
Support Forum

SSL peer was unable to negotiate an acceptable set of security parameters. (Error code: ssl_error_handshake_failure_alert) How can this be fixed?


I received this error message when trying to access a site with whom I have a contract:

Secure Connection Failed

An error occurred during a connection to eoffer.gsa.gov.

SSL peer was unable to negotiate an acceptable set of security parameters.

(Error code: ssl_error_handshake_failure_alert)


   *   The page you are trying to view can not be shown because the authenticity of the received data could not be verified.
   *   Please contact the web site owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

Chosen solution

This can only truly be fixed by the people running the site. They have badly configured web servers. Ask them to test in all modern browsers before deploying in future.


Additional system details

Installed plug-ins

  • -Default Plug-in
  • GEPlugin
  • Windows Presentation Foundation (WPF) plug-in for Mozilla browsers
  • Google Updater plugin http://pack.google.com/
  • Next Generation Java Plug-in 1.6.0_20 for Mozilla browsers
  • NPRuntime Script Plug-in Library for Java(TM) Deploy

Application

  • User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.4) Gecko/20100611 Firefox/3.6.4 (.NET CLR 3.5.30729)

More information

Norton 3.7.2

djkirsun 0 solutions 1 answers

You need PKCS #12 Pvt Key to access this site. Check below......

Generating a PKCS#12 Private Key and Public Certificate

This article discusses how to generate a PKCS#12 private key and public certificate file that is suitable for use with HTTPS, FTPS, and the administrative port for Secure FTP Server-FIPS. (To convert an incompatible PKCS#12 format file, refer to Converting an Incompatible PKCS#12 Format File to a Compatible PKCS#12.)

General Information

   * When operating in a FIPS-approved mode, PKI key/certificates must be between 1024-bits and 4096-bits, inclusive.
   * The supported cipher combinations allowed for SSL negotiation are limited to:
         o SSLv3/TLSv1 - RSA Key Exchange, RSA Authentication, 256 bit AES encryption, and SHA1 HMAC
         o SSLv3/TLSv1 - RSA Key Exchange, RSA Authentication, 168 bit 3DES encryption, and SHA1 HMAC
         o SSLv3/TLSv1 - RSA Key Exchange, RSA Authentication, 128 bit AES encryption, and SHA1 HMAC
     Each of the above combinations uses RSA key exchange; therefore, RSA based key/certificates must be used.
   * In FIPS Mode, the PKCS#12 format must use compatible encryption and hashing algorithms when encrypting the file. The necessary strong encryption will use 3DES and SHA1 encryption.

Procedure

These instructions assume you have downloaded and installed the Windows binary distribution of OpenSSL. Refer to Using OpenSSL for the general instructions.

  1. Generate an RSA private key:
     >C:\Openssl\bin\openssl.exe genrsa -out <Key Filename> <Key Size>
     Where:
         * <Key Filename> is the desired filename for the private key file
         * <Key Size> is the desired key length of either 1024, 2048, or 4096
     For example, type:
     >C:\Openssl\bin\openssl.exe genrsa -out my_key.key 2048
  2. Generate a Certificate Signing Request:
     In version 0.9.8g:
     >C:\Openssl\bin\openssl.exe req -new -key <Key Filename> -out <Request Filename> -config C:\Openssl\bin\openssl.cnf
     -OR-
     In version 0.9.8h and later:
     >C:\Openssl\bin\openssl.exe req -new -key <Key Filename> -out <Request Filename> -config C:\Openssl\bin\openssl.cfg
     Where:
         * <Key Filename> is the input filename of the previously generated private key
         * <Request Filename> is the output filename of the certificate signing request
     For example, type:
     >C:\Openssl\bin\openssl.exe req -new -key my_key.key -out my_request.csr -config C:\Openssl\bin\openssl.cnf
  3. Follow the on-screen prompts for the required certificate request information.
  4. Generate a self-signed public certificate based on the request:
     >C:\Openssl\bin\openssl.exe x509 -req -days 3650 -in <Request Filename> -signkey <Key Filename> -out <Certificate Filename>
     Where:
         * <Request Filename> is the input filename of the certificate signing request
         * <Key Filename> is the input filename of the previously generated private key
         * <Certificate Filename> is the output filename of the public certificate
     For example, type:
     >C:\Openssl\bin\openssl.exe x509 -req -days 3650 -in my_request.csr -signkey my_key.key -out my_cert.crt
  5. Generate a PKCS#12 file:
     >C:\Openssl\bin\openssl.exe pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in <Public Certificate Filename> -inkey <Private Key Filename> -out <PKCS#12 Filename> -name "<Display Name>"
     Where:
         * <Public Certificate Filename> is the input filename of the public certificate, in PEM format
         * <Private Key Filename> is the input filename of the private key
         * <PKCS#12 Filename> is the output filename of the pkcs#12 format file
         * <Display Name> is the desired name that will sometimes be displayed in user interfaces.
     For example, type:
     >C:\Openssl\bin\openssl.exe pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in my_cert.crt -inkey my_key.key -out my_pkcs12.pfx -name "my-name"
  6. (Optional) Delete unneeded files. At this point, you only need the PKCS#12 format file, so you can delete the certificate signing request (.csr) file, the private key (.key) file, and the public certificate (.crt) file.

The resulting PKCS#12 format file may now be used within Secure FTP Server - FIPS.
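
The negotiation rule behind the cipher list in the post above, as an added example that is not part of the original post or of the article it quotes: a server restricted to those three suites answers a client that offers none of them with a fatal handshake_failure alert, which is the alert Firefox reports as ssl_error_handshake_failure_alert. The suite code points are the IANA values; the two client offers are constructed, and picking by client preference order is an assumption.

```python
import struct

# The three suites listed in the post above, keyed by IANA code point.
SERVER_SUITES = {
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}
ALERT, FATAL, HANDSHAKE_FAILURE = 21, 2, 40
ALERT_NAMES = {0: "close_notify", 40: "handshake_failure",
               42: "bad_certificate", 70: "protocol_version"}

def server_select(client_suites, version=(3, 1)):
    """Server side: return ("suite", name) for the first client-offered
    suite the server supports, else ("alert", record_bytes)."""
    for code in client_suites:
        if code in SERVER_SUITES:
            return "suite", SERVER_SUITES[code]
    # RFC 5246 7.4.1.3: no acceptable choice -> fatal handshake_failure.
    body = bytes([FATAL, HANDSHAKE_FAILURE])
    return "alert", struct.pack("!BBBH", ALERT, *version, len(body)) + body

def decode_alert(record):
    """Client side: parse one plaintext TLS alert record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + length]
    if ctype != ALERT or length != 2 or len(body) != 2:
        raise ValueError("not a plaintext alert record")
    level, desc = body
    return {"version": (major, minor),
            "level": "fatal" if level == FATAL else "warning",
            "description": ALERT_NAMES.get(desc, "alert_%d" % desc)}

def explain(client_suites):
    """Run one offer through the server and describe what the client sees."""
    kind, value = server_select(client_suites)
    if kind == "suite":
        return "negotiated " + value
    alert = decode_alert(value)
    return "%s alert: %s" % (alert["level"], alert["description"])

# Constructed client offers (not captured from any real browser or site).
OLD_CLIENT = [0x0039, 0x0035, 0x0005]  # DHE-RSA-AES256-SHA, AES256-SHA, RC4-SHA
NEW_CLIENT = [0xC02B, 0xC02F]          # ECDHE with AES-GCM only

if __name__ == "__main__":
    print(explain(OLD_CLIENT))
    print(explain(NEW_CLIENT))
```

The alert record carries only a level and a description, so the client sees the same two bytes when the server rejects the handshake for another unmet requirement, such as a missing client certificate.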

HMIStrainer 0 solutions 1 answers

Firefox needs PKI Certificates to be imported via Firefox. If you have a copy of your .p12 certificate file here's how you get Firefox (ver 3.6.12) on board. Tools>Options>Advanced>Encryption and click the View Certificates button. On the Your Certificates Tab, click Import... which then asks for the location of your certificate. Once you have located the file, Open it and provide the password when prompted. Other browsers will accept a certificate that has been installed via Windows, but that doesn't seem to be the case with Firefox. Firefox doesn't recognize such a certificate until you go through its import process.

Geomowat 0 solutions 1 answers

Helpful reply

Never encountered this problem until today when I updated Firefox from 3.5 to v. 4 and none of these higher security sites will work any longer.

As far as considering this to be a problem of the owner of the site, the main one I use suggests Firefox as the preferred browser for activating the certificates and surely all of these higher security sites cannot all have the same problem at the same time after I updated Firefox (Mac OSX, by the way).
