RTC Forums
Author Topic: https server not responding  (Read 17505 times)
Bryn Lewis
RTC Expired
*
Posts: 17


« Reply #30 on: September 18, 2017, 02:59:31 AM »

Quote
You will get handshake failures if the server certificate PFX hasn't been properly loaded server side. For instance, if it contains a 1024 bit RSA key and the LeastKeyBitSize property is set to 2048, it won't load properly.
What would cause it to be improperly loaded server side? (it seems to be ok for d7). How would I check if it contains a 1024 bit RSA key and the LeastKeyBitSize property was set to 2048? In other words, how do I investigate the certificate or load process further?

The pfx was created using openssl - I was just following instructions found.

thanks, Bryn
Logged
Henrick (StreamSec)
RTC Partner
*****
Posts: 32


« Reply #31 on: September 18, 2017, 04:56:52 PM »

Quote
You will get handshake failures if the server certificate PFX hasn't been properly loaded server side. For instance, if it contains a 1024 bit RSA key and the LeastKeyBitSize property is set to 2048, it won't load properly.
What would cause it to be improperly loaded server side? (it seems to be ok for d7). How would I check if it contains a 1024 bit RSA key and the LeastKeyBitSize property was set to 2048? In other words, how do I investigate the certificate or load process further?

The pfx was created using openssl - I was just following instructions found.

You could use the "Demo for generating certificates for SSL/TLS" that is a registered user download for ST 2.3.

The problem with some versions of the OpenSSL utilities is that they deliberately generate self-signed certificates that break the PKIX chaining standards, so that the certificates won't be mistakenly used as root CA certificates. ST 4.0 is a lot more picky with those details and will spit them out.

If you want to check what certificate is inside a PFX file, simply open it in Windows Explorer, follow the instructions to import it into Windows, and then use the Internet Options utility to bring up the Windows certificate manager. It will show up as one of your personal certificates.
Logged
Bryn Lewis
RTC Expired
*
Posts: 17


« Reply #32 on: October 02, 2017, 10:38:47 AM »

@Henrick - thanks but I am still trying to get the configuration right -

I used openssl to create the pfx, not to create the certificate.

1. use openSSL to create a csr and key
2. obtained crt from rapidSSL (with csr from 1)
3. used openssl to create the pfx.

Code:
    if pkaRSA in smSimpleTLSInternalServer1.PublicKeyAlgorithms then
    begin
      smSimpleTLSInternalServer1.Options.SignatureRSA := prPrefer;
      smSimpleTLSInternalServer1.Options.KeyAgreementRSA := prAllowed;
      smSimpleTLSInternalServer1.Options.KeyAgreementDHE := prPrefer;
      smSimpleTLSInternalServer1.TLSSetupServer;
    end;

The above works when I use the sample pfx supplied with the streamsec code, using streamsec 2.3 and 4.

When I use the pfx created via steps 1-3 it works in streamsec 2.3, but not streamsec 4. I get the following error:
'handshake_failure: Reception of a handshake_failure alert message indicates that the sender was unable to negotiate an acceptable set of security parameters given the options available. This is a fatal error.
Extended information: Unable to find a server certificate appropriate for the selected cipher suite.'

Any guidance on where to look for further configuration options to adjust?

When I compare the sample pfx and my pfx, I don't see any significant differences (not that I would necessarily know what was significant).

thanks, Bryn
Logged
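Added example, not code from this thread, from StreamSec or from RapidSSL: the openssl side of the three steps above (step 1, key and CSR; step 3, packing the PFX; step 2, the CA, is stood in for by self-signing the CSR with constructed test data so it runs offline), plus checks for the two things Henrick's earlier reply points at: the RSA key size inside the PFX measured against a LeastKeyBitSize-style minimum, and the subject, issuer and CA flag of the certificate that pairs with the key. All function names are my own; it assumes the openssl CLI (1.1.1 or 3.x) is on PATH.

```shell
#!/bin/sh
# Added example (not from the thread, StreamSec or RapidSSL). Assumes the
# openssl CLI on PATH. Passwords are taken as arguments for brevity; prefer
# -passin file:/env: in real use.

# Step 1: private key and CSR.  Args: KEY CSR BITS CN
make_key_and_csr() {
  openssl req -new -newkey "rsa:$3" -nodes -keyout "$1" -out "$2" \
    -subj "/CN=$4" >/dev/null 2>&1
}

# Step 3: bundle the CA-issued certificate (optionally with its chain) and
# the key into a PFX.  Args: KEY CERT PFX PASSWORD [CHAIN]
make_pfx() {
  if [ -n "$5" ]; then
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$5" -out "$3" -passout "pass:$4"
  else
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"
  fi
}

# pfx_key_bits PFX PASSWORD: print the private key's size in bits.
# (The sed pattern matches "Private-Key: (2048 bit..." in both 1.1.1 and 3.x.)
pfx_key_bits() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
    openssl pkey -noout -text 2>/dev/null |
    sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*$/\1/p'
}

# pfx_cert_summary PFX PASSWORD: subject, issuer and CA flag of the certificate
# that pairs with the key, so a self-signed or CA-flagged leaf stands out.
pfx_cert_summary() {
  pem=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 2>/dev/null)
  printf '%s\n' "$pem" | openssl x509 -noout -subject -issuer
  if printf '%s\n' "$pem" | openssl x509 -noout -text | grep -q 'CA:TRUE'; then
    echo 'basicConstraints: CA:TRUE'
  else
    echo 'basicConstraints: not a CA'
  fi
}

# pfx_meets_least_key_bits PFX PASSWORD MINBITS: exit 0 if the key has at
# least MINBITS (a LeastKeyBitSize-style policy), exit 1 otherwise.
pfx_meets_least_key_bits() {
  bits=$(pfx_key_bits "$1" "$2")
  [ -n "$bits" ] && [ "$bits" -ge "$3" ]
}

# Demo on constructed data: build a 1024-bit and a 2048-bit PFX, self-signing
# each CSR in place of the CA, then evaluate both against a 2048-bit minimum.
demo() {
  d=$(mktemp -d)
  for bits in 1024 2048; do
    make_key_and_csr "$d/key$bits.pem" "$d/req$bits.csr" "$bits" example.test
    openssl x509 -req -in "$d/req$bits.csr" -signkey "$d/key$bits.pem" \
      -days 1 -out "$d/cert$bits.pem" >/dev/null 2>&1
    make_pfx "$d/key$bits.pem" "$d/cert$bits.pem" "$d/srv$bits.pfx" secret
    echo "== $bits-bit request: $(pfx_key_bits "$d/srv$bits.pfx" secret) bit key found in PFX"
    pfx_cert_summary "$d/srv$bits.pfx" secret
    if pfx_meets_least_key_bits "$d/srv$bits.pfx" secret 2048; then
      echo 'accepted with LeastKeyBitSize=2048'
    else
      echo 'would be rejected with LeastKeyBitSize=2048'
    fi
  done
  rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then
  demo
fi
```

Run the script with --demo to see the 1024-bit PFX rejected and the 2048-bit one accepted; on a real PFX, call pfx_key_bits and pfx_cert_summary directly. Under OpenSSL 3 a PFX written by an old OpenSSL (RC2-based encryption) needs -legacy on the pkcs12 reads.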
Henrick (StreamSec)
RTC Partner
*****
Posts: 32


« Reply #33 on: October 03, 2017, 06:23:57 AM »

@Henrick - thanks but I am still trying to get the configuration right -

I used openssl to create the pfx, not to create the certificate.

1. use openSSL to create a csr and key
2. obtained crt from rapidSSL (with csr from 1)
3. used openssl to create the pfx.

Code:
    if pkaRSA in smSimpleTLSInternalServer1.PublicKeyAlgorithms then
    begin
      smSimpleTLSInternalServer1.Options.SignatureRSA := prPrefer;
      smSimpleTLSInternalServer1.Options.KeyAgreementRSA := prAllowed;
      smSimpleTLSInternalServer1.Options.KeyAgreementDHE := prPrefer;
      smSimpleTLSInternalServer1.TLSSetupServer;
    end;

The above works when I use the sample pfx supplied with the streamsec code, using streamsec 2.3 and 4.

When I use the pfx created via steps 1-3 it works in streamsec 2.3, but not streamsec 4. I get the following error:
'handshake_failure: Reception of a handshake_failure alert message indicates that the sender was unable to negotiate an acceptable set of security parameters given the options available. This is a fatal error.
Extended information: Unable to find a server certificate appropriate for the selected cipher suite.'

Any guidance on where to look for further configuration options to adjust?

When I compare the sample pfx and my pfx, I don't see any significant differences (not that I would necessarily know what was significant).

This sounds similar to an issue that was fixed in a recent version of ST 4.0. If you get it with the latest release and are creating a 2048 bit RSA key (or greater), I don't know what is causing it and would need a reproducible case.
Logged