Error:ssl_error_no_cypher_overlap


#1

Hello,

We set up a wildcard with acme.sh, and it worked well for several months.

But since last week, it suddenly shows an ERROR at the frontend: "SSL_ERROR_NO_CYPHER_OVERLAP"

I am quite confused by this issue since we did not touch the server end.

Here is some improper information after I tested our domain at: https://www.ssllabs.com/ssltest/index.html


So, what might be the reason please?

Thanks.


#2

ACME.sh doesn’t modify ciphers.
LE doesn’t modify ciphers.
Certificates don’t modify ciphers.

Chrome 70 accepts TLSv1.3 RFC - does your site attempt to provide TLSv1.3? If so, which draft/version?

You don’t really provide enough information for anyone to be sure on what the problem is…
You could start by listing an FQDN that displays this type of problem/behavior.


#3

It seems related to the updated nginx cipher suite setting in /etc/nginx/nginx.conf

https://mozilla.github.io/server-side-tls/ssl-config-generator/

But I do not know how to merge the new settings into the older nginx.conf; do you know how to do it please?

There are two conf files; which one should I touch please?

Thanks


#4

Hi @Alexlii! I think it will be much easier for us to help you if you tell us your domain name. Without that we will only be guessing.

Thanks,
Jacob


#5

Hi @jsha @rg305

Oh, sorry, here is our domain:

www.lovcour.com

or any other subdomain:

forum.lovcour.com

Thanks.


#6

Please better explain how/where you get this error message:

Perhaps your clients do not support the protocols/ciphers shown:
https://www.ssllabs.com/ssltest/analyze.html?d=www.lovcour.com
https://www.ssllabs.com/ssltest/analyze.html?d=forum.lovcour.com

Both show TLSv1.2 ONLY with:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)


#7

I am using a Mac; it works well in Safari and Chrome, but does not work in Firefox.

On Windows, I found it does not work in any browser.

And our users see the same issue. What about your end please?


#8

Both work from my system.
Show this page result from a system that has the problem:
https://www.ssllabs.com/ssltest/viewMyClient.html


#9

Since our server is deployed with Easy Engine, I also posted at https://community.easyengine.io/t/error-ssl-error-no-cypher-overlap/11356/3

and an expert said we should touch this one:
https://mozilla.github.io/server-side-tls/ssl-config-generator/


#10

You need to match the client's capabilities:
Show: https://www.ssllabs.com/ssltest/viewMyClient.html

Or, update the client to match the server:
TLSv1.2 ONLY with:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)


#11

#12

You accessed our site before; maybe you already ignored the security warning.

How should we handle it please?


#13

That client supports all five of the server ciphers…
They should be able to communicate securely.
Please show a screenshot of the message - where it happens.


#14

#15

I do get an error when using:
curl -Ik https://www.lovcour.com/

which returns:
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

I’ll try to find more information on that.

I think SNI requires a TLS connection before making a specific URL request.
But it seems the default site may be set up in a way that conflicts with modern requirements. [It may be set to use SSLv3 or RC4 only.]
So they can’t communicate; even though the vhost config is set properly.
You need to check all vhost configs - especially the default/first vhost for port 443.
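An added example (not from this thread or from nginx) of how a defender can test the hypothesis in the post above: handshake once with the SNI name and once without it, so a failure that only appears without SNI points at the default/first :443 vhost rather than the named one. The `cipher_overlap` helper reproduces the browser's "no cypher overlap" condition as a set intersection; the five server suites are the ones SSL Labs reported in post #6, and `probe`, `diagnose` and the verdict strings are this example's own names.

```python
import socket
import ssl

# The five suites SSL Labs reported for the server in this thread (IANA names, post #6).
SERVER_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
}

VERDICTS = {
    "client": "server handshakes with and without SNI; inspect the failing client's capabilities",
    "default_vhost": "named vhost handshakes, but the default/first :443 vhost rejects the client",
    "sni_vhost": "the vhost selected by SNI rejects the client; check its ssl_protocols/ssl_ciphers",
    "server": "no :443 vhost handshakes with a TLS 1.2+ client; check every vhost config",
}


def cipher_overlap(server_suites, client_suites):
    """Suites both sides offer; an empty result is exactly the browser's NO_CYPHER_OVERLAP."""
    return set(server_suites) & set(client_suites)


def probe(host, port=443, server_name=None, timeout=5.0):
    """One TLS 1.2+ handshake against host:port, sending SNI only if server_name is given.
    Certificate verification is disabled on purpose (like curl -k): only the handshake matters."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                # tls.cipher() reports the OpenSSL name, e.g. ECDHE-RSA-AES256-GCM-SHA384
                return {"ok": True, "version": tls.version(), "cipher": tls.cipher()[0]}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "error": str(exc)}


def diagnose(with_sni, without_sni):
    """Map the two probe outcomes to which vhost (if any) is at fault; returns a VERDICTS key."""
    if with_sni["ok"]:
        return "client" if without_sni["ok"] else "default_vhost"
    return "sni_vhost" if without_sni["ok"] else "server"


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.lovcour.com"
    print(VERDICTS[diagnose(probe(host, server_name=host), probe(host))])
```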


#16

Sorry, I should send you the compatibility test in Firefox:


#17

Please show the default/first vhost for port 443


#18

Oh, how should I show it? By the Linux command line?


#19

If it is longer than one screen, maybe save the file and upload it.
If it fits in one screen, you can just get a shot of it.


#20

What is the command line to show it please?