1956
C
104: SSL C
HAPTER
Troubleshooting SSL
SSL Handshake Failure
ONFIGURATION
Symptom
As the SSL server, the device fails to handshake with the SSL client.
Analysis
SSL handshake failure may result from the following causes:
No SSL server certificate exists, or the certificate is not trusted.
■
The server is expected to authenticate the client, but the SSL client has no
■
certificate or the certificate is not trusted.
The cipher suites used by the server and the client do not match.
■
Solution
1 You can issue the debugging ssl command and view the debugging information
to locate the problem:
If the SSL server has no certificate, request one for it.
■
If the server certificate cannot be trusted, install on the SSL client the root
■
certificate of the CA that issues the local certificate to the SSL server, or let the
server requests a certificate from the CA that the SSL client trusts.
If the SSL server is configured to authenticate the client, but the certificate of
■
the SSL client does not exist or cannot be trusted, request and install a
certificate for the client.
2 You can use the display ssl server-policy command to view the cipher suite used
by the SSL server policy. If the cipher suite used by the SSL server does not match
that used by the client, use the ciphersuite command to modify the cipher suite
of the SSL server.