SSL listeners cannot initiate handshake?

Discussion in 'Install/Configuration' started by dreamscape, Oct 19, 2006.

  1. dreamscape

    dreamscape Active Member


    I have installed the latest version of LiteSpeed on my Mac PowerBook (PPC) running OS X 10.4.8. I'm a PHP developer and using it for local development sites. I've migrated from Apache with no big problems other than it did not properly setup the SSL hosts. No big deal though as there are only a few at the moment.

    I have several virtual hosts setup and have also setup OS X with 24 local IP addresses ( - because I often need to be able to test SSL locally. The certificates are self signed and the keys are unencrypted.

    However, when I setup an SSL listener and restart the server, it does not accept any connections. There is nothing in the log files either about it; no errors, no access. The Status page in the server admin shows the SSL listeners are up and running, but none of them are working on either the IP or the domain assigned to the listener.

    I know the cert & keys are fine because they ran fine in Apache. I generated them based on this guide from Apple:

    All that Safari tells me is that it could not establish a secure connection to the server.

    If I try to connect to the SSL host from curl it gives me a more informative error about a handshake failure:
    PowerBook-G4:~ dreamscape$ curl
    curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
    So far I am very impressed with both the speed and lightweight-ness of LiteSpeed, and this is the only stumbling block I've hit. Does anyone know what might be wrong?
  2. dreamscape

    dreamscape Active Member

    hmm, I thought I tried these settings before and they did not work, but I guess it must have been a dream.

    For anyone else who may be using Apple's guide to generate test certs, the only way I could get them to work is with these settings:

    SSL Protocol, SSL Version: SSL v3.0 + TLS v1.0
    SSL Protocol, Encryption Level: HIGH + MEDIUM + LOW

    You can also throw in SSL v2.0 and eNULL if you want to but the critical thing is that both SSL v3.0 *and* TLS v1.0 are enabled. Otherwise it will not work. Which seems a bit odd because in Apple's guide, the code they give you for Apache's httpd.conf excludes SSLv3 (the "SSLProtocol all -SSLv3" part) and there are no problems. So I'm not sure what the deal is here, but oh well at least I figured out some settings that will work. :)
  3. mistwang

    mistwang LiteSpeed Staff

    Yeah, SSL v3.0 has to be checked. :)

Share This Page