SSL error no cypher overlap

[Ken g6]

I keep getting this error in Firefox. On every forum page. Then it goes away for awhile.

 

[Titillating]

Get me a screenshot of this please? And as many details as you can provide. I haven't run into this on Chrome, but I'll alert the tech teams to it.

 

[Ken g6]

Get me a screenshot of this please? And as many details as you can provide. I haven't run into this on Chrome, but I'll alert the tech teams to it.

 

[bononos]

Its the same problem I'm still having from this earlier thread:
https://forums.anandtech.com/threads/getting-ssl-https-error.2482503/
It happens on and off, early in the day or late, and I doubt the problem is on my end.

Ken, try using VPN extension or tor, that works for me.

 

[TheRyuu]

I keep getting this error in Firefox. On every forum page. Then it goes away for awhile.

What does your cipher list look like: https://www.ssllabs.com/ssltest/viewMyClient.html

 

[Ken g6]

What does your cipher list look like: https://www.ssllabs.com/ssltest/viewMyClient.html

The same thing happens on wget, and Firefox and Chrome on Android. The common denominator seems to be my Internet connection. It doesn't happen often, either - today, for instance, there's no problem.

 

[TheRyuu]

The same thing happens on wget, and Firefox and Chrome on Android. The common denominator seems to be my Internet connection. It doesn't happen often, either - today, for instance, there's no problem.

I can't seem to see that image, are forum permissions not set up to allow me to? Are your connections getting MITM'ed or something? That's the only thing I can think of that would correlate with it always happening on the same connection.

 

[Ken g6]

Are your connections getting MITM'ed or something? That's the only thing I can think of that would correlate with it always happening on the same connection.

I don't know. How could I?

The only error I can consistently get is with:

$ openssl s_client -showcerts -connect forums.anandtech.com:443
CONNECTED(00000003)
140106797090456:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
  Protocol  : TLSv1.2
  Cipher  : 0000
  Session-ID:
  Session-ID-ctx:
  Master-Key:
  Key-Arg  : None
  PSK identity: None
  PSK identity hint: None
  SRP username: None
  Start Time: 1471530003
  Timeout  : 300 (sec)
  Verify return code: 0 (ok)
---

If I try www.google.com:443 I get much better results.

 

[bononos]

What does your cipher list look like: https://www.ssllabs.com/ssltest/viewMyClient.html

I doubt the problem is the cipher list. I'm not running browsers from the 90s.

 

[bononos]

I don't know. How could I?
The only error I can consistently get is with:
.......
If I try www.google.com:443 I get much better results.

Check the certificate fingerprints and see if they match to detect MITM attack. Some well known ones are at grc. Some banks publish theirs.
https://www.grc.com/fingerprints.htm

 

[Ken g6]

Check the certificate fingerprints and see if they match to detect MITM attack. Some well known ones are at grc. Some banks publish theirs.
https://www.grc.com/fingerprints.htm

Hm, good to know. Thanks!

It turns out Firefox shows a green lock on many pages, indicating a secure and verified connection. Not on this page, since there's an HTTP image on it. But I see it on other forum pages.

 

[Ken g6]

This has been bad today. Still mystifying. I tried this solution, but it didn't help:

http://www.ryananddebi.com/2014/12/10/bypassing-the-ssl_error_no_cypher_overlap-error-in-firefox-34/

 

[TheRyuu]

This has been bad today. Still mystifying. I tried this solution, but it didn't help:

http://www.ryananddebi.com/2014/12/10/bypassing-the-ssl_error_no_cypher_overlap-error-in-firefox-34/

Make sure you reset that after testing.

Taking a shot in the dark here, what happens if you disable the chacha20 ciphers (you can do it in about:config by searching for ssl and finding the chacha20 ciphers)?

 

[Ken g6]

Taking a shot in the dark here, what happens if you disable the chacha20 ciphers (you can do it in about:config by searching for ssl and finding the chacha20 ciphers)?

Tried it. Didn't help. And, yes, I reset my TLS settings.

 

[Ken g6]

Interesting. I get the cypher error when I try to go directly to the site by IP: https://68.177.32.96/

Edit: And when I go to http://68.177.32.96, I get a different error.

So now I'm guessing the cypher error might be masking some other error.

 

[TheRyuu]

Interesting. I get the cypher error when I try to go directly to the site by IP: https://68.177.32.96/

Edit: And when I go to http://68.177.32.96, I get a different error.

So now I'm guessing the cypher error might be masking some other error.

I too get the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error when navigating directly to the IP.

 

[Titillating]

FWIW, that's not the site IP, and you would not be able to hit the site by IP anyway.

Still investigating the matter.

 

[Ken g6]

Well I tried something else today. I turned off all the SSL minimums, and restarted the browser. And I got a different error code: SSL error inappropriate fallback alert. But I still get the old error sometimes too.

 

[John Connor]

FWIW, that's not the site IP, and you would not be able to hit the site by IP anyway.

Still investigating the matter.

QFT. It goes to CenturyLink. The real IP doesn't resolve the website. I tried. LOL

 

[John Connor]

Well I tried something else today. I turned off all the SSL minimums, and restarted the browser. And I got a different error code: SSL error inappropriate fallback alert. But I still get the old error sometimes too.

What browser are you using? I don't see you list that.

 

[Ken g6]

What browser are you using? I don't see you list that.

Firefox. And Chrome. And wget and curl and openssl. The latest thing I found is that forcing TLS on openssl returns an error code 40.

 

[John Connor]

Just tried Chrome. No SSL error. Are you using Linux? Maybe there's something in the OS that's doing it.

 

[Ken g6]

Yes, I am using Linux. So are lots of other people on Android. (My Android phone has the problem too, on Firefox and Chrome.)

Well, I installed FoxyProxy and Tor on my desktop, and it's working for now. But sometimes I get a 403 Forbidden error. The risks of using a proxy.

 

[nakedfrog]

Yes, I am using Linux. So are lots of other people on Android. (My Android phone has the problem too, on Firefox and Chrome.)

Well, I installed FoxyProxy and Tor on my desktop, and it's working for now. But sometimes I get a 403 Forbidden error. The risks of using a proxy.

I've been getting intermittent SSL issues as well, on Win7/Firefox. A few refreshes, and then it loads. I can try to get a better look at what the specific problem is next time it happens.

 

[Pantoot]

With chrome on win10, I am intermittently getting:

This site can’t provide a secure connection
forums.anandtech.com uses an unsupported protocol.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Unsupported protocol

The client and server don't support a common SSL protocol version or cipher suite.

----

Happy to troubleshoot if there is anything I can provide.