20

My co-workers and I are having a problem using Firefox 3.0.6 to access a Java 1.6.0___11 web application we're developing. Everything works fine anywhere from 1-30 minutes into the session...but eventually, the connection fails and the following error appears:

Secure Connection Failed

An error occurred during a connection to 10.x.x.x.

Cannot communicate securely with peer: no common encryption algorithm(s).

(Error code: ssl_error_no_cypher_overlap)

IE works fine. Firefox throws the error in both Windows and Fedora, so the problem doesn't appear to be tied to an OS. The Java EE application runs on a Tomcat 6.0.16 server. All pages are encrypted using TLS 1.0 through an Apache 2.2.8 HTTP server with mod_nss.

Our Apache server is configured to reject SSL 3.0 connections. One hypothesis we have is that Firefox might be trying to establish a SSL 3.0 connection...but why?

Based some Googling, we tried the following things, but without success:

  • using Firefox 2.x (some people reported instances where 2.x worked but 3.x didn't):

  • enabling SSL2

  • disabling SSL3

  • disabling OCSP (Tool > Options > Advanced > Encryption > Validation)

  • ensuring that the anti-virus/firewall of the client computer isn't blocking or scanning port 443 (https port)

Any ideas?

Improve this question
1
  • I am on Debian 7.9 and Firefox 38.7.1. Disabling OCSP (Preferences > Advanced > Certificates > Validation) worked for me. This problem is pretty commonly faced when accessing an internally developed Java web application. No one solution appears to work for all.
    – pdp
    Commented Mar 23, 2016 at 6:38

12 Answers 12

Reset to default
8

I had the same issue while renewing the certificate for our server at www.tpsynergy.com . After importing the new server certificate and restarting the tomcat, the error we were getting was ERR_SSL_VERSION_OR_CIPHER_MISMATCH. After lot of research, I used this link https://www.sslshopper.com/certificate-key-matcher.html to compare the csr (certificate signing request to the actual certificate). They both did not match. So I created a new csr and obtained a new certificate and installed the same. It worked.

So the full steps for the process are

  1. From the same server where the certificate will be installed, create CSR

keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tpsynergy.keystore (change the domain name as needed)

While creating this, it will ask for first name and last name. Do not give your name, but use the domain name. For example I gave it as www.tpsynergy.com

2.keytool -certreq -keyalg RSA -alias tomcat -file csr.csr -keystore tpsynergy.keystore

This will create a csr.csr file in the same folder. copy the contents of this to the godaddy site and create the new certificate.

  1. The downloaded certificate zip file will have three files gd_bundle-g2-g1.crt gdig2.crt youractualcert.crt

  2. You will need to download the root cert gdroot-g2.crt from godaddy repository.

  3. Copy all these files to the same directory from where you created the CSR file and where the keystore file is located.

  4. Now run the below commands one by one to import the certs into the keystore

    keytool -import -trustcacerts -alias root -file gd_bundle-g2-g1.crt -keystore tpsynergy.keystore

    keytool -import -trustcacerts -alias root2 -file gdroot-g2.crt -keystore tpsynergy.keystore

    keytool -import -trustcacerts -alias intermediate -file gdig2.crt -keystore tpsynergy.keystore

    keytool -import -trustcacerts -alias tomcat -file yourdomainfile.crt -keystore tpsynergy.keystore

  5. Ensure that server.xml file in conf folder has this entry

  6. Restart the tomcat

Improve this answer
6

Given what you've tried and the error messages, I'd say this was more to do with the exact cipher algorithm used rather than the TLS/SSL version. Are you using a non-Sun JRE by any chance, or a different vendor's security implementation? Try a different JRE/OS to test your server if you can. Failing that you might just be able to see what's going on with Wireshark (with a filter of 'tcp.port == 443').

Improve this answer
1
  • 1
    We were using an IBM VM, which does not seem to include any current TLS implementation. Switching to a Sun VM solved the problem. +1
    – Henning
    Commented Aug 18, 2010 at 10:52
4

If you review the process of SSL negotiation at Wikipedia, you will know that at the beginning ClientHello and ServerHello messages are sent between the browser and the server.

Only if the cyphers provided in ClientHello have overlapping items on the server, ServerHello message will contain a cypher that both sides support. Otherwise, SSL connection will not be initiated as there is no common cypher.

To resolve the problem, you need to install cyphers (usually at OS level), instead of trying hard on the browser (usually the browser relies on the OS). I am familiar with Windows and IE, but I know little about Linux and Firefox, so I can only point out what's wrong but cannot deliver you a solution.

Improve this answer
2

I had similar issues browsing to secure sites (https://) when using Burp (or at least an issue that would bring you to this page when searching Google):

  • ssl_error_no_cypher_overlap in Firefox
  • ERR_SSL_VERSION_OR_CIPHER_MISMATCH in Chrome

It turned out to be an issue with using Java 8. When I switched to Java 7, the problem stopped.

Improve this answer
0

Under advanced settings of firefox you should be able to set the encryption. By default SSL3.0 and TLS1.0 should be checked, so if firefox is trying to create ssl 3.0 connectons try unchecking the ssl 3.0s setting.

if that doesn't work, try searching the about:config page for "ssl2" My Firefox has settings with ssl2 set to false by default...

Improve this answer
1
  • Tried disabling SSL 3.0, didn't work. All my ssl2 settings in about:config are set to false. I tried setting these all to true as well, but that didn't help either.
    – Michael
    Commented Feb 13, 2009 at 19:24
0

The first thing I would check is the config for mod_nss. It is the odd one out, for it is yours and there is none in the world like it :-) Whereas if there was some huge bug in Firefox or mod_nss itself, I guess you'd have found out about it by now in your google quest. The fact that you've fiddled with the config (e.g. disabling SSL3, and various other random tweaks), is also suspicious.

I'd back track to a very vanilla mod_nss config and see if that works. Then change things systematically towards your current config until you can reproduce the problem. By the sound of it the source of the error is somewhere in the cipher spec config of mod_nss and the related protocol negotiation stuff. So maybe you inadvertently changed something there when trying to turn off SSLv3 (incidentally, why disable SSL3? Normally people disable V2?).

One other thing to check is that you're on the latest mod_nss and it's not a known bug in that. The fact that it manages to start the session and then fails later is interesting - it suggests that maybe it is trying to renegotiate the session and failing to negotiate ciphers at that point. So it might be the symmetric ciphers. Or it could simply be an implementation bug in your version of mod_nss that somehow garbles the protocol.

One other idea, and this is a wild guess, is the browser is trying to resume a session which was negotiated with SSLv3 before you disabled it, and something breaks when trying to resume that session when V3 is turned off, or maybe mod_nss just doesn't implement it right.

The java/tomcat stuff seems like a red herring as unless I've misunderstood your description, none of that is involved in the SSL handshake/protocol.

Improve this answer
0

I had the same problem with a really old local router and was not able to open its WebGUI because of self-signed certificates. The solution was to install an old Firefox Portable version. I tested the following versions:

  • Firefox 33.1.1 (worked)
  • Firefox 45.0.2 (worked)
  • Firefox 56.0.2 (failed)

This is strange because it should be only a problem since version 59, but as long it works, it's ok for me.

Improve this answer
-1

If you get the no cipher overlap error on firefox, and you have left it at default settings, you are using what must be a very insecure site trying to use a very weak "export grade" cipher. Use of these ciphers is discouraged these days and I personally would stop using a site trying to use such a weak cipher.

Improve this answer
-2

I've had the same problem; to solve was enough to enable all the SSL schemas in "about:config". I was finding them by filtering with ssl. First I anabled all options for afret disabling the unnecessary ones.

Improve this answer
-2

"Error code: ssl_error_no_cypher_overlap" error message after login, when Welcome screen expected--using Firefox browser

Solution

Enable support for 40-bit RSA encryption in the Firefox Browser: 1: enter 'about:config' in Browser Address bar 2: find/select "security.ssl3.rsa_rc4_40_md5" 3: set boolean to TRUE

Improve this answer
-2

What worked for me is I:

  1. Went to about:config.
  2. Typed "security" in the search box.
  3. Set all of the returned entries to their defaults.
  4. Typed "ssl" in the search box.
  5. Set all of the returned results to their defaults.
  6. Enabled ssl2.
  7. Disabled ssl3.
  8. Restarted Firefox.

Note about restarting Firefox: When I do start it very soon after closing it, it often has a file access problem, which requires me to delete places.sqlite and places.sqlite-journal in C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\n18091xv.default. This causes me to lose my history, plus bookmarks have to be restored from a backup each time this happens. I wait from five to ten minutes or more to avoid this hassle.

Running Firefox v3.5.1 on WinMe

Improve this answer
-4

"Error code: ssl_error_no_cypher_overlap" error message after login, when Welcome screen expected--using Firefox browser Solution 1: enter 'about:config' in Browser Address bar 2: find/select "security.ssl3.rsa_rc4_40_md5" 3: set boolean to TRUE

Improve this answer

Not the answer you're looking for? Browse other questions tagged or ask your own question.