Browser Error: SSL Version or Cipher Mismatch

andrew_bmp · May 1, 2018, 6:00pm

Greetings,

I’ve been trying to troubleshoot this browser error for the last couple of days to no avail. The actual error in Chrome is: ERR_SSL_VERSION_OR_CIPHER_MISMATCH.

The results from here:
https://www.ssllabs.com/ssltest/analyze.html?d=mail.bigmediaprinting.online
show numerous failed handshakes for some browsers.

Running this command:
certbot certificates

Gave this result:
Found the following certs: Certificate Name: bigmediaprinting.online Domains: www.bigmediaprinting.online bigmediaprinting.online mail.bigmediaprinting.online Expiry Date: 2018-07-22 19:04:06+00:00 (VALID: 82 days) Certificate Path: /etc/letsencrypt/live/bigmediaprinting.online/fullchain.pem Private Key Path: /etc/letsencrypt/live/bigmediaprinting.online/privkey.pem Certificate Name: mail.bigmediaprinting.online Domains: mail.bigmediaprinting.online Expiry Date: 2018-07-30 16:08:21+00:00 (VALID: 89 days) Certificate Path: /etc/letsencrypt/live/mail.bigmediaprinting.online/fullchain.pem Private Key Path: /etc/letsencrypt/live/mail.bigmediaprinting.online/privkey.pem

There two certs as a result of troubleshooting. Let me know if there’s anything else I can provide. Any help would be greatly appreciated!

Additional Information:
My domain is: mail.bigmediaprinting.online

My web server is: nginx/1.13.12

The operating system my web server runs on is: Ubuntu 16.04.4

My hosting provider is: A2 Hosting

I can login to a root shell on my machine: Yes

I’m using a control panel to manage my site: No

sahsanu · May 1, 2018, 6:42pm

Hi @andrew_bmp,

Seems your cipher list is a bit… aggressive

Maybe you could try to use this cipher list in your nginx conf:

ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

Cheers,
sahsanu

mnordhoff · May 1, 2018, 7:09pm

Chrome doesn’t support secp521r1 (P-521) ECDH.

https://www.ssllabs.com/ssltest/viewClient.html?name=Chrome&version=57&platform=Win%207&key=141

You need to enable X25519, P-256 and/or P-384.

andrew_bmp · May 1, 2018, 7:34pm

Wow, great. It’s working! Thanks a lot; I didn’t fully understand that option.

andrew_bmp · May 1, 2018, 7:35pm

Thank you, I made the changes.

rg305 · May 2, 2018, 12:21am

It seems that you are truly concerned about making your site as secure as possible.
If so, you might want to:
Increase the cert key size from RSA 2048 bits to RSA 4096 bits
Provide and prefer an ECDSA cert with 384 bits
Enable CHACHA20-POLY1305 cipher
Enable CAA

and for more pointers you can read through https://gist.github.com/atoponce/07d8d4c833873be2f68c34f9afc5a78a

system · June 1, 2018, 12:21am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Error on browser err-ssl-version-or-cipher-mismatch Help	3	3037	November 14, 2017
Need help, got error ERR SSL VERSION OR CIPHER MISMATCH when accessing my domain Server	3	7960	August 23, 2017
I keep getting this error in Chrome even with SSLv3 disabled Server	18	6958	March 3, 2017
Google Chrome error code Help	21	2152	August 16, 2018
Renewed certificates are not working Help	8	774	March 9, 2023

Browser Error: SSL Version or Cipher Mismatch

Related topics