1

I have an ASP.NET application deployed in IIS on Windows Server 2012 R2, with an HTTPS binding configured. The SSL certificate is valid and up-to-date.

When connecting to the web site from multiple Windows 7 and Windows 10 clients with Chrome and Firefox, I always get

  • ERR_SSL_VERSION_OR_CIPHER_MISMATCH on Chrome (version 67.0.3396.99)
  • SSL_ERROR_NO_CYPHER_OVERLAP in Firefox (version 60.0.2)

... but it works like a charm on Internet Explorer and Edge!

There is no custom configuration on the server relating to SSL (SSL Cipher Suite Order: Not Configured).

Inspection with Wireshark reveals this:

TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure).

Any idea?

Mathieu Renda
  • Give the website name if you want people to help. Otherwise test it yourself here: https://www.ssllabs.com/ssltest/ – Patrick Mevzek Jun 26 '18 at 16:41
  • "It works like a charm on IE and Edge" is almost useless. Microsoft web browsers do not enforce a few of the latest measures to protect their users like Firefox or Chrome do. Like others suggested, use some common troubleshooting tools and they should tell you what extra changes you have to make. – Lex Li Jun 26 '18 at 19:49
  • In my specific case, it was something related to CloudFlare's DNS. I had set CloudFlare as the proxy of my DNS records, and it was causing all sorts of problems (infinite SSL redirects, cypher mismatches, etc.). I simply disabled CloudFlare as proxy, and everything got solved. – Saeed Neamati May 09 '20 at 10:27

1 Answer

2

Test your site on https://www.ssllabs.com/ssltest/. See what the handshake tests say.

Use IISCrypto to tune your server, removing the older weak protocols (SSL 2, SSL 3, TLS 1.0), and make sure that current protocols are supported (TLS 1.2).

Remove the ciphers that are listed as weak (RC2, RC4, 3DES, etc.) and make sure current ciphers are supported (AES 128/256).

Mass Nerder
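A local counterpart to the handshake test recommended in the answer, for a site that ssllabs.com cannot reach. This is an added example, not part of the original question or answer: it offers the server one TLS 1.2 cipher suite at a time and records which ones it accepts. The names `probe_suite`, `scan` and the `CANDIDATES` shortlist are assumptions made for illustration, and only suites present in the local OpenSSL build can be probed.

```python
import socket
import ssl
import sys

# Candidate TLS 1.2 suites, OpenSSL names (constructed shortlist, not exhaustive).
CANDIDATES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-SHA",
    "ECDHE-RSA-AES256-SHA",
    "DHE-RSA-AES128-GCM-SHA256",
    "AES128-GCM-SHA256",
    "AES128-SHA",
    "AES256-SHA",
]


def probe_suite(host, port, suite, timeout=5.0):
    """Offer exactly one TLS 1.2 suite; return (status, detail)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # negotiation is under test, not trust
    ctx.verify_mode = ssl.CERT_NONE  # diagnostic only; never reuse for real traffic
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(suite)
    except ssl.SSLError:
        return ("skipped", "not available in the local OpenSSL build")
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("accepted", tls.cipher()[0])
    except ssl.SSLError as exc:      # e.g. the fatal handshake_failure alert
        return ("rejected", exc.reason or str(exc))
    except OSError as exc:           # refused, reset, timed out
        return ("error", str(exc))


def scan(host, port=443, suites=CANDIDATES):
    """Probe every candidate suite and map suite name -> (status, detail)."""
    return {suite: probe_suite(host, port, suite) for suite in suites}


if __name__ == "__main__":
    for suite, (status, detail) in scan(sys.argv[1]).items():
        print(f"{status:9} {suite:32} {detail}")
```

Pass the host name as the only argument. A `rejected` result with a handshake-failure reason corresponds to the fatal alert seen in the Wireshark capture from the question.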