root@101:~# grep -Eri 'ssl_cipher' /etc/nginx/
/etc/nginx/nginx.conf.default: # ssl_ciphers HIGH:!aNULL:!MD5;
/etc/nginx/sites-available/default: # ssl_ciphers HIGH:!aNULL:!MD5;
/etc/nginx/nginx.conf: ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
root@101:~#
Does NOT support TLSv1.3
Upgrade to OpenSSL 1.1.1
or change:
TO:
/etc/nginx/nginx.conf: ssl_protocols TLSv1.2;
root@101:~# grep -Eri 'ssl_cipher' /var/www/
/var/www/22222/htdocs/db/pma/doc/config.rst: :config:option:$cfg['Servers'][$i]['ssl_ciphers']
,
/var/www/22222/htdocs/db/pma/doc/config.rst: :config:option:$cfg['Servers'][$i]['ssl_ciphers']
,
/var/www/22222/htdocs/db/pma/doc/config.rst: :config:option:$cfg['Servers'][$i]['ssl_ciphers']
,
/var/www/22222/htdocs/db/pma/doc/config.rst: :config:option:$cfg['Servers'][$i]['ssl_ciphers']
,
/var/www/22222/htdocs/db/pma/doc/config.rst: :config:option:$cfg['Servers'][$i]['ssl_ciphers']
,
/var/www/22222/htdocs/db/pma/doc/config.rst:.. config:option:: $cfg['Servers'][$i]['ssl_ciphers']
/var/www/22222/htdocs/db/pma/doc/config.rst: :config:option:$cfg['Servers'][$i]['ssl_ciphers']
,
/var/www/22222/htdocs/db/pma/doc/config.rst: :config:option:$cfg['Servers'][$i]['ssl_ciphers']
,
/var/www/22222/htdocs/db/pma/doc/setup.rst: :config:option:$cfg['Servers'][$i]['ssl_ciphers']
,
/var/www/22222/htdocs/db/pma/libraries/dbi/dbi_dummy.inc.php: 'Master_SSL_Cipher' => 'Master_SSL_Cipher',
/var/www/22222/htdocs/db/pma/libraries/config.default.php: * @global string $cfg['Servers'][$i]['ssl_ciphers']
/var/www/22222/htdocs/db/pma/libraries/config.default.php:$cfg['Servers'][$i]['ssl_ciphers'] = null;
/var/www/22222/htdocs/db/pma/libraries/replication.inc.php: 'Master_SSL_Cipher',
/var/www/22222/htdocs/db/pma/libraries/classes/Controllers/Server/ServerVariablesController.php: $variable_doc_links['ssl_cipher'] = array(
/var/www/22222/htdocs/db/pma/libraries/classes/Controllers/Server/ServerVariablesController.php: 'ssl_cipher',
/var/www/22222/htdocs/db/pma/libraries/classes/Server/Privileges.php: 'name' => 'ssl_cipher',
/var/www/22222/htdocs/db/pma/libraries/classes/Server/Privileges.php: 'value' => (isset($row['ssl_cipher'])
/var/www/22222/htdocs/db/pma/libraries/classes/Server/Privileges.php: ? htmlspecialchars($row['ssl_cipher']) : ''
/var/www/22222/htdocs/db/pma/libraries/classes/Server/Privileges.php: if (! empty($arr['ssl_cipher'])) {
/var/www/22222/htdocs/db/pma/libraries/classes/Server/Privileges.php: . $GLOBALS['dbi']->escapeString($arr['ssl_cipher']) . "'";
/var/www/22222/htdocs/db/pma/libraries/classes/Dbi/DbiMysqli.php: ! empty($server['ssl_ciphers'])
/var/www/22222/htdocs/db/pma/libraries/classes/Dbi/DbiMysqli.php: $server['ssl_ciphers']
/var/www/22222/htdocs/db/pma/libraries/classes/DatabaseInterface.php: 'ssl_ca_path', 'ssl_ciphers', 'ssl_verify',
/var/www/22222/htdocs/db/pma/libraries/classes/Plugins/Auth/AuthenticationCookie.php: return openssl_cipher_iv_length('AES-128-CBC');
/var/www/22222/htdocs/db/pma/templates/privileges/require_options.twig: {% if require_option['name'] is same as('ssl_cipher') %}
/var/www/22222/htdocs/db/pma/vendor/phpmyadmin/sql-parser/src/Contexts/ContextMySql50100.php: 'MASTER_SSL_CAPATH' => 1, 'MASTER_SSL_CIPHER' => 1, 'SQL_BUFFER_RESULT' => 1,
/var/www/22222/htdocs/db/pma/vendor/phpmyadmin/sql-parser/src/Contexts/ContextMariaDb100100.php: 'MASTER_SSL_CAPATH' => 1, 'MASTER_SSL_CIPHER' => 1, 'RETURNED_SQLSTATE' => 1,
/var/www/22222/htdocs/db/pma/vendor/phpmyadmin/sql-parser/src/Contexts/ContextMariaDb100000.php: 'MASTER_SSL_CIPHER' => 1, 'SQL_BUFFER_RESULT' => 1,
/var/www/22222/htdocs/db/pma/vendor/phpmyadmin/sql-parser/src/Contexts/ContextMySql50500.php: 'MASTER_SSL_CIPHER' => 1, 'SQL_BUFFER_RESULT' => 1,
/var/www/22222/htdocs/db/pma/vendor/phpmyadmin/sql-parser/src/Contexts/ContextMySql80000.php: 'MASTER_SSL_CAPATH' => 1, 'MASTER_SSL_CIPHER' => 1, 'RETURNED_SQLSTATE' => 1,
/var/www/22222/htdocs/db/pma/vendor/phpmyadmin/sql-parser/src/Contexts/ContextMySql50600.php: 'MASTER_SSL_CIPHER' => 1, 'RETURNED_SQLSTATE' => 1, 'SQL_BUFFER_RESULT' => 1,
/var/www/22222/htdocs/db/pma/vendor/phpmyadmin/sql-parser/src/Contexts/ContextMySql50700.php: 'MASTER_SSL_CAPATH' => 1, 'MASTER_SSL_CIPHER' => 1, 'RETURNED_SQLSTATE' => 1,
/var/www/22222/htdocs/db/pma/vendor/phpmyadmin/sql-parser/src/Contexts/ContextMySql50000.php: 'MASTER_SSL_CAPATH' => 1, 'MASTER_SSL_CIPHER' => 1, 'SQL_BUFFER_RESULT' => 1,
/var/www/22222/htdocs/db/pma/vendor/phpmyadmin/sql-parser/src/Contexts/ContextMariaDb100300.php: 'MASTER_SSL_CAPATH' => 1, 'MASTER_SSL_CIPHER' => 1, 'RETURNED_SQLSTATE' => 1,
/var/www/22222/htdocs/db/pma/vendor/phpmyadmin/sql-parser/src/Contexts/ContextMariaDb100200.php: 'MASTER_SSL_CAPATH' => 1, 'MASTER_SSL_CIPHER' => 1, 'RETURNED_SQLSTATE' => 1,
/var/www/22222/htdocs/db/pma/vendor/tecnickcom/tcpdf/include/tcpdf_static.php: $iv = openssl_random_pseudo_bytes (openssl_cipher_iv_length('aes-256-cbc'));
/var/www/22222/htdocs/db/pma/vendor/tecnickcom/tcpdf/include/tcpdf_static.php: $iv = str_repeat("\x00", openssl_cipher_iv_length('aes-256-cbc'));
/var/www/22222/htdocs/db/pma/test/classes/ReplicationGuiTest.php: 'Master_SSL_Cipher',
/var/www/lovcour.com/htdocs/wp-content/plugins/wp-file-manager/lib/codemirror/mode/nginx/index.html: ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
/var/www/lovcour.com/htdocs/wp-content/plugins/wp-file-manager/lib/codemirror/mode/nginx/nginx.js: /* ngxDirective */ " accept_mutex accept_mutex_delay access_log add_after_body add_before_body add_header addition_types aio alias allow ancient_browser ancient_browser_value auth_basic auth_basic_user_file auth_http auth_http_header auth_http_timeout autoindex autoindex_exact_size autoindex_localtime charset charset_types client_body_buffer_size client_body_in_file_only client_body_in_single_buffer client_body_temp_path client_body_timeout client_header_buffer_size client_header_timeout client_max_body_size connection_pool_size create_full_put_path daemon dav_access dav_methods debug_connection debug_points default_type degradation degrade deny devpoll_changes devpoll_events directio directio_alignment empty_gif env epoll_events error_log eventport_events expires fastcgi_bind fastcgi_buffer_size fastcgi_buffers fastcgi_busy_buffers_size fastcgi_cache fastcgi_cache_key
Both ways will resolve it, right?
Yes, but upgrading to 1.1.1 is not easy today [that may require compiling OpenSSL from source].
Try:
apt-get update
apt-get install openssl
[when that completes, then]
openssl version
If it is still 1.1.0h, then do option #2 [which is more likely to work now]:
ok, let me think…
I think this probably doesn't have anything to do with your server, but might have something to do with interference from your network provider.
On Chrome 70, I get ERR_SSL_VERSION_INTERFERENCE
accessing your site. If I turn off TLS 1.3 support, I can access your site.
TLS 1.3 is the newest version of TLS, and it's supported by the newest versions of Chrome. However, there's sometimes a problem with using TLS 1.3. There are devices on some networks called "middleboxes" that attempt to intercept TLS traffic for various reasons*. Often those middleboxes hard-code specific aspects of TLS, like handling the version number. When a browser, like Chrome or Firefox, sends the new "1.3" version as part of the handshake, those middleboxes cause problems in various ways, resulting in ERR_SSL_VERSION_INTERFERENCE.
Unfortunately, there's nothing you can change in your server config to fix this. You should ask your network provider if they use a TLS-intercepting middlebox. If so, you should tell them that it is causing problems with the latest version of Chrome using TLS 1.3, and ask if they can turn it off. If not, you may need to find a different network provider or hosting provider.
*Usually these also rely on people having a special root certificate installed in their operating system, and generate fake end-entity certificates from it. That doesn't seem to be happening here, but there may be a middlebox used for a different purpose.
The version of OpenSSL in use doesn't support TLSv1.3.
He needs to remove the 1.3 ciphers or the protocol or both.
The NGINX can handle 1.3 and tries to do so.
Apparently even SSL Labs (SSL Report v1.32.12) doesn't "check" for this case; it doesn't show 1.3 as enabled.
Because it ISN'T enabled…
But it IS enabled; it just doesn't work!
@rg305, I'm fairly confident that your interpretation is wrong. If Nginx is configured with TLSv1.2 and TLSv1.3, but loads an OpenSSL module that doesn't support 1.3, it will simply configure OpenSSL to handle TLSv1.2 and nothing else. I don't think there's a configuration of Nginx and OpenSSL that can produce this particular error message.
If you check the Chrome source, you'll see that ERR_SSL_VERSION_INTERFERENCE is specifically meant to indicate middlebox interference: https://cs.chromium.org/chromium/src/net/http/http_network_transaction.cc?q=ERR_SSL_VERSION_INTERFERENCE&sq=package:chromium&dr=C&l=846-849.
You may be right…
I may be crazy…
It will take some time to replicate his setup.
But I will get to the bottom of this.
I concede.
This appears to be another Great (fire)Wall of China situation.
The closest I can come to duplicating this error is:
curl: (35) error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
using:
OpenSSL 1.1.0g
NGINX 1.15.6
You should NOT have to enable any weak protocols (such as TLSv1 or TLSv1.1) nor any weak ciphers (such as the 3DES `DES-CBC3-SHA` suites) to get this working.
If that is the only way to get this to work, then that is a choice you have to make.
I would like to see it secured without any weakness.
oh… I got what you mean.
For those that may read this later, please show the changes you made to get this working.
FYI, I've filed an issue to notify the Chrome team about this example, since they may want to know what types of middleboxes (or, less likely, web server configurations) trigger this error: https://bugs.chromium.org/p/chromium/issues/detail?id=906394.
Thanks both of you.
When I post here, I also post at https://community.easyengine.io/t/error-ssl-error-no-cypher-overlap/11356/2, since we used EasyEngine to deploy our WordPress project, and I asked someone who is good at EasyEngine to resolve this issue; unfortunately, I really do not know how he resolved it.
But if you want to check the configuration, I am glad to show it to you following your instructions or command lines.
Thanks again.
Alex
Please show:
openssl version
grep -Eri 'listen|ssl_cipher|ssl_protocol' /etc/nginx/
root@101:~# openssl version
OpenSSL 1.1.0h 27 Mar 2018 (Library: OpenSSL 1.1.1 11 Sep 2018)
root@101:~#
root@101:~# grep -Eri 'listen|ssl_cipher|ssl_protocol' /etc/nginx/
/etc/nginx/conf.d/force-ssl-hdfctutorials.com.conf.disabled: listen 80;
/etc/nginx/conf.d/force-ssl-lovcour.com.conf: listen 80;
/etc/nginx/conf.d/force-ssl-lovcour.com.conf: listen 80;
/etc/nginx/conf.d/force-ssl-lovcour.com.conf: listen 80;
/etc/nginx/conf.d/force-ssl-lovcour.com.conf: listen 80;
/etc/nginx/sites-available/22222: listen 22222 default_server ssl http2;
/etc/nginx/sites-available/default: listen 80 default_server;
/etc/nginx/sites-available/default: listen [::]:80 default_server;
/etc/nginx/sites-available/default: # listen 443 ssl default_server;
/etc/nginx/sites-available/default: # listen [::]:443 ssl default_server;
/etc/nginx/sites-available/default: # ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # donât use SSLv3 ref: POODLE
/etc/nginx/sites-available/default: # ssl_ciphers HIGH:!aNULL:!MD5;
/etc/nginx/sites-available/default: # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
/etc/nginx/sites-available/default:# listen 80;
/etc/nginx/sites-available/default:# listen [::]:80;
/etc/nginx/sites-available/lovcour.com: # listen 80 default_server;
/etc/nginx/nginx.conf: ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
/etc/nginx/nginx.conf: ssl_ciphers 'TLS13+AESGCM+AES128:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
/etc/nginx/nginx.conf:# listen localhost:110;
/etc/nginx/nginx.conf:# listen localhost:143;
root@101:~#