SSL_ERROR_NO_CYPHER_OVERLAP issue with my domain

Hello,
I have SSL_ERROR_NO_CYPHER_OVERLAP or similar in all browsers.
My website has been protected by Cloudflare for more than a year. On Jun 11th something happened with the Cloudflare SSL certificate exposed to clients / visitors, so clients can not connect. I have search engine issues too (some pages were deleted from search results and it’s critical).
The origin has a valid Let’s Encrypt certificate. The protection is full (strict). I did not change any settings.

  • Trying 104.21.41.117…
  • TCP_NODELAY set
  • Connected to **** (104.21.41.117) port 443 (#0)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
  • successfully set certificate verify locations:
  • CAfile: /etc/ssl/certs/ca-certificates.crt
    CApath: /etc/ssl/certs
  • TLSv1.2 (OUT), TLS header, Certificate Status (22):
  • TLSv1.2 (OUT), TLS handshake, Client hello (1):
  • TLSv1.0 (IN), TLS header, Unknown (21):
  • TLSv1.0 (IN), TLS alert, Server hello (2):
  • error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
  • Curl_http_done: called premature == 1
  • stopped the pause stream!
  • Closing connection 0
    curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

(curl + debug)
This is same for all subdomains. Could somebody please help?
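The failure in the trace above is a TLS alert record from the edge: this older curl prints the alert's first byte (level 2, fatal) with a handshake-message name, and the OpenSSL error string supplies the description (handshake failure, code 40), which browsers surface as SSL_ERROR_NO_CYPHER_OVERLAP or ERR_SSL_VERSION_OR_CIPHER_MISMATCH. The decoder below is an added example, not part of this thread, and runs on a constructed copy of that alert record rather than on the live domain.

```python
import struct

# TLS record content types (RFC 5246 section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Alert descriptions that typically appear when negotiation fails (RFC 5246 section 7.2)
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    40: "handshake_failure",
    42: "bad_certificate",
    46: "certificate_unknown",
    70: "protocol_version",
    71: "insufficient_security",
    112: "unrecognized_name",
}
VERSIONS = {(3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2", (3, 4): "TLSv1.3"}


def parse_record(data: bytes) -> dict:
    """Decode one TLS record header; for alert records also decode the 2-byte body."""
    if len(data) < 5:
        raise ValueError("short record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record body")
    rec = {
        "content_type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
        "version": VERSIONS.get((major, minor), f"{major}.{minor}"),
    }
    if ctype == 21:
        if length != 2:
            raise ValueError("alert body must be exactly 2 bytes")
        level, desc = body  # iterating bytes yields ints
        rec["level"] = ALERT_LEVELS.get(level, f"unknown({level})")
        rec["description"] = ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})")
    return rec


# Constructed sample: content type 21 (alert), record version 3.1 (TLSv1.0, matching the
# "TLSv1.0 (IN)" line in the trace), length 2, level 2 (fatal), description 40 (handshake_failure).
SAMPLE_ALERT = bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x28])

if __name__ == "__main__":
    print(parse_record(SAMPLE_ALERT))
```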

What’s the domain?

In Edge Certificates, do you have an active Universal SSL certificate?

Have you turned off Universal SSL and turned it back on?


csupdate.*ru (remove *)
It is pointed to Cloudflare nameservers for a few years and Cloudflare is known for its stability, but now the number of visits dropped to zero due to the wrong certificate installed…

Edge certificates - no certificates

I think there’s still a Digicert embargo on .RU currently

Take a look at Universal SSL renewal is broken - #4 by KianNH & some other threads.

You can either grey-cloud the DNS entry to bypass Cloudflare, or I think there’s a workaround using the API to request someone other than Digicert handle the certificate.

I’m trying to find the thread with the API workaround but haven’t found it yet, it’s on here somewhere though

I checked the API documentation and I see how to change the certificate issuer for Advanced Certificate Manager certificates (a premium service) but not for Universal SSL.

There might or might not actually be a workaround for Universal SSL

So the best option might be to just grey-cloud the DNS entry until the situation changes.

I wasn’t able to find the “disable Universal SSL” button, but now I’ve found it. The status “pending validation (txt)” was shown for about 5 minutes and now the certificate is issued. The curl check passes. I hope search engines will restore the deleted pages in the search results soon.

If the issue is global, is there any possibility to track certificate update errors and trigger some actions, or at least notify users about the problem and the recommended manual actions inside the mail?

P.S. I expected the new Let’s Encrypt certificate would work in old web browsers (e.g. Chrome on Windows XP) but unfortunately, there is the same ERR_SSL_VERSION_OR_CIPHER_MISMATCH error as when another certificate issuer was used.

P.S.2 unfortunately, I can not find Edit post button here…
Thank you.

Your new certificate looks fine to me, browsers that tried to connect previously might need to be restarted or cache cleared.

Seems like you already have your minimum TLS version set to 1.0, which should give you very broad support for old browsers (at the expense of security).

More info on your certificate & browser compatibility here: SSL Server Test: csupdate.ru (Powered by Qualys SSL Labs)

In fact just about all browsers should be supported except really ancient ones without SNI support (Server Name Indication | Can I use... Support tables for HTML5, CSS3, etc).

Personally I don’t care about the ancient browsers much, so I use minimum TLS 1.2 (supported by 97% of browsers) and once IE is officially dead I might even go 1.3-only.

Honestly I never care about IE, it is the pre-installed browser that must be used for only one purpose: downloading another browser.
But handshake_failure for Google Chrome in Windows XP SP3 is the only reason why I can not enable a full redirect of HTTP to HTTPS; there are still many users of old PCs who can not update the browser due to technical reasons. There is another protection named DDoS-Guard (Russian-based), it had a free plan (VERY limited compared to Cloudflare’s) and they disabled that free plan recently. They obtain Let’s Encrypt certificates at the “proxy” server for your domain and it works in all old browsers. I don’t know how they managed to make it work, but I believe Cloudflare will be perfect if they fix this handshake_failure error.

Thank you for help, now it works. The solution is to disable Universal SSL and re-enable it manually.

I think I have a shared certificate issued to Cloudflare SNI (free plan). Thank you for the link but I see no solution there. Does it mean that if the certificate expired during this month my website would stop working without any prior notice, rather than showing the typical “certificate expired” or “your clock is wrong” with a skip button? That’s stupid. Digicert are stupid if they broke the whole TLD instead of banning payments from one specific country (exactly what Visa / Mastercard / Swift already did). I’m not a Russian citizen but I use the .ru TLD because $3.5 is a good price for a domain rather than the overpriced .com .net etc.