SSL error no cypher overlap

Ken g6

Programming Moderator, Elite Member
Moderator
Dec 11, 1999
16,610
4,530
75
I keep getting this error in Firefox. On every forum page. :( Then it goes away for a while.
 

Titillating

Assistant Community Manager
Sep 9, 2014
423
70
66
Get me a screenshot of this please? And as many details as you can provide. I haven't run into this on Chrome, but I'll alert the tech teams to it.
 

Ken g6

> Get me a screenshot of this please? And as many details as you can provide. I haven't run into this on Chrome, but I'll alert the tech teams to it.
ssl_no_cypher_overlap.png
 

TheRyuu

Diamond Member
Dec 3, 2005
5,479
14
81
> qualys-ssl-labs-projects-ssl-client-test-png.132
>
> The same thing happens on wget, and Firefox and Chrome on Android. The common denominator seems to be my Internet connection. It doesn't happen often, either - today, for instance, there's no problem. :confused:

I can't seem to see that image, are forum permissions not set up to allow me to? Are your connections getting MITM'ed or something? That's the only thing I can think of that would correlate with it always happening on the same connection.
 

Ken g6

> Are your connections getting MITM'ed or something? That's the only thing I can think of that would correlate with it always happening on the same connection.
I don't know. How could I?

The only error I can consistently get is with:

Code:
$ openssl s_client -showcerts -connect forums.anandtech.com:443
CONNECTED(00000003)
140106797090456:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
  Protocol  : TLSv1.2
  Cipher  : 0000
  Session-ID:
  Session-ID-ctx:
  Master-Key:
  Key-Arg  : None
  PSK identity: None
  PSK identity hint: None
  SRP username: None
  Start Time: 1471530003
  Timeout  : 300 (sec)
  Verify return code: 0 (ok)
---

If I try www.google.com:443 I get much better results.
 

Ken g6

> Check the certificate fingerprints and see if they match to detect MITM attack. Some well known ones are at grc. Some banks publish theirs.
> https://www.grc.com/fingerprints.htm
Hm, good to know. Thanks!

It turns out Firefox shows a green lock on many pages, indicating a secure and verified connection. Not on this page, since there's an HTTP image on it. But I see it on other forum pages.
 

Ken g6

> Taking a shot in the dark here, what happens if you disable the chacha20 ciphers (you can do it in about:config by searching for ssl and finding the chacha20 ciphers)?
Tried it. Didn't help. And, yes, I reset my TLS settings.
 

Ken g6

Interesting. I get the cypher error when I try to go directly to the site by IP: https://68.177.32.96/

Edit: And when I go to http://68.177.32.96, I get a different error.

So now I'm guessing the cypher error might be masking some other error.
 

Titillating

FWIW, that's not the site IP, and you would not be able to hit the site by IP anyway.

Still investigating the matter.
 

Ken g6

Well I tried something else today. I turned off all the SSL minimums, and restarted the browser. And I got a different error code: SSL error inappropriate fallback alert. But I still get the old error sometimes too.
 

John Connor

Lifer
Nov 30, 2012
22,757
618
121
> Well I tried something else today. I turned off all the SSL minimums, and restarted the browser. And I got a different error code: SSL error inappropriate fallback alert. But I still get the old error sometimes too.

What browser are you using? I don't see you list that.
 

Ken g6

> What browser are you using? I don't see you list that.
Firefox. And Chrome. And wget and curl and openssl. The latest thing I found is that forcing TLS on openssl returns an error code 40.
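
Added example (not part of any post in this thread): a small Python decoder for the failure signature seen above, tying together the `read 7 bytes` line in the `openssl s_client` transcript, the "handshake failure" alert, and the "inappropriate fallback" alert. It assumes the "error code 40" mentioned above is the TLS alert number; the function names and the sample alert bytes are constructed for illustration.

```python
import re
import struct

# TLS alert descriptions relevant to this thread (values from the TLS RFCs).
ALERTS = {40: "handshake_failure", 70: "protocol_version",
          71: "insufficient_security", 86: "inappropriate_fallback"}
LEVELS = {1: "warning", 2: "fatal"}


def decode_alert_record(record: bytes) -> dict:
    """Decode one plaintext TLS alert record: 5-byte header + 2-byte alert."""
    if len(record) != 7:
        raise ValueError("a plaintext alert record is exactly 7 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != 21 or length != 2:
        raise ValueError("not an alert record (content type 21, length 2)")
    level, desc = record[5], record[6]
    return {"record_version": (major, minor),
            "level": LEVELS.get(level, f"unknown({level})"),
            "description": ALERTS.get(desc, f"alert({desc})")}


def classify_s_client(output: str) -> str:
    """Say how far the handshake got, from `openssl s_client` text output."""
    read = re.search(r"SSL handshake has read (\d+) bytes", output)
    no_cipher = re.search(r"Cipher is \(NONE\)", output) is not None
    no_cert = "no peer certificate available" in output
    # 7 bytes read with no cipher and no certificate is consistent with the
    # server answering the ClientHello with a single alert and nothing else.
    if read and int(read.group(1)) == 7 and no_cipher and no_cert:
        return "rejected-before-ServerHello"
    if no_cipher or no_cert:
        return "handshake-incomplete"
    return "handshake-completed"


# Constructed sample: a fatal handshake_failure alert record. The record
# version bytes (03 01) are an assumption; they vary by server.
SAMPLE_ALERT = bytes([21, 3, 1, 0, 2, 2, 40])

# Lines copied from the s_client transcript posted earlier in this thread.
SAMPLE_OUTPUT = """no peer certificate available
SSL handshake has read 7 bytes and written 305 bytes
New, (NONE), Cipher is (NONE)
"""

if __name__ == "__main__":
    print(decode_alert_record(SAMPLE_ALERT))
    print(classify_s_client(SAMPLE_OUTPUT))
```

In a transcript classified as `rejected-before-ServerHello`, the `Verify return code: 0 (ok)` line carries no information, because no certificate was ever received to verify.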
 

John Connor

Just tried Chrome. No SSL error. Are you using Linux? Maybe there's something in the OS that's doing it.
 

Ken g6

Yes, I am using Linux. So are lots of other people on Android. (My Android phone has the problem too, on Firefox and Chrome.)

Well, I installed FoxyProxy and Tor on my desktop, and it's working for now. But sometimes I get a 403 Forbidden error. The risks of using a proxy. :rolleyes:
 

nakedfrog

No Lifer
Apr 3, 2001
61,697
17,370
136
> Yes, I am using Linux. So are lots of other people on Android. (My Android phone has the problem too, on Firefox and Chrome.)
>
> Well, I installed FoxyProxy and Tor on my desktop, and it's working for now. But sometimes I get a 403 Forbidden error. The risks of using a proxy. :rolleyes:
I've been getting intermittent SSL issues as well, on Win7/Firefox. A few refreshes, and then it loads. I can try to get a better look at what the specific problem is next time it happens.
 
  • Like
Reactions: Ken g6

Pantoot

Golden Member
Jun 6, 2002
1,764
30
91
With Chrome on Win10, I am intermittently getting:

This site can’t provide a secure connection

forums.anandtech.com uses an unsupported protocol.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Unsupported protocol

The client and server don't support a common SSL protocol version or cipher suite.

----

Happy to troubleshoot if there is anything I can provide.
 
  • Like
Reactions: Ken g6