If you find that some browsers can talk to your new Apache/OpenSSL install
while others draw a total blank (it looks like a connection refused
or server not found), and you are getting this error:
…
then heed the warning. You are likely using the DSA server
certificate that comes with some fresh installs. Check your cert
directories:
ls -l /etc/httpd/conf/ssl.key
Do you see that your server.crt (or whatever your httpd.conf defines as
your cert) and your server.key (or whatever is your key) are symbolic
links to the default “snakeoil” certs?
server.key -> snakeoil-dsa.key
OK, then you might have better luck using the RSA versions, which play nice with more browsers:
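mv server.crt server.crt.orig      # in the directory that holds server.crt
ln -s snakeoil-rsa.crt server.crt
mv server.key server.key.orig      # in the directory that holds server.key
ln -s snakeoil-rsa.key server.key  # the key must match the RSA cert
apachectl stop && apachectl start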
(Remember that with Apache, whenever you change SSL settings, you need to do a full stop and start afterwards; a HUP won't cut it.)
As per all recommendations, do away with the snakeoil stuff ASAP and certainly before putting anything up on a public network.
CAVEAT: Do not use this advice for production. This advice should
only be used for your own dev or testing, in order to get a fresh
install at least nominally working. If you want real SSL and
can't figure it out, pay someone, because your security is worth it.
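
A quick way to check for leftover snakeoil links before a server goes on a public network, as an added example that is not part of the original post. The function names are hypothetical, and it only inspects file and symlink names, so a copied or renamed snakeoil file is not detected.

```shell
#!/bin/sh
# Added example: flag server.crt / server.key files that still resolve to
# the default "snakeoil" material. File names follow the ones on this page;
# the function names are assumptions made for this example.

# classify_target PATH: print snakeoil-dsa, snakeoil-rsa, snakeoil or custom,
# based only on the file name of the link target.
classify_target() {
    case "$(basename "$1")" in
        snakeoil-dsa*) echo "snakeoil-dsa" ;;
        snakeoil-rsa*) echo "snakeoil-rsa" ;;
        snakeoil*)     echo "snakeoil" ;;
        *)             echo "custom" ;;
    esac
}

# audit_ssl_dir DIR: print one line per server.crt / server.key found in DIR.
# Returns 1 if any of them points at snakeoil material, 0 otherwise.
audit_ssl_dir() {
    dir=$1
    status=0
    for f in "$dir/server.crt" "$dir/server.key"; do
        # Skip names that do not exist (but keep dangling symlinks).
        if [ ! -e "$f" ] && [ ! -L "$f" ]; then
            continue
        fi
        if [ -L "$f" ]; then
            target=$(readlink "$f")   # where the symlink points
        else
            target=$f                 # regular file: judge by its own name
        fi
        kind=$(classify_target "$target")
        echo "$(basename "$f") -> $(basename "$target") [$kind]"
        if [ "$kind" != "custom" ]; then
            status=1
        fi
    done
    return $status
}

# Stand-alone use: pass the directory to inspect as the first argument.
if [ "$#" -gt 0 ]; then
    audit_ssl_dir "$1" || echo "snakeoil material still in use in $1"
fi
```

Run it once per directory, for example against the key directory listed above and against wherever your httpd.conf says the certificate lives.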