I'm getting the error mentioned in the title in Firefox when I try to access my website on my machine.
This is the error I get:
An error occurred during a connection to www.st.um.
SSL peer was unable to negotiate an acceptable set of security parameters.
(Error code: ssl_error_handshake_failure_alert)
This is my virtual host configuration:
<VirtualHost *:443>
    ServerAdmin user1@st.um
    ServerName www.st.um
    DocumentRoot /var/www/web
    <Directory /var/www/web>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    SSLEngine on
    SSLCertificateFile /usr/lib/ssl/demoCA/servercert.pem
    SSLCertificateKeyFile /usr/lib/ssl/demoCA/serverkey.pem
    SSLCACertificateFile /usr/lib/ssl/demoCA/stcert.pem
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    SSLVerifyClient require
    SSLVerifyDepth 10
</VirtualHost>
The certificate "servercert.pem" is certified by my CA "stcert.pem", and I can use the certificate "servercert.pem" with the key "serverkey.pem" perfectly to serve with s_server, having my CA imported and trusted in the web browser's list of authorities:
openssl s_server -cert servercert.pem -key serverkey.pem -www
I can also gain access to my website as a client using a PKCS#12 file generated from the certificate "clientcert.pem" with its key "clientkey.pem".
The only thing that I have in /etc/log/apache2/error.log is:
[Sat May 25 02:44:11 2013] [notice] Apache/2.2.22 (Ubuntu)
PHP/5.3.10-1ubuntu3.6 with Suhosin-Patch mod_ssl/2.2.22
OpenSSL/1.0.1 configured -- resuming normal operations
Best Answer
I edited my virtualhost configuration and deleted:
And now it is working for server-side authentication. The "SSLVerifyClient require" directive overrides the lines:
And that was the problem. The "SSLVerifyClient require" directive is for client-side authentication, and it makes OpenSSL always require a certificate from the client.
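As an added example (not part of the question or the accepted answer, and not Apache's own tooling), the check below parses a mod_ssl VirtualHost block and reports the condition the answer describes: "SSLVerifyClient require" means every browser must present a client certificate chaining to SSLCACertificateFile, and a browser that has none gets the handshake_failure alert seen in the question. The sample config is constructed from the question's VirtualHost; the function names are my own.

```python
"""
Minimal lint for the mod_ssl client-authentication directives discussed above.
Added example: parses a VirtualHost block from text and reports why a browser
without a client certificate would fail the TLS handshake.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the question's VirtualHost, trimmed to the TLS directives.
SAMPLE_VHOST = """\
<VirtualHost *:443>
    ServerName www.st.um
    DocumentRoot /var/www/web
    SSLEngine on
    SSLCertificateFile /usr/lib/ssl/demoCA/servercert.pem
    SSLCertificateKeyFile /usr/lib/ssl/demoCA/serverkey.pem
    SSLCACertificateFile /usr/lib/ssl/demoCA/stcert.pem
    BrowserMatch "MSIE [2-6]" \\
        nokeepalive ssl-unclean-shutdown \\
        downgrade-1.0 force-response-1.0
    SSLVerifyClient require
    SSLVerifyDepth 10
</VirtualHost>
"""

_DIRECTIVE = re.compile(r"^(\w+)\s+(.*?)\s*$")


def _join_continuations(text: str) -> List[str]:
    """Join lines that Apache continues with a trailing backslash."""
    lines: List[str] = []
    buf = ""
    for raw in text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1].strip() + " "
            continue
        lines.append(buf + stripped.strip())
        buf = ""
    if buf:
        lines.append(buf.strip())
    return lines


def parse_directives(text: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs for plain directives.

    Comments, blank lines and <Section> tags are skipped. Apache directive
    names are case-insensitive, so names are lower-cased for lookup.
    """
    out: List[Tuple[str, str]] = []
    for line in _join_continuations(text):
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        m = _DIRECTIVE.match(line)
        if m:
            out.append((m.group(1).lower(), m.group(2)))
    return out


def lint_client_auth(text: str) -> List[str]:
    """Report client-authentication settings that make a browser with no
    client certificate fail the handshake, plus obviously incomplete TLS setup."""
    values: Dict[str, List[str]] = {}
    for name, val in parse_directives(text):
        values.setdefault(name, []).append(val)

    findings: List[str] = []
    verify = [v.lower() for v in values.get("sslverifyclient", [])]
    if "require" in verify:
        findings.append(
            "SSLVerifyClient require: every client must present a certificate "
            "issued by a CA in SSLCACertificateFile; a browser without one gets "
            "ssl_error_handshake_failure_alert. Use 'optional' or remove the "
            "directive unless client certificates are intended for all users."
        )
        if not ({"sslcacertificatefile", "sslcacertificatepath"} & values.keys()):
            findings.append(
                "SSLVerifyClient is set but no SSLCACertificateFile/Path is "
                "configured, so no client certificate could ever validate."
            )
    if values.get("sslengine", ["off"])[-1].lower() == "on":
        for needed in ("sslcertificatefile", "sslcertificatekeyfile"):
            if needed not in values:
                findings.append(f"SSLEngine on but {needed} is missing.")
    return findings


if __name__ == "__main__":
    for finding in lint_client_auth(SAMPLE_VHOST):
        print("-", finding)
```

Running it on the sample prints the single "SSLVerifyClient require" finding; changing that line to "SSLVerifyClient none" (or deleting it, as the answer did) yields no findings. The continuation-line handling exists so the multi-line BrowserMatch directive from the question is not misread as separate directives.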