当我尝试在我的计算机上访问我的网站时,我在 Firefox 中遇到了标题中提到的错误。这是我遇到的错误:
An error occurred during a connection to www.st.um.
SSL peer was unable to negotiate an acceptable set of security parameters.
(Error code: ssl_error_handshake_failure_alert)
这是我的虚拟主机配置:
<VirtualHost *:443>
ServerAdmin [email protected]
ServerName www.st.um
DocumentRoot /var/www/web
<Directory /var/www/web>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
SSLEngine on
SSLCertificateFile /usr/lib/ssl/demoCA/servercert.pem
SSLCertificateKeyFile /usr/lib/ssl/demoCA/serverkey.pem
SSLCACertificateFile /usr/lib/ssl/demoCA/stcert.pem
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
SSLVerifyClient require
SSLVerifyDepth 10
</VirtualHost>
证书“servercert.pem”是使用我的 CA:“stcert.pem”认证的,我可以使用证书“servercert.pem”和密钥“serverkey.pem”完美地访问 s_server 作为服务器,并将我的 CA 导入并信任在 Web 浏览器的颁发机构列表中:
openssl s_server -cert servercert.pem -key serverkey.pem -www
我还可以使用由证书“clientcert.pem”及其密钥“clientkey.pem”生成的 PKCS#12 文件作为客户端访问我的网站。
/etc/log/apache2/error.log 中唯一有的是:
[Sat May 25 02:44:11 2013] [notice] Apache/2.2.22 (Ubuntu)
PHP/5.3.10-1ubuntu3.6 with Suhosin-Patch mod_ssl/2.2.22
OpenSSL/1.0.1 configured -- resuming normal operations
答案1
我编辑了我的虚拟主机配置并删除了:
SSLVerifyClient require
SSLVerifyDepth 10
现在它已可用于服务器端身份验证。“SSLVerifyClient require”指令覆盖了以下行:
SSLCertificateFile /usr/lib/ssl/demoCA/servercert.pem
SSLCertificateKeyFile /usr/lib/ssl/demoCA/serverkey.pem
SSLCACertificateFile /usr/lib/ssl/demoCA/stcert.pem
这就是问题所在。“SSLVerifyClient require”指令用于客户端身份验证,它使 openSSL 始终需要来自客户端的证书。