>
> SSLCipherSuite HIGH:MEDIUM
> SSLProtocol all -SSLv2
> SSLEngine on
>
> SSLVerifyClient require
> SSLVerifyDepth 1
>
> SetEnvIf User-Agent ".*MSIE.*" \
>     nokeepalive ssl-unclean-shutdown \
>     downgrade-1.0 force-response-1.0
>
> ----------------------------------------------------------
> This will allow connections with SSLv3 and TLSv1 from clients
> with proper certificates.
> To skip client auth just remove these two lines:
> ----------------------------------------------------------
>
> SSLVerifyClient require
> SSLVerifyDepth 1
>
> ----------------------------------------------------------
> Hope that was helpful.
>
> /Daniel, Gizmondo Studios
>
>
> ----- Original Message -----
> From: "Alaka Pathy" <[EMAIL PROTECTED]>
> To: <modssl-users@modssl.org>
> Sent: Tuesday, May 31, 2005 9:44 AM
> Subject: Getting 'no shared ciphers' while connecting to the server
>
>
> > Hi All,
> >
> > I'm using Apache 1.3.31 with mod_ssl 2.8.17 and OpenSSL 0.9.7d
> > binaries. I use RSA-based self-signed certificates for SSL
> > communication.
> > My httpd.conf has the following SSLCipherSuite configured:
> >
> > SSLSessionCacheTimeout 600
> > SSLOptions +StdEnvVars +ExportCertData
> > SSLCipherSuite ALL:!ADH:!EXPORT56:!EXPORT40:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> >
> > But, in a freshly installed server, the server doesn't accept any
> > requests and I get the following errors repeatedly in the Apache
> > error log:
> >
> > mod_ssl: SSL handshake failed (server 198.149.32.40:443, client 198.149.32.32) (OpenSSL library error follows)
> > [Mon May 23 13:37:43 2005] [error] OpenSSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
> > [Hint: Too restrictive SSLCipherSuite or using DSA server certificate?]
> >
> > I browsed the modssl FAQ and got that sometimes regenerating
> > certificates helps. I regenerated the server certificates, but I'm
> > still facing the same issue.
> >
> > Has anybody experienced such an error? Any help is appreciated.
> >
> > Thanks in advance,
> > -Alaka
> >
> > ______________________________________________________________________
> > Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> > User Support Mailing List                      modssl-users@modssl.org
> > Automated List Manager                            [EMAIL PROTECTED]
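A log triage sketch for the error quoted in this thread, added here as an example and not code from either poster or from mod_ssl. It pairs each "SSL handshake failed" line with the OpenSSL error that follows it, decodes the packed error code (layout used by OpenSSL 0.9.x through 1.1.1), and counts "no shared cipher" failures per server and client; the function names are hypothetical and the log sample is constructed in the shape shown above.

```python
import re
from collections import Counter

# Constructed sample in the two-line shape quoted in the thread (not a real capture).
SAMPLE_LOG = """\
[Mon May 23 13:37:43 2005] [error] mod_ssl: SSL handshake failed (server 198.149.32.40:443, client 198.149.32.32) (OpenSSL library error follows)
[Mon May 23 13:37:43 2005] [error] OpenSSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher [Hint: Too restrictive SSLCipherSuite or using DSA server certificate?]
[Mon May 23 13:37:51 2005] [error] mod_ssl: SSL handshake failed (server 198.149.32.40:443, client 198.149.32.32) (OpenSSL library error follows)
[Mon May 23 13:37:51 2005] [error] OpenSSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
[Mon May 23 13:38:02 2005] [error] mod_ssl: SSL handshake failed (server 198.149.32.40:443, client 198.149.32.77) (OpenSSL library error follows)
[Mon May 23 13:38:02 2005] [error] OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
"""

HANDSHAKE = re.compile(r"SSL handshake failed \(server (\S+), client (\S+)\)")
OPENSSL_ERR = re.compile(r"OpenSSL: error:([0-9A-Fa-f]{8}):[^:]*:([^:]*):([^\[\n]*)")

def decode_err(code_hex):
    """Split a packed OpenSSL (pre-3.0) error code into (lib, func, reason)."""
    e = int(code_hex, 16)
    return (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF

def triage(log_text):
    """Pair each 'handshake failed' line with the OpenSSL error that follows it."""
    events, pending = [], None
    for line in log_text.splitlines():
        m = HANDSHAKE.search(line)
        if m:
            pending = m.groups()          # (server, client) awaiting its error line
            continue
        m = OPENSSL_ERR.search(line)
        if m and pending:
            lib, _func, reason = decode_err(m.group(1))
            events.append({"server": pending[0], "client": pending[1],
                           "lib": lib, "reason": reason,
                           "function": m.group(2), "text": m.group(3).strip()})
            pending = None
    return events

def no_shared_cipher_by_client(events):
    """Count lib 20 (SSL) / reason 193 (no shared cipher) per (server, client)."""
    return Counter((e["server"], e["client"]) for e in events
                   if e["lib"] == 20 and e["reason"] == 193)

if __name__ == "__main__":
    for (server, client), n in no_shared_cipher_by_client(triage(SAMPLE_LOG)).items():
        print(f"{server} <- {client}: {n} x no shared cipher")
```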