为提升您的使用体验,本站正在维护,部分功能暂时无法使用。如果本站文章无法解决您的问题,您想要向社区提问的话,请到 Twitter 上的 @FirefoxSupport 或 Reddit 上的 /r/firefox 提问,我们的支持社区将会很快回复您的疑问。

搜索 | 用户支持

防范以用户支持为名的诈骗。我们绝对不会要求您拨打电话或发送短信,及提供任何个人信息。请使用“举报滥用”选项报告涉及违规的行为。

详细了解

Getting SSL_ERROR_NO_CYPHER_OVERLAP when attempting a site with a self-signed certificate

  • 21 个回答
  • 54 人有此问题
  • 1 次查看
  • 最后回复者为 gshonle

more options

I'm developing a web app. Currently, I'm using a self-signed certificate (getting it properly signed comes later).

When I have the web server set so that it only accepts TLS1.1 and TLS1.2, I'm getting a SSL_ERROR_NO_CYPHER_OVERLAP error. And, of course, trying the 'use outdated security' link doesn't work, since the web server won't allow those connections.

If I temporarily allow insecure connections on the web server, Firefox will then allow me to accept the cert. After the cert is accepted, Firefox can then connect over only TLS1.1 and TLS1.2. So, most of the time, Firefox can find a common cypher for TLS1.1/1.2 connections.

(The web server is on an Ubuntu kernel, with OpenSSL1.0.1f.)

I'm developing a web app. Currently, I'm using a self-signed certificate (getting it properly signed comes later). When I have the web server set so that it only accepts TLS1.1 and TLS1.2, I'm getting a SSL_ERROR_NO_CYPHER_OVERLAP error. And, of course, trying the 'use outdated security' link doesn't work, since the web server won't allow those connections. If I temporarily allow insecure connections on the web server, Firefox will then allow me to accept the cert. After the cert is accepted, Firefox can then connect over only TLS1.1 and TLS1.2. So, most of the time, Firefox can find a common cypher for TLS1.1/1.2 connections. (The web server is on an Ubuntu kernel, with OpenSSL1.0.1f.)

被采纳的解决方案

I finally figured out what is going on.

The fix is really in configuring OpenSSL; however, since Firefox is the browser that most readily displays the problem, I'm going to post the answer here.

[NOTE: if you get this error on Firefox, and you're not in control of the web site you visit, you'll need to send an e-mail to the web site administrator, with the error you're getting]

Anyway, at issue is the separation in OpenSSL of the protocols supported vs. the cipher list.

In an app using OpenSSL, if you're using anything older than OpenSSL 1.1.0, you'll need to disable any protocol older than TLSv1. Do this with:

SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);

(Note that recent versions of OpenSSL before version 1.1.0 have SSLv2 turned off by default, but it doesn't hurt to explicitly disable it with this call. Also note that if you disable TLSv1 [i.e. add ' | SSL_OP_NO_TLSv1' to the above call], you'll break compatibility with some apps that make HTTPS calls; for example Firefox appears to use TLSv1 to do the certificate exchange, before going to stronger protocols for the session).

The key to understanding the SSL_NO_CYPHER_OVERLAP error is that TLSv1 only uses SSLv3 ciphers.

So, I was running into this issue because when I disabled SSLv3, I was also disabling the SSLv3 ciphers. To set the OpenSSL ciphers, use something like:

SSL_CTL_set_cipher_list(ctx, "TLSv1.2:TLSv1:SSLv3:!SSLv2:HIGH:!MEDIUM:!LOW");

If you use instead (as I was originally using):

SSL_CTL_set_cipher_list(ctx, "TLSv1.2:TLSv1:!SSLv3:!SSLv2:HIGH:!MEDIUM:!LOW");

You'll effectively disable TLSv1, since there are no TLSv1-specific ciphers (at least in OpenSSL), and with the SSLv3 ciphers disabled, it isn't possible to establish a TLSv1 connection.

With SSLv3 disabled, but the TLSv1/SSLv3 ciphers enabled, Firefox is able to get the certificates. After this, I see that Firefox then establishes a TLSv1.2 connection.

Most of the above solution is not needed for OpenSSL 1.1.0, since that has no support for SSLv3 at all.

定位到答案原位置 👍 4

所有回复 (1)

more options

选择的解决方案

I finally figured out what is going on.

The fix is really in configuring OpenSSL; however, since Firefox is the browser that most readily displays the problem, I'm going to post the answer here.

[NOTE: if you get this error on Firefox, and you're not in control of the web site you visit, you'll need to send an e-mail to the web site administrator, with the error you're getting]

Anyway, at issue is the separation in OpenSSL of the protocols supported vs. the cipher list.

In an app using OpenSSL, if you're using anything older than OpenSSL 1.1.0, you'll need to disable any protocol older than TLSv1. Do this with:

SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);

(Note that recent versions of OpenSSL before version 1.1.0 have SSLv2 turned off by default, but it doesn't hurt to explicitly disable it with this call. Also note that if you disable TLSv1 [i.e. add ' | SSL_OP_NO_TLSv1' to the above call], you'll break compatibility with some apps that make HTTPS calls; for example Firefox appears to use TLSv1 to do the certificate exchange, before going to stronger protocols for the session).

The key to understanding the SSL_NO_CYPHER_OVERLAP error is that TLSv1 only uses SSLv3 ciphers.

So, I was running into this issue because when I disabled SSLv3, I was also disabling the SSLv3 ciphers. To set the OpenSSL ciphers, use something like:

SSL_CTL_set_cipher_list(ctx, "TLSv1.2:TLSv1:SSLv3:!SSLv2:HIGH:!MEDIUM:!LOW");

If you use instead (as I was originally using):

SSL_CTL_set_cipher_list(ctx, "TLSv1.2:TLSv1:!SSLv3:!SSLv2:HIGH:!MEDIUM:!LOW");

You'll effectively disable TLSv1, since there are no TLSv1-specific ciphers (at least in OpenSSL), and with the SSLv3 ciphers disabled, it isn't possible to establish a TLSv1 connection.

With SSLv3 disabled, but the TLSv1/SSLv3 ciphers enabled, Firefox is able to get the certificates. After this, I see that Firefox then establishes a TLSv1.2 connection.

Most of the above solution is not needed for OpenSSL 1.1.0, since that has no support for SSLv3 at all.

由gshonle于修改

  1. 1
  2. 2