HP VPN Firewall Appliances Network Management Configuration Guide
949
Troubleshooting SSL
SSL handshake failure
Symptom
As the SSL server, the device fails to handshake with the SSL client.
Analysis
SSL handshake failure may result from the following causes:
• The SSL client is configured to authenticate the SSL server, but the SSL server has no certificate or the
certificate is not trusted.
• The SSL server is configured to authenticate the SSL client, but the SSL client has no certificate or the
certificate is not trusted.
• The server and the client have no matching cipher suite.
Solution
1. Issue the debugging ssl command and view the debugging information to locate the problem:
{ If the SSL client is configured to authenticate the SSL server but the SSL server has no certificate,
request one for it.
{ If the server’s certificate cannot be trusted, install the root certificate of the CA that issued the
local certificate to the SSL server on the SSL client, or let the server request a certificate from the
CA that the SSL client trusts.
{ If the SSL server is configured to authenticate the client, but the SSL client has no certificate or the
certificate cannot be trusted, request and install a certificate for the client.
2. Use the display ssl server-policy command to view the cipher suites that the SSL server policy
supports. If the server and the client have no matching cipher suite, use the ciphersuite command
to modify the cipher suite configuration of the SSL server.