Firefox throwing SSl_error_no_cypher_overlap error #1216

Open
fuzzball1980 opened this Issue Oct 19, 2018 · 2 comments


fuzzball1980 commented Oct 19, 2018

Hi guys! I have been asked to disable TLSv1 and TLSv1.1 on my site.

I have been able to do it by adding the following config to the cipher list:

vserver!21!ssl_ciphers = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:!ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:!DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DHE-RSA-CAMELLIA256-SHA:!AES256-SHA:!CAMELLIA256-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-CAMELLIA128-SHA:!AES128-SHA:!CAMELLIA128-SHA:!EDH-RSA-DES-CBC3-SHA:!DES-CBC3-SHA:HIGH:!SSLv2:!DESede:!SSLv3

The problem is that on the latest Firefox version on Windows and Linux (not on macOS) I get the SSL_ERROR_NO_CYPHER_OVERLAP error.

So I enabled TLSv1 and TLSv1.1, ran an sslscan on my site, and started to deny the ciphers on TLSv1 and TLSv1.1 one by one to find the one used by Firefox, and I got this list that works on FF on Linux and Windows.

Supported Server Cipher(s):
Preferred TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 1024 bits
Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA256 DHE 1024 bits
Accepted TLSv1.2 256 bits AES256-GCM-SHA384
Accepted TLSv1.2 256 bits AES256-SHA256
Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 1024 bits
Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 1024 bits
Accepted TLSv1.2 128 bits AES128-GCM-SHA256
Accepted TLSv1.2 128 bits AES128-SHA256
Accepted TLSv1.2 112 bits DES-CBC3-SHA
Preferred TLSv1.1 112 bits DES-CBC3-SHA
Preferred TLSv1.0 112 bits DES-CBC3-SHA
Preferred SSLv3 256 bits DHE-RSA-AES256-SHA DHE 1024 bits
Accepted SSLv3 256 bits DHE-RSA-CAMELLIA256-SHA DHE 1024 bits
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 256 bits CAMELLIA256-SHA
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA DHE 1024 bits
Accepted SSLv3 128 bits DHE-RSA-CAMELLIA128-SHA DHE 1024 bits
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 128 bits CAMELLIA128-SHA
Accepted SSLv3 112 bits EDH-RSA-DES-CBC3-SHA DHE 1024 bits
Accepted SSLv3 112 bits DES-CBC3-SHA

So, if I disable DES-CBC3-SHA I get the SSL_no_cipher_overlap error; it looks like FF is not supporting TLSv1.2 by default or can't find any other matching cipher.

Any idea?

Thank you very much!
Cesar.-
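
The overlap check described in the post above, as an added example (not from the original issue or the project's code): it parses the TLSv1.x rows of the posted sslscan output and intersects them with a client's offered suites. `CLIENT_OFFER` is a constructed stand-in, not a captured Firefox ClientHello, and the function names are hypothetical.

```python
import re

# TLSv1.x rows copied from the sslscan output in the issue (SSLv3 rows left out).
SCAN = """\
Preferred TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 1024 bits
Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA256 DHE 1024 bits
Accepted TLSv1.2 256 bits AES256-GCM-SHA384
Accepted TLSv1.2 256 bits AES256-SHA256
Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 1024 bits
Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 1024 bits
Accepted TLSv1.2 128 bits AES128-GCM-SHA256
Accepted TLSv1.2 128 bits AES128-SHA256
Accepted TLSv1.2 112 bits DES-CBC3-SHA
Preferred TLSv1.1 112 bits DES-CBC3-SHA
Preferred TLSv1.0 112 bits DES-CBC3-SHA
"""

# ASSUMPTION: constructed client offer; substitute the suites from a real ClientHello capture.
CLIENT_OFFER = {
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA", "DHE-RSA-AES128-SHA", "AES128-SHA", "DES-CBC3-SHA",
}
ROW = re.compile(r"^(?:Preferred|Accepted)\s+(\S+)\s+\d+ bits\s+(\S+)(?:\s+DHE (\d+) bits)?")

def parse(scan):
    """Return {protocol: {cipher: DH group size in bits, or None}}."""
    table = {}
    for line in scan.splitlines():
        m = ROW.match(line.strip())
        if m:
            proto, cipher, dh = m.groups()
            table.setdefault(proto, {})[cipher] = int(dh) if dh else None
    return table

def overlap(table, proto, offer, disabled=()):
    """Suites both sides share on one protocol after server-side removals."""
    return sorted(c for c in table.get(proto, {}) if c in offer and c not in disabled)

def findings(table):
    """Flags from the scan: ECDHE suites accepted, and DHE suites with a group under 2048 bits."""
    rows = [(c, dh) for suites in table.values() for c, dh in suites.items()]
    return {"ecdhe": sorted({c for c, _ in rows if c.startswith("ECDHE-")}),
            "weak_dh": sorted({c for c, dh in rows if dh and dh < 2048})}

if __name__ == "__main__":
    t = parse(SCAN)
    print(overlap(t, "TLSv1.2", CLIENT_OFFER), overlap(t, "TLSv1.2", CLIENT_OFFER, {"DES-CBC3-SHA"}))
    print(findings(t))
```

On these rows no ECDHE suite is accepted even though the posted cipher string lists several, and every DHE suite uses a 1024-bit group.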


skinkie commented Oct 19, 2018

Sadly, I can't reason about what Mozilla is developing. Have you asked them for support too?


fuzzball1980 commented Oct 19, 2018

Nope, my bad. I will ask them right now, thanks!
