Browser Error: SSL Version or Cipher Mismatch


#1

Greetings,

I’ve been trying to troubleshoot this browser error for the last couple of days to no avail. The actual error in Chrome is: ERR_SSL_VERSION_OR_CIPHER_MISMATCH.

The results from here:
https://www.ssllabs.com/ssltest/analyze.html?d=mail.bigmediaprinting.online
show numerous failed handshakes for some browsers.

Running this command:
certbot certificates

Gave this result:
Found the following certs:
  Certificate Name: bigmediaprinting.online
    Domains: www.bigmediaprinting.online bigmediaprinting.online mail.bigmediaprinting.online
    Expiry Date: 2018-07-22 19:04:06+00:00 (VALID: 82 days)
    Certificate Path: /etc/letsencrypt/live/bigmediaprinting.online/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/bigmediaprinting.online/privkey.pem
  Certificate Name: mail.bigmediaprinting.online
    Domains: mail.bigmediaprinting.online
    Expiry Date: 2018-07-30 16:08:21+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/mail.bigmediaprinting.online/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mail.bigmediaprinting.online/privkey.pem

There are two certs as a result of troubleshooting. Let me know if there’s anything else I can provide. Any help would be greatly appreciated!

Additional Information:
My domain is: mail.bigmediaprinting.online

My web server is: nginx/1.13.12

The operating system my web server runs on is: Ubuntu 16.04.4

My hosting provider is: A2 Hosting

I can login to a root shell on my machine: Yes

I’m using a control panel to manage my site: No


#2

Hi @andrew_bmp,

Seems your cipher list is a bit… aggressive :wink:

Maybe you could try to use this cipher list in your nginx conf:

ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

Cheers,
sahsanu


#3

Chrome doesn’t support secp521r1 (P-521) ECDH.

https://www.ssllabs.com/ssltest/viewClient.html?name=Chrome&version=57&platform=Win%207&key=141

You need to enable X25519, P-256 and/or P-384.
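Putting posts #2 and #3 together as a single nginx server block (an added example, not the original poster's configuration, which the thread never shows; the P-521-only "before" line is an assumption inferred from post #3, and the certificate paths are the ones certbot listed in post #1):

```nginx
# Added illustration, not the poster's real config. The "before" directive
# is assumed: the thread only tells us the server offered secp521r1 (P-521).
server {
    listen 443 ssl http2;
    server_name mail.bigmediaprinting.online;

    ssl_certificate     /etc/letsencrypt/live/mail.bigmediaprinting.online/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mail.bigmediaprinting.online/privkey.pem;

    # BEFORE (assumed): only P-521 offered for the ECDHE key exchange.
    # Chrome does not implement secp521r1, so none of the ECDHE suites can
    # be negotiated and the handshake aborts with
    # ERR_SSL_VERSION_OR_CIPHER_MISMATCH even though the certificate is fine.
    # ssl_ecdh_curve secp521r1;

    # AFTER: offer the groups browsers actually implement, server preference
    # first. OpenSSL names: X25519, prime256v1 (P-256), secp384r1 (P-384).
    ssl_ecdh_curve X25519:prime256v1:secp384r1;

    # Cipher list suggested in post #2: ECDHE-only, AEAD suites first.
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
}
```

Run `nginx -t` before reloading; the SSL Labs handshake simulation linked in post #1 is the quickest way to confirm that Chrome and the other previously failing clients now negotiate an ECDHE suite.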


#4

Wow, great. It’s working! Thanks a lot; I didn’t fully understand that option.


#5

Thank you, I made the changes.


#6

It seems that you are truly concerned about making your site as secure as possible.
If so, you might want to:
Increase the cert key size from RSA 2048 bits to RSA 4096 bits
Provide and prefer an ECDSA cert with 384 bits
Enable CHACHA20-POLY1305 cipher
Enable CAA

and for more pointers you can read through https://gist.github.com/atoponce/07d8d4c833873be2f68c34f9afc5a78a


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.