Google Chrome error code


#1

Hi,

I have a problem with a specific domain when I turn the Let’s Encrypt certificate on. I can reach the website in Safari but not in Chrome. The following message appears: ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY.

My domain is: https://wimcon.se/

I ran this command: sudo ee site update www.wimcon.se --letsencrypt=on

It produced this output: ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY

My web server is (include version): Ubuntu 16.04 LTS Linux, Nginx.

The operating system my web server runs on is (include version): Linux

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Wordpress

Thanks!


#2

https://tools.ietf.org/html/rfc7540#appendix-A

Check your nginx configuration for ciphersuites (ssl_ciphers) from that list, and remove them. Specifically your server seems to advertise support for:

  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_CBC_SHA

If your nginx is not configured with any ciphersuites, use https://mozilla.github.io/server-side-tls/ssl-config-generator/ to configure them.

Edit: The nginx versions of those ciphers are:

  • AES256-GCM-SHA384
  • AES128-SHA

so look for those.


#3

Thanks for a quick reply. Which command should I use to configure the ciphersuites?


#4

What’s this show:

sudo grep -R -A1 -B1 -i "ssl_ciphers" /etc/nginx/

#5

Thanks again. I get the following:

/etc/nginx/nginx.conf- ssl_prefer_server_ciphers on;
/etc/nginx/nginx.conf: ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHADHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!ECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
/etc/nginx/nginx.conf- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

/etc/nginx/sites-available/default- # ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don’t use SSLv3 ref: POODLE
/etc/nginx/sites-available/default: # ssl_ciphers HIGH:!aNULL:!MD5;
/etc/nginx/sites-available/default- # ssl_prefer_server_ciphers on;

/etc/nginx/sites-enabled/default- # ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don’t use SSLv3 ref: POODLE
/etc/nginx/sites-enabled/default: # ssl_ciphers HIGH:!aNULL:!MD5;
/etc/nginx/sites-enabled/default- # ssl_prefer_server_ciphers on;


#6

Replace that line with

ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

then restart nginx.


#7

Which command should I use to replace the line?


#8

Use a text editor. If you don’t know how to use a text editor, then you can try this all-in-one:

sed -i 's/ssl_ciphers E.*/ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:\!DSS";/'  /etc/nginx/nginx.conf

but I can’t guarantee it’ll do exactly the right thing to your files.


#9

I can use a text editor. But where should I replace the line? I use terminal and I can’t change anything without a config command?


#10

Open /etc/nginx/nginx.conf in a text editor, find the existing line that starts with ssl_ciphers E…, replace it with the line I suggested, save the file.


#11

Ok. But in FTP then?


#12

Whatever you want. There are terminal-based text editors like nano and vi, which is what most people do, but FTP is a fine method too.


#13

I have edited the file now:

/etc/nginx/nginx.conf- ssl_prefer_server_ciphers on;
/etc/nginx/nginx.conf: ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
/etc/nginx/nginx.conf-

/etc/nginx/sites-available/default- # ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don’t use SSLv3 ref: POODLE
/etc/nginx/sites-available/default: # ssl_ciphers HIGH:!aNULL:!MD5;
/etc/nginx/sites-available/default- # ssl_prefer_server_ciphers on;

/etc/nginx/sites-enabled/default- # ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don’t use SSLv3 ref: POODLE
/etc/nginx/sites-enabled/default: # ssl_ciphers HIGH:!aNULL:!MD5;
/etc/nginx/sites-enabled/default- # ssl_prefer_server_ciphers on;

But it’s still not working. Can it have anything to do with this: https://www.ssllabs.com/ssltest/analyze.html?d=www.wimcon.se


#14

Did you remember to restart nginx after modifying the file?


#15

Not only Chrome, Firefox also doesn’t allow a visit. IE11 and Edge are showing the page and accept the weak Cipher Suites.

Good to know, thanks for this information.


#16

Voila! Now it works. Can I use the ciphers on all servers or is this unique for just this domain? I have the same setup on other servers.

Thanks so much for your patience and help!


#17

Cipher Suites are universal. You can use the same set everywhere.

But now you have some mixed content warnings to fix. In Firefox or Chrome, press Ctrl + Shift + i, then select the console.

There are addresses like

http://www.wimcon.se/wp-content/uploads/2018/

you should change these to https


#18

Yes, I know. I will fix those. Thanks for the heads up anyway!


#19

One last question. Can you delete those Cipher Suites that are weak? See attached image.

Thanks again!


#20

You may have been looking at cached test results. Your domain’s results look more like this:

The weak ciphersuites are actually not a problem, as long as they’re at the bottom of the list. If you want to get rid of them, you can find which OpenSSL names the weak ciphersuites from the Qualys SSL Labs test correspond to on https://www.openssl.org/docs/man1.0.2/apps/ciphers.html , and then remove them from your string. However, it’s not a great idea if you don’t know what you’re doing, and not really necessary.

You can also use the “modern” nginx configuration from https://mozilla.github.io/server-side-tls/ssl-config-generator/ , which will have fewer “weak” ciphersuites. But this will reduce compatibility with older devices and operating systems.