H3C S5120-SI Series Configuration Manual page 477

Solution
1) You can issue the debugging ssl command and view the debugging information to locate the
problem:
If the SSL client is configured to authenticate the SSL server but the SSL server has no certificate,
request one for it.
If the server's certificate cannot be trusted, install on the SSL client the root certificate of the CA
that issues the local certificate to the SSL server, or let the server requests a certificate from the CA
that the SSL client trusts.
If the SSL server is configured to authenticate the client, but the SSL client has no certificate or the
certificate cannot be trusted, request and install a certificate for the client.
2) You can use the display ssl server-policy command to view the cipher suites that the SSL server
policy supports. If the server and the client have no matching cipher suite, use the ciphersuite
command to modify the cipher suite configuration of the SSL server.
1-8