8

I followed section 1B of this guide to create a certificate and sign it on my own and set up Apache to use that certificate, but whenever I try to view my website securely, Firefox spits out this error:

Secure Connection Failed

An error occurred during a connection to animuson.com.

SSL received a record that exceeded the maximum permissible length.

(Error code: ssl_error_rx_record_too_long)

I tried it with 4096 first. Then, instead of using the 4096 that is in the guide, I used 1028 instead (which I thought was the normal size to use). I'm using APache2 on CentOS 5...

From "/etc/httpd/conf/extra/httpd-ssl.conf" (compressed together, of course):

Listen 443
SSLEngine On
SSLCertificateFile "/etc/httpd/conf/ssl/server.crt"
SSLCertificateKeyFile "/etc/httpd/conf/ssl/server.key"

Any ideas?

EDIT

I moved the miles from their default ssl.key and ssl.crt directories and I did something else that I don't remember, which seemed to work. It started showing the 'Add Exception' page and I installed by root certificate to my brower, now it displays the following error:

Secure Connection Failed

An error occurred during a connection to animuson.com.

SSL peer was unable to negotiate an acceptable set of security parameters.

(Error code: ssl_error_handshake_failure_alert)

I don't have any idea what this means or what information you might need to help me out with it.

animuson
  • 279
  • 1
  • 6
  • 20
  • Might have been easier this if you hadn't compressed your configuration. Do you have VirtualHost setup covering :443? – andol Jul 02 '10 at 18:59
  • You might be doing http on the https port. Check with nc or telnet. – Tobu Jul 02 '10 at 21:28
  • Got anything else going on in your config SSL-wise? This message comes from SSL_ERROR_HANDSHAKE_FAILURE_ALERT (as seen with `openssl s_client -connect [...]`). Have you got `SSLVerifyClient`, something funky with `SSLCipherSuite`, etc? – medina Jul 02 '10 at 21:52

2 Answers2

5

Great! So just to be clear, you were at the point where the error was SSL_ERROR_HANDSHAKE_FAILURE_ALERT. One nice way to investigate is with

openssl s_client -state -debug -showcerts -verify 0 -connect example.com:443

(and all sorts of useful options) and you were helpful enough to have provided the actual server name.

Handshake error is caused by, well, an error during the SSL / TLS handshake. We got the certificate just fine, which led me to assume that the problem was either something failing in response to CertificateRequest from the server, or something funky with the cipher suite. The latter problem has its own set of error messages now that I think about it more. Firefox's NSS and SSL Error Codes is handy here.

SSLVerifyClient require in the Apache configuration will indeed require that the client present a valid certificate to authenticate to the server, which was the problem as you confirm.

medina
  • 1,970
  • 10
  • 7
  • Thanks to @medina above, for some reason SSLVerifyClient was set to require instead of none (default). I just commented out the line and it started working. I'm not at all experienced with the OpenSSL stuff so I didn't know what settings to even look at for this. Thanks again. :) – animuson Jul 02 '10 at 22:09
1

web server is likely requiring client to authenticate...in apache server it is in httpd.conf...."SSLVerifyClient require" this requires you to have a "Your Certificate" loaded in Firefox...AND the CA certificate chains loaded as well.

the problem is that the Personal or CA Server certificates

might not be tied across the CA chains. might be expired. might be corrupted.

try to reimport the personal certificate reimport all CA referenced in the personal certificate

HOWTO Tools,Options,Encryption,View Certificates Your Certificates....Import your certificate from PKCS12 file *.p12 Servers, Import, certifiate files *.cer you may need several of these depending on the chain