Getting CIPHER MISMATCH on WinXP Chrome v49


#1

I am getting ERR_SSL_VERSION_OR_CIPHER_MISMATCH when using Chrome v49 on Windows XP to access the site via HTTPS, but other browsers such as Firefox work fine.

I did not have this issue before migrating my DNS NS from GoDaddy to Cloudflare.

After investigating further, I found that the problem arises only when I put the traffic through Cloudflare (orange cloud icon). The error does not occur if I use DNS only (grey cloud icon).

I have added the settings below to my nginx configuration, but I have determined that the root cause is not at the NGINX level: as soon as I enable Cloudflare on the CNAME and A records, my site gets the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error irrespective of what I have in NGINX. It is not even getting as far as reaching my server.

```nginx
ssl_prefer_server_ciphers on;
ssl_protocols SSLv2 SSLv3;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW +3DES 3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
```

I have also tried setting the SSL mode to "Full" and "Full strict", but the issue is still the same and not resolved.

From various sources I see that old ciphers are not supported on old Chrome browsers (see below).
https://support.google.com/chrome/a/answer/6357171?hl=en

I then tested on BrowserStack with Windows XP and Chrome (v38) and can replicate the issue; however, I am wondering if anyone can tell me how to resolve this if I make use of Cloudflare?

I see that other sites using Cloudflare don't have this issue, so perhaps it is something that I have not configured correctly?

Any help would be much appreciated!


#2

Cloudflare free certificates use SNI, which may be incompatible with older, unsupported operating systems/browsers, as you noted.


#3

Hi, but I am not using a free Cloudflare certificate. I am using a fully authorised COMODO SSL (EssentialSSL Wildcard) certificate. Are you suggesting I move to a paid SSL certificate from Cloudflare to resolve this problem?


#4

When your record is proxied through Cloudflare (:orange:) then Cloudflare becomes an SSL termination endpoint. It needs to do this in order to provide DDoS mitigation and other security features included with the service. As such it serves an SSL certificate from our edge (and then makes an SSL connection to the origin server when/where needed).

So unless you’ve either purchased a certificate through Cloudflare or upgraded to a plan that allows you to upload your own, when proxied through Cloudflare you’re using our shared/universal SSL certificate. You can check/confirm this by viewing the certificate presented when the record is orange clouded and the error occurs.
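An added diagnostic for the check suggested in #4 (example code, not from the thread or from Cloudflare): it performs one TLS handshake against a host with and without SNI, optionally with a narrowed cipher list, and reports whether a certificate came back and its SHA-256 fingerprint, so the proxied (orange-cloud) edge and the direct origin can be compared. The hostname is a placeholder and the probe itself needs network access.

```python
import hashlib
import socket
import ssl


def probe_tls(host, server_hostname=None, ciphers=None, port=443, timeout=5.0):
    """One handshake against host:port; report what the server presented.
    server_hostname=None omits the SNI extension (legacy-client shape); ciphers
    narrows the ClientHello to an OpenSSL cipher list. Verification is off on
    purpose: we want to see WHICH certificate is sent, not to trust it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # diagnostic only; never reuse for real traffic
    if ciphers:
        ctx.set_ciphers(ciphers)
    res = {"sni": server_hostname, "handshake_ok": False, "cert_sha256": None,
           "cipher": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
                res["handshake_ok"] = True
                res["cipher"] = tls.cipher()[0]           # negotiated suite name
                der = tls.getpeercert(binary_form=True)   # raw DER; available even with CERT_NONE
                if der:
                    res["cert_sha256"] = hashlib.sha256(der).hexdigest()
    except ssl.SSLError as exc:
        res["error"] = exc.reason or str(exc)             # e.g. SSLV3_ALERT_HANDSHAKE_FAILURE
    except OSError as exc:
        res["error"] = str(exc)
    return res


def classify(res):
    """Map a probe result onto the distinction the thread is about."""
    if res["handshake_ok"] and res["cert_sha256"]:
        return "certificate presented"
    if res["error"] and "HANDSHAKE_FAILURE" in res["error"].upper():
        return "rejected before certificate"   # no common protocol/cipher, or SNI required
    return "connection failed"


def same_certificate(a, b):
    """True when two probes (e.g. proxied edge vs direct origin IP) got the same leaf cert."""
    return bool(a["cert_sha256"]) and a["cert_sha256"] == b["cert_sha256"]


if __name__ == "__main__":
    host = "www.example.com"   # placeholder; substitute the affected hostname
    for sni in (host, None):
        r = probe_tls(host, server_hostname=sni)
        print(f"SNI={sni!r:<22} {classify(r):<28} cipher={r['cipher']} error={r['error']}")
```

Run it once against the hostname (proxied) and once against the origin IP with the same server_hostname; differing fingerprints mean the edge is serving its own certificate, while "rejected before certificate" matches the no-certificate symptom described in this thread.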


#5

When my website is proxied through Cloudflare (:orange:), there is no certificate at all when the error occurs (see screenshots), so it's not using the shared/universal SSL certificate as you suggested. When I am not proxying through Cloudflare, it is using the COMODO certificate. So in both instances I do not see it using any of the Cloudflare shared/universal certificates.

So do you mean the solution is to purchase a Dedicated SSL Certificate on Cloudflare while also keeping the certificate issued to me by COMODO unchanged?


#6

Hello, I just purchased a dedicated edge cert and the issue is resolved now. I am now seeing Cloudflare's certificate as the root certificate on my primary domain. If this is the case, does this mean I do not need to continue using/renewing my previous COMODO cert?


#7

You don't need to continue to renew it. You could instead place a Cloudflare Origin cert on your origin server (they are found on the Crypto tab), but for the time being you can certainly keep using the one you have.


#8

Thank you.


#9

I tried to install an Origin Certificate by choosing the first option (Let Cloudflare generate a private key and a CSR), RSA type.

In the next screen I copied the first key (origin certificate) and created a .pem file. Then I copied the second key and created a .key file.

And then I restarted NGINX and got an error on the site:

But what I do not have, and what is not in the instructions, is a CSR file.

Not sure what has gone wrong here, advice appreciated.


#10

So it would appear that at this point you're still going direct to the origin. Our origin cert is only trusted by our edge (by default), so if you orange-cloud that record it should work seamlessly for visitors.