Ssl/ tls handshake error

What is the name of the domain?

aibverify.com

What is the issue you’re encountering

Hello, Hope all is well. We’re getting an SSL/TLS handshake error, causing our site, https://aibverify.com/, to have accessibility issues from various ISPs. Below are more details:

curl -v https://aibverify.com/
Trying 2606:4700:3033::ac43:dd2f:443…
Connected to aibverify.com (2606:4700:3033::ac43:dd2f) port 443 (#0)
ALPN, offering h2
ALPN, offering http/1.1
successfully set certificate verify locations:
CAfile: /etc/ssl/cert.pem
CApath: none
(304) (OUT), TLS handshake, Client hello (1):
error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version
Closing connection 0
curl: (35) error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version

Thanks and let us know. Regards, The AIB Team

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Full (strict)

Screenshot of the error

I cannot replicate the cipher mismatch error message. Site loads fine for me. Can you try from incognito mode and/or a different browser?

The error “ERR_SSL_VERSION_OR_CIPHER_MISMATCH” in Google Chrome prevents access to the site because it detects an issue with creating a valid connection to your site. This may be a temporary issue, and should resolve itself within 24 hours. If not, grey-cloud/deactivate Cloudflare so that the website uses the origin’s SSL certificate, see How do I temporarily deactivate Cloudflare? Activate Cloudflare again in 24 hours and try to access your website to see if the SSL certificate has been successfully deployed.
Other successful troubleshooting suggestions and more details about the error can be found in this Community Tip. Let us know if you continue to see issues after trying these tips, we’re happy to help further.


So the issue isn’t that the certificate isn’t deployed, it’s that the certificate is misconfigured. We have the free plan right now so we can’t request a new one, but since this is an issue on cloudflare’s end would be hopeful that you can create a new one for us.

It’s not an issue with our content, since we tried it with a basic html page. It’s the actual domain certificate which isn’t working.

HTTPS connections to your proxied site from the public internet are completing successfully. You can see details in this report.

https://cf.sjr.org.uk/tools/check?437329b24ca942608a14efbbf69996c0#connection-server-https

What happens when you pause Cloudflare or switch the hostname to :grey: DNS Only?


It works on some systems, but it doesn’t on others. It’s a certificate issue.

We just tried it on a different domain and it worked:

openssl s_client -connect dealerhedge.com:443 -servername …
CONNECTED(00000005)
depth=3 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R4
verify return:1
depth=1 C = US, O = Google Trust Services, CN = WE1
verify return:1

Certificate chain
0 s:/CN=dealerhedge.com
i:/C=US/O=Google Trust Services/CN=WE1…

On our domain:

openssl s_client -connect aibverify.com:443 -servername aibverify.com
CONNECTED(00000005)

no peer certificate available

No client certificate CA names sent

When I make the same test, I am sent a Let’s Encrypt certificate.

openssl s_client -connect aibverify.com:443 -servername aibverify.com
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R11
verify return:1
depth=0 CN = aibverify.com
verify return:1
---
Certificate chain
 0 s:CN = aibverify.com
   i:C = US, O = Let's Encrypt, CN = R11
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct  7 01:41:10 2024 GMT; NotAfter: Jan  5 01:41:09 2025 GMT
 1 s:C = US, O = Let's Encrypt, CN = R11
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
---
we’ve disabled / reenabled universal ssl, changed the ssl/tls encryption mode to flexible, off, full, etc., removed all dns records and readded them, removed the domain from cloudflare and readded it (as well as paused it), and purged cache. the error is still occurring for some systems yet when a new domain was added and tested with the same settings it worked fine

perhaps revalidating the domain would work? when I used the other domain it worked shortly after the nameservers were added and the edge certificate status switched from pending validation to active. I’m unable to trigger a revalidation here when disabling / reenabling universal ssl that removes/adds the certificate (managed by cloudflare)

Following up here, this is very urgent and blocking a lot of traffic on our site.

As you can see in the following test results, I am unable to reproduce the symptoms you describe.

https://cf.sjr.org.uk/tools/check?5c11509db00945a19f75859860e95b3c#connection-server-https

As we said it works for some people it doesn’t for others. This is the issue and is not specific to our site alone. We’ve seen similar SSL certificate issues on other sites.

it seems to be a validation issue for some systems. the ciphers aren’t communicating correctly so it’s giving a handshake error.

If you have access to systems that are consistently having issues making a successful connection, it might be worth trying to identify any commonalities. There isn’t going to be much anyone in the Community can offer, since no one here has been able to reproduce your symptoms.


We’re confident it’s an issue with our certificate, as we tested it out with a different domain name (which we have now taken off Cloudflare after testing) and the certificate worked fine. It’s definitely an issue with our existing domain aibverify.com

Can you either provide us with a new certificate or revalidate our domain?

It has been repeatedly demonstrated that your certificate is fine. Any errors you are encountering are, by your own admission, limited to specific clients, which means the problem is not caused by the certificate, but rather by the client. Without the ability to reproduce the symptoms you describe, there is nothing anyone can do to help you here.

Maybe someone else will have another perspective, but I’m out of suggestions for you.


Whenever we try to access the site through our own devices and different internet service providers we get the following error:

I sincerely appreciate your assistance trying to help us through this issue. We’ve been attempting to fix this for well over 2 weeks and visited right about every forum and community with little luck. This issue stops a lot of traffic on our site.

We’re confident the certificate is the issue. It sucks that in your specific case your ISP and device allow you to access the site so you’re not getting the error, but this isn’t the case for the majority of users. Even though you say the certificate is not the issue, we’d really appreciate it if you can provide us with a one-time new certificate or revalidate our domain.

You’d be saving us a lot of pain and trouble, because if that too does not work, we can switch services from Cloudflare. We have spent countless hours trying to fix this issue.

openssl s_client -connect aibverify.com:443 -servername aibverify.com
connect: Connection refused
connect:errno=61

Can you post the output of the following?

curl -6 http://aibverify.com/cdn-cgi/trace

Go ahead and delete the “IP” line that has your home IP address.

That command should show which server you’re connecting to, and maybe someone at Cloudflare can see if there’s an issue there.

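A per-address version of the openssl s_client and curl -6 checks used in this thread, added here as an example (it is not code from the thread or from Cloudflare): it resolves every A and AAAA record for the hostname, attempts a verified TLS 1.2+ handshake with SNI against each address, and labels each failure so that a refused connection on one address family can be told apart from a protocol-version alert or a certificate problem. The hostname and the sample certificate dictionary are constructed from values quoted in the thread; the function names are my own.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone
# Constructed sample in ssl.getpeercert() shape, mirroring the leaf shown in the thread.
SAMPLE_CERT = {"subject": ((("commonName", "aibverify.com"),),),
               "issuer": ((("organizationName", "Let's Encrypt"),), (("commonName", "R11"),)),
               "notAfter": "Jan  5 01:41:09 2025 GMT"}

def resolve_all(hostname, port=443):
    """Distinct (family, ip) pairs for every A and AAAA record of hostname."""
    seen = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP):
        if (family, sockaddr[0]) not in seen:
            seen.append((family, sockaddr[0]))
    return seen

def classify_failure(exc):
    """Map a connect/handshake exception to a short diagnosis label, most specific first."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert-verify-failed"            # chain or hostname did not verify
    if isinstance(exc, ssl.SSLError):            # e.g. the 'tlsv1 alert protocol version' quoted above
        return "tls-protocol-version-alert" if "protocol version" in str(exc).lower() else "tls-handshake-failure"
    if isinstance(exc, ConnectionRefusedError):
        return "tcp-refused"                   # nothing listening on that address:port
    return "tcp-unreachable" if isinstance(exc, OSError) else "unknown"

def summarize_cert(cert):
    """Condense getpeercert() output to subject CN, issuer CN and expiry status."""
    cn = lambda name: next((v for rdn in name for k, v in rdn if k == "commonName"), "?")
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return {"subject": cn(cert["subject"]), "issuer": cn(cert["issuer"]),
            "not_after": not_after, "expired": not_after < datetime.now(timezone.utc)}

def probe(hostname, ip, family, port=443, timeout=5.0):
    """TLS 1.2+ handshake with SNI against one resolved address, verifying the chain."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.socket(family, socket.SOCK_STREAM) as raw:
            raw.settimeout(timeout)
            raw.connect((ip, port))
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return {"ip": ip, "ok": True, "tls": tls.version(), "cert": summarize_cert(tls.getpeercert())}
    except OSError as exc:
        return {"ip": ip, "ok": False, "reason": classify_failure(exc), "detail": str(exc)}
if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "aibverify.com"
    for family, ip in resolve_all(host):   # one line per address, so an IPv6-only failure stands out
        print(probe(host, ip, family))
```

Run it from one of the affected machines and from one that works; if only the AAAA rows differ, the problem is in the IPv6 path or DNS records rather than in the certificate itself.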

We get the following (multiple people on our team tried it out, all the same result):

curl -6 http://aibverify.com/cdn-cgi/trace
curl: (7) Couldn’t connect to server


We figured out the issue. It’s a conflicting CNAME and A record on Cloudflare. Do you know how we can change this? It has been incorrectly proxied.
