Error: ssl_error_no_cypher_overlap

Hello,

We set up a wildcard certificate with acme.sh; it worked well for several months.

But since last week, it suddenly shows an ERROR at the frontend: "SSL_ERROR_NO_CYPHER_OVERLAP"

I am quite confused by this issue, since we did not touch the server end.

Here is some improper information from testing our domain at: https://www.ssllabs.com/ssltest/index.html

So, what might be the reason, please?

Thanks.

ACME.sh doesn’t modify ciphers.
LE doesn’t modify ciphers.
Certificates don’t modify ciphers.

Chrome 70 accepts TLSv1.3 RFC - does your site attempt to provide TLSv1.3? If so, which draft/version?

You don’t really provide enough information for anyone to be sure on what the problem is…
You could start by listing an FQDN that displays this type of problem/behavior.

It seems related to the updated nginx ciphers_suite setting in /etc/nginx/nginx.conf

https://mozilla.github.io/server-side-tls/ssl-config-generator/

but I do not know how to merge the new settings into the older nginx.conf. Do you know how to do it, please?

There are two conf files; which one should I touch, please?

Thanks

Hi @Alexlii! I think it will be much easier for us to help you if you tell us your domain name. Without that we will only be guessing.

Thanks,
Jacob

Hi @jsha @rg305

Oh, sorry, here is our domain:

www.lovcour.com

or any other subdomain:

forum.lovcour.com

Thanks.

Please better explain how/where you get this error message:

Perhaps your clients do not support the protocols/ciphers shown:
https://www.ssllabs.com/ssltest/analyze.html?d=www.lovcour.com
https://www.ssllabs.com/ssltest/analyze.html?d=forum.lovcour.com

Both show TLSv1.2 ONLY with:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)

I am using a Mac; it works well in Safari and Chrome, but does not work in Firefox.

In Windows, I found it does not work in all browsers.

And our users also see the same issue. What about your end, please?

Both work from my system.
Show this page result from a system that has the problem:
https://www.ssllabs.com/ssltest/viewMyClient.html

Since our server is deployed with Easy Engine, I also posted at https://community.easyengine.io/t/error-ssl-error-no-cypher-overlap/11356/3

and an expert said we should touch this one:
https://mozilla.github.io/server-side-tls/ssl-config-generator/

You need to match the client's capabilities:
Show: https://www.ssllabs.com/ssltest/viewMyClient.html

Or, update the client to match the server:
TLSv1.2 ONLY with:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)

You accessed our site before; maybe you already ignored the security warning.

How should we handle it, please?

That client supports all five of the server ciphers…
They should be able to communicate securely.
Please show a screenshot of the message - where it happens.

I do get an error when using:
curl -Ik https://www.lovcour.com/

which returns:
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

I’ll try to find more information on that.

I think SNI requires a TLS connection before making a specific URL request.
But it seems the default site may be set up in a way that conflicts with modern requirements. [It may be set to use SSLv3 or RC4 only.]
So they can’t communicate; even though the vhost config is set properly.
You need to check all vhost configs - especially the default/first vhost for port 443.

Sorry, I should send you the compatibility test in Firefox:

Please show the default/first vhost for port 443

Oh, how should I show it? By Linux command line?

If it is longer than one screen, maybe save file and upload it.
If it fits in one screen, you can just get a shot of it.

What is the command line to show it, please?
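The check rg305 asks for above (inspect every vhost listening on port 443, especially the default/first one, and compare its protocols and ciphers with the intended site config) can be scripted. The following POSIX shell script is an added example for this thread, not code from any participant, EasyEngine or nginx. It parses an nginx configuration from stdin and prints one line per server block on 443 with its `server_name`, `ssl_protocols`, `ssl_ciphers` and a verdict. The embedded config is a constructed sample: a stale `default_server` limited to SSLv3/RC4 (the failure mode suspected above) beside a modern vhost; the hostnames are placeholders and the cipher strings are the OpenSSL spellings of three of the suites listed in the SSL Labs report.

```shell
#!/bin/sh
# Added example (not from the thread): list every nginx server block that
# listens on port 443 with its TLS settings, so the default/first 443 vhost
# can be compared with the intended site config. On a real host, pipe the
# output of `nginx -T` (the full effective configuration) into tls_vhosts.
set -eu

# Constructed sample config: a stale default_server restricted to SSLv3/RC4
# next to the modern site vhost. Hostnames are placeholders; the cipher names
# are OpenSSL spellings of suites from the SSL Labs report quoted in the thread.
SAMPLE_CONF='
server {
    listen 80;
    server_name example.invalid;
}
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_protocols SSLv3;
    ssl_ciphers RC4-SHA;
}
server {
    listen 443 ssl http2;
    server_name www.example.invalid forum.example.invalid;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256;
}
'

# tls_vhosts: read an nginx config on stdin; print one line per server block
# listening on 443 as "server_name|ssl_protocols|ssl_ciphers|verdict".
# A directive missing from the block is reported as "(inherited)", because
# nginx then takes it from the enclosing http{} block or its built-in default.
tls_vhosts() {
    awk '
    function value(line) {
        # drop the directive name, surrounding whitespace and the trailing ";"
        sub(/^[ \t]*[A-Za-z_]+[ \t]+/, "", line)
        sub(/[ \t]*;.*$/, "", line)
        return line
    }
    { sub(/#.*/, "") }                          # strip comments
    /^[ \t]*server[ \t]*[{]/ {                  # a new server block starts
        in_server = 1; depth = 0; tls = 0
        name = "(unnamed)"; proto = "(inherited)"; ciph = "(inherited)"
    }
    in_server {
        depth += gsub(/[{]/, "{")               # track nesting so nested
        depth -= gsub(/[}]/, "}")               # location{} blocks are skipped
        if ($1 == "listen") { v = $2; sub(/;$/, "", v); if (v ~ /(^|:)443$/) tls = 1 }
        if ($1 == "server_name")   name  = value($0)
        if ($1 == "ssl_protocols") proto = value($0)
        if ($1 == "ssl_ciphers")   ciph  = value($0)
        if (depth == 0) {                       # block closed: report it
            if (tls) {
                if (proto == "(inherited)")      verdict = "inherited"
                else if (proto ~ /TLSv1\.[23]/) verdict = "ok"
                else                            verdict = "no-modern-tls"
                printf "%s|%s|%s|%s\n", name, proto, ciph, verdict
            }
            in_server = 0
        }
    }'
}

# default_vhost_report: run the constructed sample through tls_vhosts.
default_vhost_report() {
    printf '%s\n' "$SAMPLE_CONF" | tls_vhosts
}

default_vhost_report
```

On a live server the command the thread is asking for is `nginx -T`, which prints the whole effective configuration including every file pulled in from `conf.d/` and `sites-enabled/`; `nginx -T 2>/dev/null | tls_vhosts` then shows all 443 vhosts in one place. For each listen address nginx serves the block marked `default_server`, or the first one defined when none is marked, to any client whose SNI name matches no `server_name`, so a `no-modern-tls` verdict on that block explains a handshake failure even when the named vhost is configured correctly.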