SSL Certificate problem!

Not always, but sometimes when I try to open my website I get this error message, as you can also see from the attachment:

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

I guess it is a problem with the SSL but I have no idea how to fix this.

Can you share your domain?

Have you enabled the DNSSEC option? If yes, make sure you copied the correct information!

There is a Community Tip for this error message. Community Tip - Fixing ERR SSL VERSION OR CIPHER MISMATCH in Google Chrome

Hardenize and SSLlabs tests look fine. I only see the precertificate in crt.sh, which might be an issue, but I’d expect a different message, and OCSP is working, so that might be nothing.

DNSSEC looks fine (it is not configured at all).

Just as an FYI, you are setting a HSTS header, but don’t have a redirect in place from HTTP to HTTPS. You can enable the “Always Use HTTPS” option on your Cloudflare dashboard to fix this.


The main problem seems to be on the sub-link “CNAME” I created. Sometimes it works fine, other times or with another browser it gives me an error. For example, this is the link: https://link.offertespeciali.click/landing/dmc/supervapor/1/?ref=3327825a046f

I tried to force the https but still seems to give the same error.

“Your SSL/TLS encryption mode is Flexible” maybe you need to set this up 🤫

It is actually switched to “Complete”. I also tried to set it to “Complete Strict”, but then it gives me more errors.

What web server are you running? Nginx or Apache?
Configuration for TLS version?

Use:

And:

Check for Certificate Name Mismatch
Check for Old TLS version
Check RC4 Cipher Suite

Try Clearing the SSL State On Your Computer - Just like clearing your browser’s cache:

  1. Click the Google Chrome Settings icon, and then click Settings.
  2. Click Show advanced settings.
  3. Under Network, click Change proxy settings. The Internet Properties dialog box appears.
  4. Click the Content tab.
  5. Click “Clear SSL state”, and then click OK.
  6. Restart Chrome.

Which Operating System are you running?
Have you tried to use a newer one or test on a mobile phone?

Have you tried to temporarily disable the antivirus?

I am sorry, those questions are a bit too technical for me to be able to answer.

However, as I said, what is weird is that sometimes it works straight away and sometimes it doesn’t. In particular, most of the time when my “CNAME link” doesn’t work, I can then access my homepage, and once I am able to access my homepage the “CNAME link” also starts working.

And overall, if this is a problem with my computer and settings it doesn’t worry me much, but if this is a problem with my website then I need to fix it, because it will affect the users that try to access the page.

Hello, check the TLS configuration. If you defined TLS 1.3 and the browser does not support it, the connection will not be made. I leave a link to validate protocols.

Test your browser

How can I define a different TLS then? Is this the option I can change in the screenshot I made? I had it set to completo (completed) before, I just switched to flessibile (Flexible), but it still gives me problems.

Are you able to let me understand the meaning of this screenshot?

@cacciatore.alberto2 - this is your SSL report from SSLLabs. In the table, you see individual reports for each returned Cloudflare IPv4 & 6. To get more insights on the grade (B), click the IP address link in the table. The reason why your site got a score B is that you have less secure TLS versions (1.0 & 1.1) enabled. Your default SSL is set to TLS (1.0). To improve your SSL grade, you can change it to TLS 1.2 under SSL/TLS > Certificati perimetro > Versione TLS minima.

@cacciatore.alberto2, you can change your TLS version under SSL/TLS > Certificati perimetro > Versione TLS minima.

Please note that if you want to change your SSL mode to something else (strict or full strict) other than Flexible, please make sure your origin server has a valid certificate.


Thank you for your reply,

If I change my TLS to 1.2, isn’t there a risk that this will block access to my website for users that don’t have that grade? Honestly, I have no idea if that could be many or just very few…

You should get a rough guide on the protocol usage from your dashboard (Analytics → Security → Traffic Served Over SSL). The vast majority of users currently support TLS v1.2, and you would probably know if you had particular requirements for legacy TLS. With a very diverse user base I see 75+% of traffic is using TLS v1.3.


Things are getting worse, my website is not accessible anymore, and I cannot even access the admin section with WordPress.
That page said to clear the cookies, but once I did it, it still doesn’t work, and it is the same with a different browser.

Friend, my advice is that if you intend to change the configurations in Cloudflare, study them in detail before making any change. I recommend:

    1. In your case I suggest “Complete”; remember that your certificate must be valid and supported by Cloudflare.

    2. Under SSL/TLS, Edge Certificates (Certificati perimetro), look for the Minimum TLS Version option. Select TLS 1.0.

With this change, all browsers will have access to the server.

The consequence of this change is the security of the connection protocols.

Thanks for the explanation, I really am not understanding much of these Cloudflare configurations!
How can I tell whether the certificate is valid and supported by Cloudflare? Where can I check it?

At this link you can analyse:

https://www.ssllabs.com/index.html

  1. The server:
    It reviews the certificate and the connection protocols and gives a security rating; the best is A. If your server accepts the TLS 1.0 and 1.1 protocols, the rating is downgraded to B; it is considered insecure. If you configure your server for TLS 1.3 to resolve this security problem, you must make sure that your clients’ browsers are compatible with this protocol, otherwise they will not be able to connect to the server.

  2. The browser: to check whether it supports the TLS 1.0, 1.1, 1.2 and 1.3 protocols.
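An added example, not part of any post in this thread and not Cloudflare's code: the SSL Labs finding discussed above (TLS 1.0 and 1.1 still enabled) can be checked directly, before and after changing the minimum TLS version, by attempting one handshake per protocol version. It assumes Python 3.7+ built against OpenSSL; `pinned_context`, `probe` and `legacy_accepted` are names made up for this example.

```python
import socket
import ssl
import warnings

VERSIONS = {  # protocol versions to offer, one per connection
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def pinned_context(version):
    """Client context that offers exactly one TLS version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # protocol probe only, not a trust decision
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # lets OpenSSL 3 offer TLS 1.0/1.1
    with warnings.catch_warnings():  # newer Pythons warn 1.0/1.1 are deprecated
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = version
        ctx.maximum_version = version
    return ctx

def probe(host, port=443, timeout=5.0):
    """Try one handshake per version; return {version name: status string}."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            ctx = pinned_context(version)
            raw = socket.create_connection((host, port), timeout=timeout)
        except (ValueError, ssl.SSLError) as exc:  # local OpenSSL lacks it
            results[name] = f"not testable locally: {exc}"
            continue
        except OSError as exc:  # DNS failure, refused, timed out
            results[name] = f"unreachable: {exc}"
            continue
        try:
            with ctx.wrap_socket(raw, server_hostname=host):
                results[name] = "accepted"
        except OSError as exc:  # TLS alert (ssl.SSLError), reset or timeout
            results[name] = f"rejected: {exc}"
        finally:
            raw.close()
    return results

def legacy_accepted(results):
    """Versions below TLS 1.2 for which the handshake completed."""
    return [v for v in ("TLSv1.0", "TLSv1.1") if results.get(v) == "accepted"]
```

Calling `probe()` with the site's hostname and passing the result to `legacy_accepted()` lists the legacy versions the edge still completes a handshake with; an empty list after raising the minimum TLS version to 1.2 confirms the setting took effect.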
