Hello, Hope all is well. We’re getting an SSL/TLS handshake error, causing our site, https://aibverify.com/, to have accessibility issues from various ISPs. Below are more details:
curl -v https://aibverify.com/
Trying 2606:4700:3033::ac43:dd2f:443…
Connected to aibverify.com (2606:4700:3033::ac43:dd2f) port 443 (#0)
ALPN, offering h2
ALPN, offering http/1.1
successfully set certificate verify locations:
CAfile: /etc/ssl/cert.pem
CApath: none
(304) (OUT), TLS handshake, Client hello (1):
error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version
Closing connection 0
curl: (35) error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version
Thanks and let us know. Regards, The AIB Team
Was the site working with SSL prior to adding it to Cloudflare?
I cannot replicate the cipher mismatch error message. Site loads fine for me. Can you try from incognito mode and/or different browser?
The error “ERR_SSL_VERSION_OR_CIPHER_MISMATCH” in Google Chrome prevents access to the site because it detects an issue with creating a valid connection to your site. This may be a temporary issue, and should resolve itself within 24 hours. If not, grey-cloud/deactivate Cloudflare so that the website uses the origin’s SSL certificate, see How do I temporarily deactivate Cloudflare? Activate Cloudflare again in 24 hours and try to access your website to see if the SSL certificate has been successfully deployed.
Other successful troubleshooting suggestions and more details about the error can be found in this Community Tip. Let us know if you continue to see issues after trying these tips, we’re happy to help further.
So the issue isn’t that the certificate isn’t deployed, it’s that the certificate is misconfigured. We have the free plan right now so we can’t request a new one, but since this is an issue on cloudflare’s end would be hopeful that you can create a new one for us.
It’s not an issue with our content, since we tried it with a basic html page. It’s the actual domain certificate which isn’t working.
It works on some systems, but it doesn’t on others. It’s a certificate issue.
We just tried it on a different domain and it worked:
openssl s_client -connect dealerhedge.com:443 -servername …
CONNECTED(00000005)
depth=3 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R4
verify return:1
depth=1 C = US, O = Google Trust Services, CN = WE1
verify return:1
…
We’ve disabled / reenabled universal ssl, changed the ssl/tls encryption mode to flexible, off, full, etc., removed all dns records and readded them, removed the domain from cloudflare and readded it (as well as paused it), and purged cache. The error is still occurring for some systems yet when a new domain was added and tested with the same settings it worked fine.
perhaps revalidating the domain would work? when I used the other domain it worked shortly after the nameservers were added and the edge certificate status switched from pending validation to active. I’m unable to trigger a revalidation here when disabling / reenabling universal ssl that removes/adds the certificate (managed by cloudflare)
As we said it works for some people it doesn’t for others. This is the issue and is not specific to our site alone. We’ve seen similar SSL certificate issues on other sites.
It seems to be a validation issue for some systems. The ciphers aren’t communicating correctly so it’s giving a handshake error.
If you have access to systems that are consistently having issues making a successful connection, it might be worth trying to identify any commonalities. There isn’t going to be much anyone in the Community can offer, since no one here has been able to reproduce your symptoms.
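One way to look for such commonalities, as an added example that is not part of any post in this thread: collect `curl -v` transcripts from affected and unaffected clients and record, for each, the address family of the edge it reached and how far the handshake got. `FAILING` is an excerpt of the transcript from the first post; `WORKING`, the function names and the verdict strings are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Excerpt of the transcript quoted in the first post of this thread.
FAILING = """\
Connected to aibverify.com (2606:4700:3033::ac43:dd2f) port 443 (#0)
ALPN, offering h2
(304) (OUT), TLS handshake, Client hello (1):
error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version
curl: (35) error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version
"""

# Constructed sample of a working client (documentation address, not real data).
WORKING = """\
Connected to example.test (2001:db8::10) port 443 (#0)
(304) (OUT), TLS handshake, Client hello (1):
(304) (IN), TLS handshake, Server hello (2):
(304) (IN), TLS handshake, Certificate (11):
SSL certificate verify ok.
"""

def triage(transcript):
    """Return (ip_family, verdict) for one `curl -v` transcript."""
    peer = re.search(r"Connected to \S+ \(([0-9A-Fa-f:.]+)\) port \d+", transcript)
    family = f"IPv{ipaddress.ip_address(peer.group(1)).version}" if peer else "unknown"
    alert = re.search(r"(?:tlsv1|sslv3) alert ([a-z ]+)", transcript)
    saw_server_hello = "Server hello" in transcript
    if "SSL certificate problem" in transcript:
        verdict = "certificate rejected by client"
    elif alert and not saw_server_hello:
        # The peer aborted in reply to ClientHello; no certificate was received yet.
        verdict = f"aborted before certificate: {alert.group(1).strip()}"
    elif alert:
        verdict = f"alert after ServerHello: {alert.group(1).strip()}"
    elif saw_server_hello:
        verdict = "handshake progressed"
    else:
        verdict = "no TLS data"
    return family, verdict

def commonalities(transcripts):
    """Count (family, verdict) pairs across transcripts from many clients."""
    return Counter(triage(t) for t in transcripts)

if __name__ == "__main__":
    for key, n in commonalities([FAILING, WORKING]).items():
        print(n, *key)
```

Run over transcripts from many clients, the counts show whether failures cluster on one address family or one handshake stage; with only these two samples nothing about the cause can be concluded.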
We’re confident it’s an issue with our certificate, as we tested it out with a different domain name (which we now took off from cloudflare after testing) and the certificate worked fine. It’s definitely an issue with our existing domain aibverify.com
Can you either provide us with a new certificate or revalidate our domain?
It has been repeatedly demonstrated that your certificate is fine. Any errors you are encountering are, by your own admission, limited to specific clients, which means the problem is not caused by the certificate, but rather by the client. Without the ability to reproduce the symptoms you describe, there is nothing anyone can do to help you here.
Maybe someone else will have another perspective, but I’m out of suggestions for you.
I sincerely appreciate your assistance trying to help us through this issue. We’ve been attempting to fix this for well over 2 weeks and visited right about every forum and community with little luck. This issue stops a lot of traffic on our site.
We’re confident the certificate is the issue. It sucks that in your specific case your ISP and device allows you to access the site so you’re not getting the error, but this isn’t the case for majority of users. Even though you say the certificate is not the issue, we’d really appreciate if you can provide us with a one time new certificate or revalidate our domain.
You’d be saving us a lot of pain and trouble, because if that too does not work, we can switch services from Cloudflare. We have spent countless hours trying to fix this issue.