Getting "no shared ciphers" while connecting to the server
on 31.05.2005 09:44:31 by Alaka Pathy
Hi All,

I'm using Apache 1.3.31 with mod_ssl 2.8.17 and
OpenSSL 0.9.7d binaries. I use RSA based self signed
certificates for SSL communication.
My httpd.conf has the following SSLCipherSuite
configured

SSLSessionCacheTimeout 600
SSLOptions +StdEnvVars +ExportCertData
SSLCipherSuite ALL:!ADH:!EXPORT56:!EXPORT40:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

But, in a freshly installed server, the server doesn't
accept any requests and I get the following errors
repeatedly in the Apache error log

mod_ssl: SSL handshake failed (server
198.149.32.40:443, client 198.149.32.32) (OpenSSL
library error follows)
[Mon May 23 13:37:43 2005] [error] OpenSSL:
error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no
shared cipher
[Hint: Too restrictive SSLCipherSuite or using DSA
server certificate?]

I browsed the modssl FAQ and got that sometimes
regenerating certificates helps. I regenerated the
server certificates, but I'm still facing the same
issue.

Has anybody experienced such an error? Any help is
appreciated.

Thanks in advance,
-Alaka
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
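Added example, not part of the thread: a small Python parser for the two-line mod_ssl error pattern quoted above. It pairs each "SSL handshake failed" line with the OpenSSL detail line that follows it and counts "no shared cipher" ClientHello failures per client, which is the first thing to check when triaging this error on a server: the same failure from several distinct clients points at the server side (cipher string versus certificate key type), exactly as the mod_ssl hint says. The log lines are constructed for the example (addresses from the post; timestamps, the second client and the last error are made up).

```python
import re
from collections import defaultdict

# Constructed sample in the two-line mod_ssl 2.8 format quoted in the post
# (addresses from the post; other values made up for this example).
SAMPLE_LOG = """\
[Mon May 23 13:37:43 2005] [error] mod_ssl: SSL handshake failed (server 198.149.32.40:443, client 198.149.32.32) (OpenSSL library error follows)
[Mon May 23 13:37:43 2005] [error] OpenSSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher [Hint: Too restrictive SSLCipherSuite or using DSA server certificate?]
[Mon May 23 13:37:51 2005] [error] mod_ssl: SSL handshake failed (server 198.149.32.40:443, client 198.149.32.55) (OpenSSL library error follows)
[Mon May 23 13:37:51 2005] [error] OpenSSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher [Hint: Too restrictive SSLCipherSuite or using DSA server certificate?]
[Mon May 23 13:38:02 2005] [error] mod_ssl: SSL handshake failed (server 198.149.32.40:443, client 198.149.32.32) (OpenSSL library error follows)
[Mon May 23 13:38:02 2005] [error] OpenSSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
"""

HANDSHAKE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] mod_ssl: SSL handshake failed "
    r"\(server (?P<server>[^,]+), client (?P<client>[^)]+)\)"
)
OPENSSL_RE = re.compile(
    r"^\[[^\]]+\] \[error\] OpenSSL: error:(?P<code>[0-9A-Fa-f]+):"
    r"(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+?)"
    r"(?: \[Hint: (?P<hint>[^\]]+)\])?$"
)


def parse_ssl_failures(log_text):
    """Pair each 'SSL handshake failed' line with the OpenSSL error line
    that follows it; return one dict per failed handshake."""
    records, pending = [], None
    for line in log_text.splitlines():
        m = HANDSHAKE_RE.match(line)
        if m:
            pending = m.groupdict()  # wait for the OpenSSL detail line
            continue
        m = OPENSSL_RE.match(line)
        if m and pending is not None:
            pending.update(m.groupdict())
            records.append(pending)
            pending = None
    return records


def no_shared_cipher_clients(records):
    """Count 'no shared cipher' ClientHello failures per client. Several
    distinct clients failing this way on one server points at the server
    side (cipher string vs. certificate key type), as the mod_ssl hint says."""
    hits = defaultdict(int)
    for r in records:
        if r["reason"] == "no shared cipher":
            hits[r["client"]] += 1
    return dict(hits)
```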
Re: Getting "no shared ciphers" while connecting to the server
on 31.05.2005 10:26:08 by Daniel Kimblad
Here follows a simple full server SSL setup for reference.
----------------------------------------------------------
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex default
SSLCertificateFile conf/ssl/www.yourdomain.com.crt
SSLCertificateKeyFile conf/ssl/www.yourdomain.com.key
SSLCACertificatePath conf/ssl
SSLCACertificateFile conf/ssl/YourCA.crt
SSLCARevocationFile conf/ssl/YourCA.crl
SSLCipherSuite HIGH:MEDIUM
SSLProtocol all -SSLv2
SSLEngine on
SSLVerifyClient require
SSLVerifyDepth 1
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
----------------------------------------------------------
This will allow connections with SSLv3 and TLSv1 from clients
with proper certificates.
To skip client auth just remove these two lines:
----------------------------------------------------------
SSLVerifyClient require
SSLVerifyDepth 1
----------------------------------------------------------
Hope that was helpful.
/Daniel, Gizmondo Studios
Re: Getting "no shared ciphers" while connecting to the server
on 31.05.2005 11:00:44 by Alaka Pathy
Hi Daniel,
I have the SSL setup already as you have mentioned,
except these two lines.
SSLVerifyClient require
SSLVerifyDepth 1
And moreover, this error I'm seeing in only one server.
In all other servers, this works perfectly fine.
Do I need to look for any machine specific things
that could be causing the problem?
As of now, the problem has been seen only in this
configuration:
Windows 2000 Professional with Service Pack 3.
Any ideas?
Thanks,
-Alaka