
I am trying to establish a connection to the server using a server-signed certificate, but I keep getting this error even though both the CA and the certificate are OK. Any help is highly appreciated. Thanks.

```
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* NSS error -12227 (SSL_ERROR_HANDSHAKE_FAILURE_ALERT)
* SSL peer was unable to negotiate an acceptable set of security parameters.
* Closing connection 0
curl: (35) NSS: client certificate not found (nickname not specified)
```
Baguma
  • NSS is "Network Security Service" library. Mozilla uses it in lieu of OpenSSL. – jww Sep 09 '17 at 15:56
  • Please post the URL you are using to connect to the server, and post the output of `openssl s_client -connect <hostname>:<port> -tls1 -servername <hostname> | openssl x509 -text -noout`. Also see [How do you sign Certificate Signing Request with your Certification Authority](http://stackoverflow.com/a/21340898/608639) and [How to create a self-signed certificate with openssl?](http://stackoverflow.com/q/10175812/608639) You will also need to place the self-signed certificate in the appropriate trust store. – jww Sep 09 '17 at 15:57
  • Hi, thanks for your response. I will run that command and give you feedback as soon as I get to the office. On the other hand, I verified the _signed certificate and the CA_ with openssl, and all are OK. But the signed certificate is placed in the right store, because when I curl the machine I use, it gives me the certificate details; the problem is connecting to the server of the service provider. On the other hand, the **URL** is accessed via a private network; it's not public, otherwise I would share it. – Baguma Sep 09 '17 at 22:08
  • *"... on the other hand I verified the signed certificate and the CA with openssl..."* - OpenSSL 1.0.2 and lower do ***not*** perform hostname verification. *"... on the other hand the URL is accessed via a private network; it's not public, otherwise I would share it..."* - In that case Stack Overflow probably cannot help you. Perhaps you should talk to your network administrator. – jww Sep 09 '17 at 22:10
  • `openssl s_client -connect 192.168.0.10:443 -tls1 -servername 10.10.0.18:8070 | openssl x509 -text -noout` After running that command, this is the output I got: **140376943970208:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598: unable to load certificate 140445733816224:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE** However, when I send curl to the same IP I see certificate details. – Baguma Sep 11 '17 at 07:06

1 Answer


You have SSLVerifyClient="require" on your server. Maybe that helps someone.

clao
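
The failure this answer points to can be reproduced on localhost. The script below is an added example, not part of the original answer: it uses `openssl s_server -Verify` as a stand-in for a server that requires client certificates, and the port, file names and certificates are all constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example: local reproduction of a server that demands a client certificate.
# The port, file names and certificate subjects are constructed for this demo.
PORT=${PORT:-18443}
WORK=$(mktemp -d)

make_pki() {  # throwaway CA plus one server and one client certificate
  cd "$WORK" || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout ca.key -out ca.pem 2>/dev/null || return 1
  for who in server client; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-$who" \
      -keyout "$who.key" -out "$who.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$who.csr" -CA ca.pem -CAkey ca.key \
      -CAcreateserial -days 1 -out "$who.pem" 2>/dev/null || return 1
  done
}

start_server() {
  # -Verify (capital V) makes the client certificate mandatory.
  # -tls1_2 keeps the rejection inside the handshake, as in the question's log.
  # -www stops s_server from reading stdin, so it can run in the background.
  openssl s_server -accept "$PORT" -cert server.pem -key server.key \
    -CAfile ca.pem -Verify 1 -tls1_2 -www >server.log 2>&1 &
  SERVER_PID=$!
  sleep 1
}

handshake() {  # prints "ok" or "fail"; extra arguments go to s_client
  if echo | openssl s_client -connect "127.0.0.1:$PORT" -CAfile ca.pem \
       "$@" >client.log 2>&1; then echo ok; else echo fail; fi
}

demo() {  # prints "without-cert=<result> with-cert=<result>"
  make_pki && start_server || return 1
  without=$(handshake)
  with=$(handshake -cert client.pem -key client.key)
  kill "$SERVER_PID" 2>/dev/null
  echo "without-cert=$without with-cert=$with"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Save it under any name and run it with the argument `demo`. With curl, the counterpart of the second handshake is supplying the client certificate and key through `--cert` and `--key`.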