I get ssl_error_no_cypher_overlap error accessing our internal web sites.
It works on IE and FF 24.8.1 but I get error with 38.3.
I have verified there are no changes in about:config.
I have tried to change the enforcement (security.cert_pinning.enforcement_level) to 0 and it did not work. Set it back to 1.
IE and FF 24.8.1 both ask to add the exception. FF 38.3 does not.
I am running on Win2008 R2.
All Replies (20)
Since we can't get hands on with this site...
I assume all Firefox users get this on the internal sites, even with newer and non-server versions of Windows?
If you open Firefox's Web Console in the lower part of the tab, either
- Ctrl+Shift+k or
- "3-bar" menu button > Developer > Web Console
then reload the error page, does the console provide any additional detail about the problem?
And/or, do you have Google Chrome installed? If you visit the site in Google Chrome, click the padlock icon in the address bar, and then "Connection" on the drop-down panel, could you post its diagnosis of the strength of the site's security? That may flag up an issue that Firefox is not explaining as well as it could.
What connection settings are used if you check the Security tab in the Network Monitor (3-bar Menu button or Tools > Web Developer) in Firefox 38?
Nothing shows up in the Console window
I do not get the "Security Tab".
We are not allowed to load Google Chrome. :-(
dooley0008 said
I do not get the "Security Tab".
The security tab should appear on the right side (after various other tabs such as Rules, Computed...) if you click an HTTPS connection in the Network Monitor. (It was added in Firefox 37, so should be in your version.) If that connection does not appear, try reloading the page in the top part of the tab.
I did that with the same result. See pic.
But if you click that row, no Security tab appears on the right?
Also, you may want to edit that image since it lists the server address in the blue title bar area.
The Security tab is only there if you connect via a secure HTTPS connection and not if you use an open HTTP connection.
An error occurred during a connection to east-web.mt.att.com:9443.
Cannot communicate securely with peer: no common encryption algorithm(s).
(Error code: ssl_error_no_cypher_overlap)
I overlaid the address with the name on the pic and messages. Thanks for thinking about that.
I did not click on the line. Once I did it appeared.
jscher - do you want a private conversation? I may be able to show you my screen.
Hmm, that doesn't tell us anything new.
If this is an old IIS server, it's possible that it only supports RC4 ciphers, which Firefox deprecated around the release of Firefox 38. What happens if you toggle this setting:
(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.
(2) In the search box above the list, type or paste rc4 and pause while the list is filtered
(3) Double-click the security.tls.unrestricted_rc4_fallback preference to switch it from the default value of false to true
You may need to clear cache before this takes effect on a server Firefox previously refused to connect to. See: How to clear the Firefox cache.
It was already set to "true" by default. All the rc4 options are true by default.
dooley0008 said
It was already set to "true" by default. All the rc4 options are true by default.
Hmm, that setting might be unique to the ESR release. (It's normal for the others to be true by default.)
There were just so many changes between Firefox 24 and 38, which was quite a while ago, so I can't remember all the possible fixes. Here's one I found in a search that made Firefox 37 behave more like Firefox 36 with the combination of TLS 1.0 + RC4 cipher:
(1) Copy the host name of the server address. This is the part between the https:// protocol and the next / character, and not including either of those.
(2) In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.
(3) In the search box above the list, type or paste tls and pause while the list is filtered
(4) Double-click the security.tls.insecure_fallback_hosts preference to display a box where you can paste the copied host name. If you have something here already, add a comma at the end before pasting to separate the new host name from the previous name(s). Then click OK to save the change.
Then try reloading the site.
Same result
Here are the tls options
Does that server support TLS 1.0 and higher or only SSL3?
What does it say in "Tools > Page Info > Security" in Firefox 24?
The SSleuth works from Firefox 25 and later, so it won't be of much use either, just like the Network Monitor.
Does Google Chrome work on your operating system?