apache-mod_nss ERR_SSL_VERSION_OR_CIPHER_MISMATCH



ketter
10-Mar-2016, 18:06
Wanting to convert a server (SLES 11 SP4) from SSL to NSS. It works
perfectly with SSL. I installed mod_nss and enabled it. Disabled
ssl. Used the mod_nss_migrate.pl script for conversion. Checked the
new vhost nss conf file. Everything looks good. But when I try to
access the site from a browser, I get
ERR_SSL_VERSION_OR_CIPHER_MISMATCH.

Any clues? I haven't figured out yet how to fix this.
Thanks,
Ken

ab
11-Mar-2016, 00:08
In any SSL/TLS handshake the client sends a list of supported ciphersuites
and then the server chooses one of those assuming one of those listed is
an option for the server. If not, you can get an error as you are seeing now.

I'd probably look at a LAN/wire trace to see what was offered. I'd
probably also try other clients to see if your current client is just too
old to work with newer TLS versions or ciphersuites.



echo | openssl s_client -connect server.ip.goes.here:443 -tls1 -showcerts
echo $?



--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

ketter
11-Mar-2016, 14:34
On Thu, 10 Mar 2016 23:08:04 GMT, ab <ab@no-mx.forums.microfocus.com>
wrote:

>In any SSL/TLS handshake the client sends a list of supported ciphersuites
>and then the server chooses one of those assuming one of those listed is
>an option for the server. If not, you can get an error as you are seeing now.
>
>I'd probably look at a LAN/wire trace to see what was offered. I'd
>probably also try other clients to see if your current client is just too
>old to work with newer TLS versions or ciphersuites.
>
>

>echo | openssl s_client -connect server.ip.goes.here:443 -tls1 -showcerts
>echo $?
>

Using Chrome 48, IE 11, Firefox 17. I got different errors on all
three. Double-checked my conf file and noticed that NSSNickName
referenced "Server-Cert" instead of my cert from Digicert. So I
changed it to read "NSSNickName secure.msktd.com-digicert" - which is
the correct cert. But now when I start Apache, I get this on the
screen:

Starting httpd2 (prefork) startproc: exit status of parent of
/usr/sbin/httpd2-prefork: 1 failed

But I don't see anything in the logs. Any ideas?

Ken

ketter
11-Mar-2016, 19:56
On Thu, 10 Mar 2016 23:08:04 GMT, ab <ab@no-mx.forums.microfocus.com>
wrote:

>In any SSL/TLS handshake the client sends a list of supported ciphersuites
>and then the server chooses one of those assuming one of those listed is
>an option for the server. If not, you can get an error as you are seeing now.
>
>I'd probably look at a LAN/wire trace to see what was offered. I'd
>probably also try other clients to see if your current client is just too
>old to work with newer TLS versions or ciphersuites.
>
>

>echo | openssl s_client -connect server.ip.goes.here:443 -tls1 -showcerts
>echo $?
>

I missed the obvious right in front of me. All ciphers in the
NSSCipherSuite setting were disabled by default.

Ken
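
As an added illustration (not code from the thread or from the mod_nss project), a small Python check that reads a mod_nss vhost fragment and flags the exact state described above: every entry in NSSCipherSuite carrying the "-" (disabled) prefix, which leaves the server with nothing to pick from the client's cipher list. Both config snippets are constructed samples and the certificate nickname is a placeholder.

```python
import re

# Constructed sample: a mod_nss fragment in the state that produced the
# browser error in this thread -- every cipher is prefixed with "-" (off).
BROKEN_CONF = """
NSSEngine on
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
NSSCipherSuite -rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_3des_sha,-rsa_des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha
NSSNickName Server-Cert
"""

# Constructed sample after the fix: the AES/3DES suites are enabled with "+".
FIXED_CONF = """
NSSEngine on
NSSProtocol TLSv1.1,TLSv1.2
NSSCipherSuite -rsa_rc4_128_md5,-rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
NSSNickName secure.example.com-digicert
"""

def parse_nss_ciphers(conf_text):
    """Return (enabled, disabled) cipher names from the NSSCipherSuite line.

    mod_nss lists ciphers comma-separated, each prefixed with "+" (enabled)
    or "-" (disabled). A missing directive yields two empty lists.
    """
    enabled, disabled = [], []
    for line in conf_text.splitlines():
        m = re.match(r"\s*NSSCipherSuite\s+(\S+)", line)
        if not m:
            continue
        for tok in m.group(1).split(","):
            if tok.startswith("+"):
                enabled.append(tok[1:])
            elif tok.startswith("-"):
                disabled.append(tok[1:])
    return enabled, disabled

def check_nss_conf(conf_text):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    enabled, disabled = parse_nss_ciphers(conf_text)
    if not enabled and not disabled:
        findings.append("NSSCipherSuite directive missing")
    elif not enabled:
        # This is the misconfiguration from the thread: the handshake cannot
        # succeed because no suite the client offers is allowed server-side.
        findings.append("all %d ciphers disabled: clients get a cipher mismatch" % len(disabled))
    weak = [c for c in enabled if any(w in c for w in ("rc4", "_des_", "null", "md5"))]
    if weak:
        findings.append("weak ciphers enabled: " + ",".join(weak))
    for line in conf_text.splitlines():
        m = re.match(r"\s*NSSProtocol\s+(\S+)", line)
        if m and any(p.upper().startswith("SSLV") for p in m.group(1).split(",")):
            findings.append("SSLv2/SSLv3 enabled in NSSProtocol")
    return findings
```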

ab
12-Mar-2016, 06:02
On 03/11/2016 11:56 AM, KeN Etter wrote:
>
> I missed the obvious right in front of me. All ciphers in the
> NSSCipherSuite setting were disabled by default.

Well that explains things. Thank you for posting back your results, as
that will likely help others.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...