
My clients are reporting this error. I cannot reproduce it. What's more, I cannot detect any flaws: http://www.digicert.com/, http://www.ssltest.net/ and https://www.ssllabs.com/ssldb/ all report dev.anuary.com to have a valid cert. I've Googled for ssl_error_no_cypher_overlap, but none of the threads provided any useful guidance.

Cannot communicate securely with peer: no common encryption algorithm(s)

(Error code: ssl_error_no_cypher_overlap)
Gajus

2 Answers


As it turns out the issue was that:

Since version 1.0.5, nginx uses “ssl_protocols SSLv3 TLSv1” and “ssl_ciphers HIGH:!aNULL:!MD5” by default

(http://nginx.org/en/docs/http/configuring_https_servers.html#chains)

I've added the following to my settings and it works.

ssl_protocols        SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers          HIGH:!aNULL:!MD5;
Gajus
    So, your clients were actually set (unusually) to use just TLSv1.1 and TLSv1.2? – cjc Apr 18 '12 at 18:04

So, I'm seeing this:

$ sslscan --no-failed dev.anuary.com
               _
       ___ ___| |___  ___ __ _ _ __
      / __/ __| / __|/ __/ _` | '_ \
      \__ \__ \ \__ \ (_| (_| | | | |
      |___/___/_|___/\___\__,_|_| |_|

              Version 1.8.2
         http://www.titania.co.uk
    Copyright Ian Ventura-Whiting 2009

Testing SSL server dev.anuary.com on port 443

  Supported Server Cipher(s):
    Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Accepted  TLSv1  128 bits  RC4-SHA

  Prefered Server Cipher(s):
    TLSv1  128 bits  RC4-SHA

Is it possible the client can't do TLSv1?

cjc
  • This has been reported by people using Firefox 2.*, Firefox 3.6.* and IE 8. – Gajus Apr 18 '12 at 15:24
  • On IE8, I seem to be able to get to the 404, so the connection is successful in terms of SSL negotiation. If I go and turn off TLSv1 in Internet Options, I get a connection error. Is it possible the users have disabled TLSv1 for some reason? Are they behind some SSL appliance that might have disabled TLSv1? – cjc Apr 18 '12 at 15:32
  • FWIW, mail.google.com still supports SSLv3. Is there any reason you've limited yourself to TLSv1? – cjc Apr 18 '12 at 15:33
  • Is this something I set, or is it something that comes with my SSL cert and I cannot change? If it is the former, what settings should I change? – Gajus Apr 18 '12 at 17:38
  • On a side note, when I've checked my site using http://www.networking4all.com/en/support/tools/site+check/report/?fqdn=dev.anuary.com&protocol=https it says `No connection upgrade to 128-bit for old browsers`. I wonder how to enable that. – Gajus Apr 18 '12 at 17:43
  • The TLSv1 vs. SSLv3 thing is not a property of the cert. That's nginx configuration. Can you update your question with the relevant SSL config for nginx? To specify the cipher protocols, you'd have a line somewhere like "ssl_protocols SSLv3 TLSv1;" and to specify the ciphers, you'd have something like "ssl_ciphers RC4:HIGH:!aNULL:!MD5;" Those two lines will disallow weak ciphers sufficiently to pass some level of security audit (I forget to which standard), actually. – cjc Apr 18 '12 at 17:57
  • The 128-bit thing, I get that on my site also, so I'm not sure if that's indicative. On the other hand, I'm not using old browsers, e.g., FF2. – cjc Apr 18 '12 at 18:01
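As an added example (not code from the original question or either answer), the following Python script makes the diagnosis in this thread mechanical: it parses the "Accepted" lines of sslscan output like the one above, intersects the server's (protocol, cipher) pairs with the pairs a client is willing to offer, and reports whether a handshake is possible. An empty intersection is exactly the condition behind "no common encryption algorithm(s)". It also shows what the ssl_protocols line from the accepted answer changes, under the simplifying assumption that the same cipher suites remain enabled on every listed protocol version. The sample scan lines and the client profiles are constructed from this page, not captured from real clients.

```python
"""Diagnose a TLS 'no cipher overlap' failure from sslscan-style output.

Added example for this thread, not code from the original post. Sample data
below is constructed from the sslscan run shown in the answer.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample: the relevant section of the sslscan output above.
SAMPLE_SCAN = """\
  Supported Server Cipher(s):
    Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Accepted  TLSv1  128 bits  RC4-SHA

  Prefered Server Cipher(s):
    TLSv1  128 bits  RC4-SHA
"""

# One "Accepted <protocol> <bits> bits <cipher>" line of sslscan 1.8 output.
ACCEPTED_RE = re.compile(r"^\s*Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)\s*$")

# "ssl_protocols <proto> [<proto> ...];" as written in nginx.conf.
SSL_PROTOCOLS_RE = re.compile(r"^\s*ssl_protocols\s+(.+?)\s*;\s*$")

Pair = Tuple[str, str]  # (protocol version, cipher suite name)


def parse_sslscan(text: str) -> Set[Pair]:
    """Return every (protocol, cipher) pair the scanned server accepted."""
    pairs: Set[Pair] = set()
    for line in text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            proto, _bits, cipher = m.groups()
            pairs.add((proto, cipher))
    return pairs


def client_offer(protocols: Iterable[str], ciphers: Iterable[str]) -> Set[Pair]:
    """All (protocol, cipher) combinations a client is willing to negotiate."""
    return {(p, c) for p in protocols for c in ciphers}


def apply_ssl_protocols(server: Set[Pair], directive: str) -> Set[Pair]:
    """Model the server after a new nginx ssl_protocols line.

    Simplifying assumption (not something nginx guarantees): the cipher
    suites currently accepted stay enabled on every listed protocol version.
    """
    m = SSL_PROTOCOLS_RE.match(directive)
    if not m:
        raise ValueError("not an ssl_protocols directive: %r" % directive)
    protocols = m.group(1).split()
    ciphers = {c for _, c in server}
    return {(p, c) for p in protocols for c in ciphers}


def diagnose(server: Set[Pair], client: Set[Pair]) -> Dict[str, object]:
    """Report whether any (protocol, cipher) pair is shared by both sides."""
    overlap = server & client
    common_protocols = sorted({p for p, _ in server} & {p for p, _ in client})
    return {
        "overlap": sorted(overlap),
        "common_protocols": common_protocols,
        "verdict": "ok" if overlap else "no cipher overlap",
    }


if __name__ == "__main__":
    server = parse_sslscan(SAMPLE_SCAN)
    # Constructed client profiles: one that still speaks TLSv1, and one
    # configured for TLSv1.1/TLSv1.2 only, as asked in the comment above.
    profiles: List[Tuple[str, Set[Pair]]] = [
        ("TLSv1 client", client_offer(["TLSv1"], ["RC4-SHA", "AES128-SHA"])),
        ("TLSv1.1/1.2-only client", client_offer(["TLSv1.1", "TLSv1.2"], ["AES128-SHA"])),
    ]
    for name, offer in profiles:
        print(name, "before:", diagnose(server, offer)["verdict"])
    fixed = apply_ssl_protocols(server, "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;")
    for name, offer in profiles:
        print(name, "after: ", diagnose(fixed, offer)["verdict"])
```

Run it as-is to see the TLSv1.1/1.2-only profile fail against the scanned server and succeed once the broader ssl_protocols line is modelled; to use it on your own server, paste the "Supported Server Cipher(s)" section of a fresh sslscan run into SAMPLE_SCAN and describe the failing client's enabled protocols and ciphers in a profile.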