H3C S3610-28P Operation Manual page 1512

Operation Manual – SSL-HTTPS
H3C S3610&S5510 Series Ethernet Switches
II. Analysis
SSL handshake failure may result from the following causes:
No SSL server certificate exists, or the certificate is not trusted.
The server is expected to authenticate the client, but the SSL client has no
certificate or the certificate is not trusted.
The cipher suites used by the server and the client do not match.
III. Solution
1) You can issue the debugging ssl command and view the debugging information
to locate the problem:
If the SSL server has no certificate, request one for it.
If the server certificate cannot be trusted, install on the SSL client the root
certificate of the CA that issues the local certificate to the SSL server, or let the
server requests a certificate from the CA that the SSL client trusts.
If the SSL server is configured to authenticate the client, but the certificate of the
SSL client does not exist or cannot be trusted, request and install a certificate for
the client.
2) You can use the display ssl server-policy command to view the cipher suite
used by the SSL server policy. If the cipher suite used by the SSL server does not
match that used by the client, use the ciphersuite command to modify the cipher
suite of the SSL server.
1-7
Chapter 1 SSL Configuration