Displaying and maintaining ssl, Troubleshooting ssl, Ssl handshake failure – H3C Technologies H3C SecPath F1000-E User Manual
Page 97: Symptom, Analysis, Solution
7
To do…
Use the command…
Remarks
Enable certificate-based SSL server
authentication
server-verify enable
Optional
Enabled by default
NOTE:
If you enable client authentication on the server, you must request a local certificate for the client.
Displaying and Maintaining SSL
To do…
Use the command…
Remarks
Display SSL server policy
information
display ssl server-policy
{ policy-name | all }
Display SSL client policy
information
display ssl client-policy
{ policy-name | all }
Available in any view
Troubleshooting SSL
SSL Handshake Failure
Symptom
As the SSL server, the device fails to handshake with the SSL client.
Analysis
SSL handshake failure may result from the following causes:
•
The SSL client is configured to authenticate the SSL server, but the SSL server has no certificate or the
certificate is not trusted.
•
The SSL server is configured to authenticate the SSL client, but the SSL client has no certificate or the
certificate is not trusted.
•
The server and the client have no matching cipher suite.
Solution
Step1
You can issue the debugging ssl command and view the debugging information to locate the
problem:
•
If the SSL client is configured to authenticate the SSL server but the SSL server has no certificate,
request one for it.
•
If the server’s certificate cannot be trusted, install on the SSL client the root certificate of the CA that
issues the local certificate to the SSL server, or let the server requests a certificate from the CA that
the SSL client trusts.
•
If the SSL server is configured to authenticate the client, but the SSL client has no certificate or the
certificate cannot be trusted, request and install a certificate for the client.