Applicable Products

  • NetScaler

Symptoms or Error

Recently, we made changes to certain virtual servers to only use TLS v1.2 & the ~12 ciphers available. This was to ensure we no longer used insecure ciphers.
Note: According to RFC 6176 from the Internet Engineering Task Force (IETF), TLS servers must not support SSLv2. The NetScaler appliance does not support SSLv2 from release 12.1.

See below for the state of the CS vserver:
> show ssl vserver cpa_corp_web_prod_INTERNAL_https_csvip
Advanced SSL configuration for VServer cpa_corp_web_prod_INTERNAL_https_csvip:
Ephemeral RSA: ENABLED Refresh Count: 0

Session Reuse: ENABLED Timeout: 120 seconds
Cipher Redirect: DISABLED
SSLv2 Redirect: DISABLED
ClearText Port: 0
Client Auth: DISABLED
Non FIPS Ciphers: DISABLED
Push Encryption Trigger: Always
Send Close-Notify: YES
1) CertKey Name: CPA-Wildcard-sha256 Server Certificate
1) Cipher Name: TLS1.2-AES128-GCM-SHA256
Description: TLSv1.2 Kx=RSA Au=RSA Enc=AES-GCM(128) Mac=SHA-256
2) Cipher Name: TLS1.2-AES256-GCM-SHA384
Description: TLSv1.2 Kx=RSA Au=RSA Enc=AES-GCM(256) Mac=SHA-384
3) Cipher Name: TLS1.2-DHE-RSA-AES128-GCM-SHA256
Description: TLSv1.2 Kx=DH Au=RSA Enc=AES-GCM(128) Mac=SHA-256
4) Cipher Name: TLS1.2-DHE-RSA-AES256-GCM-SHA384
Description: TLSv1.2 Kx=DH Au=RSA Enc=AES-GCM(256) Mac=SHA-384
5) Cipher Name: TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES-GCM(128) Mac=SHA-256
6) Cipher Name: TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES-GCM(256) Mac=SHA-384
7) Cipher Name: TLS1.2-ECDHE-RSA-AES-128-SHA256
Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES(128) Mac=SHA-256
8) Cipher Name: TLS1.2-ECDHE-RSA-AES-256-SHA384
Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES(256) Mac=SHA-384
9) Cipher Name: TLS1.2-DHE-RSA-AES-128-SHA256
Description: TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA-256
10) Cipher Name: TLS1.2-DHE-RSA-AES-256-SHA256
Description: TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA-256
Problem is, since making that change, we noticed that some browsers were not able to connect to our website securely. The Firefox error is below:
An error occurred during a connection to www.example.com.
Cannot communicate securely with peer: no common encryption algorithm(s).
(Error code: ssl_error_no_cypher_overlap)
We have since reversed the change so that users are no longer affected, but we can troubleshoot/test this with other virtual servers in our environment.
I need to know why this was happening and find a fix please.
We are running NS10.5 57.7.nc


Asked the customer to bind ECC curves to the SSL vservers in question:
bind ssl vserver cpa_corp_web_staging_https_csvip -eccCurveName P_256
bind ssl vserver cpa_corp_web_staging_https_csvip -eccCurveName P_384
bind ssl vserver cpa_corp_web_staging_https_csvip -eccCurveName P_224
bind ssl vserver cpa_corp_web_staging_https_csvip -eccCurveName P_521
bind ssl vserver cpa_corp_web_staging_mvc_https_lbvip -eccCurveName P_256
bind ssl vserver cpa_corp_web_staging_mvc_https_lbvip -eccCurveName P_384
bind ssl vserver cpa_corp_web_staging_mvc_https_lbvip -eccCurveName P_224
bind ssl vserver cpa_corp_web_staging_mvc_https_lbvip -eccCurveName P_521

Problem Cause

Mozilla Firefox sends ECDHE cipher suites in its Client Hello.
ECDHE cipher suites use elliptic curve cryptography (ECC); however, the CS VIP had no ECC curves bound to it, so none of the bound ECDHE ciphers could be negotiated and the handshake failed with "no common encryption algorithm(s)".
This issue was seen because the NetScaler was upgraded from a release prior to 10.1.
If any SSL vservers existed in the configuration before the upgrade, the NetScaler cannot automatically bind ECC curves to them after the upgrade.
In that case, one must explicitly bind the ECC curves to the existing SSL virtual servers or front-end services.
The curves are bound by default to any virtual servers or front-end services created after the upgrade, but not to the ones that already existed.
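To make the cause concrete, here is an added check (written for this page, not code from the article or from NetScaler) that parses the cipher list from the `show ssl vserver` output and the curves from the `bind ssl vserver ... -eccCurveName` commands above, then works out which suites a given Client Hello can actually negotiate. The client's offered suites and curves are constructed, and the client's curves are written with NetScaler's P_256/P_384 names as a simplification.

```python
import re

# Constructed excerpt of the article's `show ssl vserver` output (cipher
# names and their Kx field); only the structure matters for the parser.
SHOW_SSL_VSERVER = """\
1) Cipher Name: TLS1.2-AES128-GCM-SHA256
Description: TLSv1.2 Kx=RSA Au=RSA Enc=AES-GCM(128) Mac=SHA-256
3) Cipher Name: TLS1.2-DHE-RSA-AES128-GCM-SHA256
Description: TLSv1.2 Kx=DH Au=RSA Enc=AES-GCM(128) Mac=SHA-256
5) Cipher Name: TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES-GCM(128) Mac=SHA-256
7) Cipher Name: TLS1.2-ECDHE-RSA-AES-128-SHA256
Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES(128) Mac=SHA-256
"""

# The fix from the article, as typed on the NetScaler CLI (two of the lines).
BIND_COMMANDS = """\
bind ssl vserver cpa_corp_web_staging_https_csvip -eccCurveName P_256
bind ssl vserver cpa_corp_web_staging_https_csvip -eccCurveName P_384
"""

CIPHER_RE = re.compile(r"Cipher Name: (\S+)\nDescription: \S+ Kx=(\S+)")
CURVE_RE = re.compile(r"-eccCurveName (\S+)")


def parse_bound_ciphers(show_output):
    """Map each cipher bound on the vserver to its key-exchange (Kx) type."""
    return dict(CIPHER_RE.findall(show_output))


def parse_bound_curves(bind_output):
    """Collect the ECC curves bound via `bind ssl vserver ... -eccCurveName`."""
    return set(CURVE_RE.findall(bind_output))


def negotiable_ciphers(client_offer, client_curves, bound_ciphers, bound_curves):
    """Suites the vserver can select: offered by the client, bound on the
    vserver and, for Kx=ECC-DHE, backed by a curve both sides support.
    An empty result is the 'no common encryption algorithm(s)' failure."""
    shared_curves = set(client_curves) & set(bound_curves)
    usable = []
    for name in client_offer:
        kx = bound_ciphers.get(name)
        if kx is None:
            continue                      # not bound on this vserver
        if kx == "ECC-DHE" and not shared_curves:
            continue                      # ECDHE suite with no curve to use
        usable.append(name)
    return usable
```

Running it with an ECDHE-only client offer and an empty curve set reproduces the failure; adding the curves from the bind commands makes the same offer negotiable.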

When trying to access 2 links that I work with on a daily basis, and have done so for the last 2 years, I am facing the SSL_ERROR_NO_CYPHER_OVERLAP error and am not able to access the pages because of a Secure Connection Failure.

I have had this issue in the past, but was able to bypass it by clicking on the 'Advanced' button in order to add an exception.

The problem is that since 2 days ago the error has started coming up, but the 'Advanced' button no longer appears as an option, so I am not able to bypass it in order to connect to the pages.

Thx for the help!