Firefox Troubleshooting

Error Codes

SSL_ERROR_NO_CYPHER_OVERLAP

This is the same as ERR_SSL_VERSION_OR_CIPHER_MISMATCH in Chrome or Edge.
"Cannot communicate securely with peer: no common encryption algorithm(s). The local and remote systems share no cipher suites in common. This can be due to a misconfiguration at either end. It can be due to a server being misconfigured to use a non-RSA certificate with the RSA key exchange algorithm." (1)

Here's the output of sslscan for a website that was throwing this error...

sslscan thestudiopiercing.co.uk

Version: 2.0.7
OpenSSL 3.0.2 15 Mar 2022

Connected to 81.130.111.239

Testing SSL server thestudiopiercing.co.uk on port 443 using SNI name thestudiopiercing.co.uk

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   disabled
TLSv1.3   disabled

  TLS Fallback SCSV:
Connection failed - unable to determine TLS Fallback SCSV support

  TLS renegotiation:
Session renegotiation not supported

  TLS Compression:
OpenSSL version does not support compression
Rebuild with zlib1g-dev package for zlib support

  Heartbleed:

  Supported Server Cipher(s):
Certificate information cannot be retrieved.

Here's the output for a site that was working...

sslscan superuser.com

Version: 2.0.7
OpenSSL 3.0.2 15 Mar 2022

Connected to 151.101.129.69

Testing SSL server superuser.com on port 443 using SNI name superuser.com

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   enabled
TLSv1.3   disabled

  TLS Fallback SCSV:
Server supports TLS Fallback SCSV

  TLS renegotiation:
Session renegotiation not supported

  TLS Compression:
OpenSSL version does not support compression
Rebuild with zlib1g-dev package for zlib support

  Heartbleed:
TLSv1.2 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  ECDHE-RSA-CHACHA20-POLY1305   Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256       Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384       Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA          Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  AES128-GCM-SHA256
Accepted  TLSv1.2  128 bits  AES128-SHA
Accepted  TLSv1.2  256 bits  AES256-SHA

  Server Key Exchange Group(s):
TLSv1.2  128 bits  secp256r1 (NIST P-256)
TLSv1.2  192 bits  secp384r1 (NIST P-384)
TLSv1.2  260 bits  secp521r1 (NIST P-521)
TLSv1.2  128 bits  x25519
TLSv1.2  224 bits  x448

  SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength:    2048

Subject:  *.stackexchange.com
Altnames: DNS:*.askubuntu.com, DNS:*.blogoverflow.com, DNS:*.mathoverflow.net, DNS:*.meta.stackexchange.com, DNS:*.meta.stackoverflow.com, DNS:*.serverfault.com, DNS:*.sstatic.net, DNS:*.stackexchange.com, DNS:*.stackoverflow.com, DNS:*.stackoverflow.email, DNS:*.stackoverflowteams.com, DNS:*.superuser.com, DNS:askubuntu.com, DNS:blogoverflow.com, DNS:mathoverflow.net, DNS:openid.stackauth.com, DNS:serverfault.com, DNS:sstatic.net, DNS:stackapps.com, DNS:stackauth.com, DNS:stackexchange.com, DNS:stackoverflow.blog, DNS:stackoverflow.com, DNS:stackoverflow.email, DNS:stackoverflowteams.com, DNS:stacksnippets.net, DNS:superuser.com
Issuer:   R3

Not valid before: Feb 13 13:16:03 2023 GMT
Not valid after:  May 14 13:16:02 2023 GMT

The first problem here seems to be that an SSL/TLS connection is negotiated by the client listing the ciphers it supports and the server picking one. If there is no match, the connection cannot be made, so we cannot see which ciphers the server supports. One workaround for this is to use the SSL Labs Server Test to retrieve the list of available ciphers.

Let's see which ciphers our client has...

openssl ciphers -s -stdname

TLS_AES_256_GCM_SHA384                        - TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256)            Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256                  - TLS_CHACHA20_POLY1305_SHA256   TLSv1.3 Kx=any      Au=any   Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256                        - TLS_AES_128_GCM_SHA256         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(128)            Mac=AEAD
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384       - ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256)            Mac=AEAD
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384         - ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(256)            Mac=AEAD
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384           - DHE-RSA-AES256-GCM-SHA384      TLSv1.2 Kx=DH       Au=RSA   Enc=AESGCM(256)            Mac=AEAD
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   - ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2 Kx=ECDH     Au=RSA   Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256     - DHE-RSA-CHACHA20-POLY1305      TLSv1.2 Kx=DH       Au=RSA   Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256       - ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128)            Mac=AEAD
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256         - ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(128)            Mac=AEAD
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256           - DHE-RSA-AES128-GCM-SHA256      TLSv1.2 Kx=DH       Au=RSA   Enc=AESGCM(128)            Mac=AEAD
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384       - ECDHE-ECDSA-AES256-SHA384      TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)               Mac=SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384         - ECDHE-RSA-AES256-SHA384        TLSv1.2 Kx=ECDH     Au=RSA   Enc=AES(256)               Mac=SHA384
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256           - DHE-RSA-AES256-SHA256          TLSv1.2 Kx=DH       Au=RSA   Enc=AES(256)               Mac=SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256       - ECDHE-ECDSA-AES128-SHA256      TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)               Mac=SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256         - ECDHE-RSA-AES128-SHA256        TLSv1.2 Kx=ECDH     Au=RSA   Enc=AES(128)               Mac=SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256           - DHE-RSA-AES128-SHA256          TLSv1.2 Kx=DH       Au=RSA   Enc=AES(128)               Mac=SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA          - ECDHE-ECDSA-AES256-SHA         TLSv1   Kx=ECDH     Au=ECDSA Enc=AES(256)               Mac=SHA1
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA            - ECDHE-RSA-AES256-SHA           TLSv1   Kx=ECDH     Au=RSA   Enc=AES(256)               Mac=SHA1
TLS_DHE_RSA_WITH_AES_256_CBC_SHA              - DHE-RSA-AES256-SHA             SSLv3   Kx=DH       Au=RSA   Enc=AES(256)               Mac=SHA1
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA          - ECDHE-ECDSA-AES128-SHA         TLSv1   Kx=ECDH     Au=ECDSA Enc=AES(128)               Mac=SHA1
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA            - ECDHE-RSA-AES128-SHA           TLSv1   Kx=ECDH     Au=RSA   Enc=AES(128)               Mac=SHA1
TLS_DHE_RSA_WITH_AES_128_CBC_SHA              - DHE-RSA-AES128-SHA             SSLv3   Kx=DH       Au=RSA   Enc=AES(128)               Mac=SHA1
TLS_RSA_WITH_AES_256_GCM_SHA384               - AES256-GCM-SHA384              TLSv1.2 Kx=RSA      Au=RSA   Enc=AESGCM(256)            Mac=AEAD
TLS_RSA_WITH_AES_128_GCM_SHA256               - AES128-GCM-SHA256              TLSv1.2 Kx=RSA      Au=RSA   Enc=AESGCM(128)            Mac=AEAD
TLS_RSA_WITH_AES_256_CBC_SHA256               - AES256-SHA256                  TLSv1.2 Kx=RSA      Au=RSA   Enc=AES(256)               Mac=SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256               - AES128-SHA256                  TLSv1.2 Kx=RSA      Au=RSA   Enc=AES(128)               Mac=SHA256
TLS_RSA_WITH_AES_256_CBC_SHA                  - AES256-SHA                     SSLv3   Kx=RSA      Au=RSA   Enc=AES(256)               Mac=SHA1
TLS_RSA_WITH_AES_128_CBC_SHA                  - AES128-SHA                     SSLv3   Kx=RSA      Au=RSA   Enc=AES(128)               Mac=SHA1

So, the issue would appear not to be with the ciphers available... so why do browser connections and sslscan fail?

In this case the site was blocked by Plusnet Safeguard (although I have no explanation why it caused this error rather than the standard "blocked by Safeguard" message).
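
The comparison done by eye above can be scripted. This is an added example, not part of the original page: it parses plain-text sslscan output and an `openssl ciphers -s -stdname` listing, and separates "no shared cipher" from "no handshake completed at any protocol version", which is what the failing scan shows. The sample inputs are constructed by trimming the outputs above, and the function names are hypothetical.

```python
import re

# Constructed samples, trimmed from the two sslscan runs and the
# `openssl ciphers -s -stdname` listing shown on this page (plain text, no colour codes).
SCAN_WORKING = """\
  SSL/TLS Protocols:
TLSv1.2   enabled
TLSv1.3   disabled
  Supported Server Cipher(s):
Preferred TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  ECDHE-RSA-CHACHA20-POLY1305   Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  AES128-SHA
"""
SCAN_FAILING = """\
  SSL/TLS Protocols:
TLSv1.2   disabled
TLSv1.3   disabled
  Supported Server Cipher(s):
Certificate information cannot be retrieved.
"""
CLIENT_LISTING = """\
TLS_AES_256_GCM_SHA384                - TLS_AES_256_GCM_SHA384       TLSv1.3 Kx=any  Au=any Enc=AESGCM(256) Mac=AEAD
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
TLS_RSA_WITH_AES_128_CBC_SHA          - AES128-SHA                   SSLv3   Kx=RSA  Au=RSA Enc=AES(128)    Mac=SHA1
"""

def enabled_protocols(scan):
    """Protocol versions sslscan reports as enabled."""
    return re.findall(r"^\s*((?:SSL|TLS)v[\d.]+)\s+enabled\s*$", scan, re.M)

def server_ciphers(scan):
    """OpenSSL cipher names from the Preferred/Accepted rows."""
    return set(re.findall(r"^(?:Preferred|Accepted)\s+\S+\s+\d+\s+bits\s+(\S+)", scan, re.M))

def client_ciphers(listing):
    """OpenSSL cipher names: the first token after ' - ' on each line."""
    return {l.split(" - ", 1)[1].split()[0] for l in listing.splitlines() if " - " in l}

def diagnose(scan, listing):
    """Return (verdict, set of cipher names both sides support)."""
    if not enabled_protocols(scan):
        # Nothing was negotiated at any version, so there is no server list to compare.
        return "no-handshake", set()
    common = server_ciphers(scan) & client_ciphers(listing)
    return ("overlap" if common else "no-overlap"), common

if __name__ == "__main__":
    for name, scan in (("working", SCAN_WORKING), ("failing", SCAN_FAILING)):
        print(name, *diagnose(scan, CLIENT_LISTING))
```

A "no-handshake" verdict means the cipher lists cannot be compared at all, so the next thing to check is whether something between client and server is interfering with the connection, as turned out to be the case here.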

Bibliography