Support Forum

I get ssl_error_no_cypher_overlap error accessing our internal web sites. It works on FF 24.8.1 but I get error with 38.3. Verified no changes in about:config

Posted

It works on IE and FF 24.8.1 but I get error with 38.3.

I have verified there are no changes in about:config.

I have tried to change the enforcement (security.cert_pinning.enforcement_level) to 0 and it did not work. Set it back to 1.

IE and FF 24.8.1 both ask to add the exception. FF 38.3 does not.

I am running on Win2008 R2.

Additional System Details

Installed Plug-ins

  • ActiveTouch General Plugin Container Version 105
  • Adobe PDF Plug-In For Firefox and Netscape 10.1.15
  • NPRuntime Script Plug-in Library for Java(TM) Deploy
  • Next Generation Java Plug-in 11.60.2 for Mozilla browsers
  • The plugin allows you to have a better experience with Microsoft SharePoint
  • Shockwave Flash 19.0.0.185
  • VMware Remote Console Plug-in

Application

  • User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0

jscher2000
  • Top 10 Contributor
8706 solutions 71157 answers

Since we can't get hands on with this site...

I assume all Firefox users get this on the internal sites, even with newer and non-server versions of Windows?

If you open Firefox's Web Console in the lower part of the tab, either

  • Ctrl+Shift+k or
  • "3-bar" menu button > Developer > Web Console

then reload the error page, does the console provide any additional detail about the problem?

And/or, do you have Google Chrome installed? If you visit the site in Google Chrome, click the padlock icon in the address bar, and then "Connection" on the drop-down panel, could you post its diagnosis of the strength of the site's security? That may flag up an issue that Firefox is not explaining as well as it could.

cor-el
  • Top 10 Contributor
  • Moderator
17482 solutions 158023 answers

What connection settings are used if you check the Security tab in the Network Monitor (3-bar Menu button or Tools > Web Developer) in Firefox 38?

  • https://developer.mozilla.org/en-US/docs/Tools/Network_Monitor#Security

Question owner

Nothing shows up in the Console window

Question owner

I do not get the "Security Tab".

Question owner

We are not allowed to load Google Chrome.  :-(

jscher2000
  • Top 10 Contributor
8706 solutions 71157 answers

dooley0008 said

I do not get the "Security Tab".

The security tab should appear on the right side (after various other tabs such as Rules, Computed...) if you click an HTTPS connection in the Network Monitor. (It was added in Firefox 37, so should be in your version.) If that connection does not appear, try reloading the page in the top part of the tab.

Question owner

I did that with the same result. See pic.

jscher2000
  • Top 10 Contributor
8706 solutions 71157 answers

But if you click that row, no Security tab appears on the right?

Also, you may want to edit that image since it lists the server address in the blue title bar area.

cor-el
  • Top 10 Contributor
  • Moderator
17482 solutions 158023 answers

The Security tab is only there if you connect via a secure HTTPS connection and not if you use an open HTTP connection.

Question owner

An error occurred during a connection to east-web.mt.att.com:9443.

Cannot communicate securely with peer: no common encryption algorithm(s).

(Error code: ssl_error_no_cypher_overlap)

Question owner

I overlaid the address with the name on the pic and messages. Thanks for thinking about that.

Question owner

I did not click on the line. Once I did it appeared.

Question owner

jscher - do you want a private conversation? I may be able to show you my screen.

jscher2000
  • Top 10 Contributor
8706 solutions 71157 answers

Helpful Reply

Hmm, that doesn't tell us anything new.

If this is an old IIS server, it's possible that it only supports RC4 ciphers, which Firefox deprecated around the release of Firefox 38. What happens if you toggle this setting:

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.

(2) In the search box above the list, type or paste rc4 and pause while the list is filtered

(3) Double-click the security.tls.unrestricted_rc4_fallback preference to switch it from the default value of false to true

You may need to clear cache before this takes effect on a server Firefox previously refused to connect to. See: How to clear the Firefox cache.

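The "no common encryption algorithm(s)" error in this thread means the cipher suites the browser offers and the suites the server accepts do not intersect. The following is an added example, not part of any post here and not Mozilla's code: it parses a raw ClientHello record, as taken from a packet capture, and compares the offer with a server's suite list. The sample ClientHello bytes, the server list and all function names are constructed for illustration.

```python
import struct

# IANA cipher-suite code points (small subset, enough for this example).
SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

def name(code):
    return SUITES.get(code, f"0x{code:04X}")

def build_client_hello(suites):
    """Constructed sample input: a minimal ClientHello record offering `suites`."""
    body = b"\x03\x03" + bytes(32) + b"\x00"      # version, random, empty session_id
    body += struct.pack(f"!H{len(suites)}H", 2 * len(suites), *suites)
    body += b"\x01\x00"                            # compression methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def offered_suites(record):
    """Return the cipher-suite code points offered in a raw ClientHello record."""
    try:
        ctype, _version, rlen = struct.unpack_from("!BHH", record, 0)
        if ctype != 0x16 or len(record) < 5 + rlen or record[5] != 0x01:
            raise ValueError("not a complete ClientHello record")
        pos = 5 + 4 + 2 + 32        # record hdr, handshake hdr, version, random
        pos += 1 + record[pos]      # skip session_id
        (nbytes,) = struct.unpack_from("!H", record, pos)
        if nbytes % 2:
            raise ValueError("odd cipher_suites length")
        return list(struct.unpack_from(f"!{nbytes // 2}H", record, pos + 2))
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated ClientHello") from exc

def diagnose(record, server_suites):
    """Compare the client's offer with the server's list, in client order."""
    common = [s for s in offered_suites(record) if s in server_suites]
    if not common:
        verdict = "no overlap"      # server replies with a handshake_failure alert
    elif all("RC4" in name(s) for s in common):
        verdict = "rc4-only overlap"
    else:
        verdict = "ok"
    return verdict, [name(s) for s in common]
```

A "rc4-only overlap" verdict means the connection depends entirely on the client still offering RC4; the durable fix is enabling a non-RC4 suite on the server rather than loosening the browser.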

Question owner

It was already set to "true" by default. All the rc4 options are true by default.

jscher2000
  • Top 10 Contributor
8706 solutions 71157 answers

dooley0008 said

It was already set to "true" by default. All the rc4 options are true by default.

Hmm, that setting might be unique to the ESR release. (It's normal for the others to be true by default.)

There were just so many changes between Firefox 24 and 38, which was quite a while ago, so I can't remember all the possible fixes. Here's one I found in a search that made Firefox 37 behave more like Firefox 36 with the combination of TLS 1.0 + RC4 cipher:

(1) Copy the host name of the server address. This is the part between the https:// protocol and the next / character, and not including either of those.

(2) In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.

(3) In the search box above the list, type or paste tls and pause while the list is filtered

(4) Double-click the security.tls.insecure_fallback_hosts preference to display a box where you can paste the copied host name. If you have something here already, add a comma at the end before pasting to separate the new host name from the previous name(s). Then click OK to save the change.

Then try reloading the site.

Question owner

Same result

Question owner

Here are the tls options

cor-el
  • Top 10 Contributor
  • Moderator
17482 solutions 158023 answers

Does that server support TLS 1.0 and higher or only SSL3?

What does it say in "Tools > Page Info > Security" in Firefox 24?

SSleuth works from Firefox 25 and later, so it won't be of much use either, just like the Network Monitor.

  • https://addons.mozilla.org/firefox/addon/ssleuth
cor-el
  • Top 10 Contributor
  • Moderator
17482 solutions 158023 answers

Does Google Chrome work on your operating system?
