Nginx error: "No shared cipher". But there are

Question

My Nginx server has an SSL certificate that looks really good and works in most browsers perfectly. The server is https://live.evmote.com . You can "hit" the server by going to https://live.evmote.com/primus . The SSL Cert check is here: https://www.ssllabs.com/ssltest/analyze.html?d=live.evmote.com

So far, so good. The problem is specifically on the Tesla Model S browser (the in-car browser). It gives a "Bad certificate" error. The Tesla browser is notoriously bad and has incomplete support. There's no way to view the cert chain or debug the problem from the Tesla. It's more like an appliance than a computer. Here's the SSL support from within the Tesla: https://i.stack.imgur.com/Oqk47.jpg

On the Nginx server, I'm getting this error in the log: SSL3_GET_CLIENT_HELLO:no shared cipher

Now, clearly from the Tesla SSL report and the server report, there are shared ciphers. I would expect that they would handshake on this one: TLS_RSA_WITH_AES_256_CBC_SHA (0x35)

I'm not sure how to troubleshoot from here.

Thanks, Ryan

I agree, this should work with TLS_RSA_WITH_AES_256_CBC_SHA (0x35). I would think this could be a bug in the browser - have you tried to contact the vendor? — henrikstroem, Nov 19 '15 at 16:35

score 3 · Accepted Answer · answered Nov 20 '15 at 06:48

3

The error message might be misleading. What's definitely a problem is that the browser does not support SNI, but your web site requires it. At least it only serves the valid certificate (for live.evmote.com) for SNI capable browsers, all the others get a self-signed wildcard certificate which will not be accepted by a browser doing proper certificate validation.

answered Nov 20 '15 at 06:48

Steffen Ullrich

114,247
10
131
172

This was the problem. I attached the website to an ip address to resolve it. Thank you! – rsteckler Nov 20 '15 at 17:26

ursa · Answer 2 · 2021-07-08T08:55:15.097

We've hit similar problem from the Java client. The root cause was explicitly set protocols in SSL context (io.netty.handler.ssl.SslContext):

val ctx = io.netty.handler.ssl.SslContextBuilder.forClient()
    ...
    .protocols("SSLv2Hello,TLSv1.2,TLSv1.3".split(","))
    .build()

And precisely SSLv2Hello, that should be neither declared nor used here.

Unfortunately, we can't control all our clients. So further investigation showed this problem has appeared after OpenSSL upgrade to 1.1.*.

Once we downgraded OpenSSL to 1.0.* it do the trick. Nginx 1.18.0 + OpenSSL 1.0.2u could handle handshakes with SSLv2Hello without errors and with the highest protocol possible.

Nginx error: "No shared cipher". But there are

2 Answers2