Firefox error SSL_ERROR_NO_CYPHER_OVERLAP when using Luci HTTPS access

Hello,
I have installed OpenWRT 18.06.1 on my Netgear 6220 router. I have configured HTTPS protocol (with my own self-signed certificate generated with openssl) and configured Luci to use it.

Until yesterday everything had worked flawlessly. Suddenly all browsers stopped connecting to the router using the HTTPS protocol. Firefox displays the error SSL_ERROR_NO_CYPHER_OVERLAP.

I cannot spot the reason for this error. I have upgraded the packages in OpenWrt, but this did not resolve the problem. Nor did reinstalling libustream-mbedtls with its dependencies.

I can connect to my router via HTTP and SSH without any problem, and apart from the HTTPS problem the router seems to work fine.

Wojtek

Firefox 63.0.1 was released a few days ago, maybe it's related? I don't get this error, but I'm using libustream-openssl. It could also be caused by anti virus software intercepting the request.

My guess is that it is related to changes in TLS support in the browser, combined with features in the SSL libraries and uhttpd.

You said "all browsers". I assume that you have tested at least Firefox, Chrome and IE or Edge.

Could you list the exact versions of the libraries you are using? And the browsers?

You might also check from Firefox security settings that older TLS versions are still supported.

Quite possibly browser hardening now disables some ciphers that have been in mbedtls in 18.06.

I just tested:

  • current OpenWrt 18.06-SNAPSHOT r7365-91a8bc1dd0
  • libmbedtls - 2.12.0-1 and libustream-mbedtls - 2018-05-22-5322f9db-1

Works with Firefox 64.0b6


Some ideas for you:

  • Remove the current self-signed certificate, restart uhttpd and let uhttpd create a new one.

My versions:
OpenWrt 18.06.1 r7258-5eb055306f
libmbedtls - 2.12.0-1
libustream-mbedtls - 2018-05-22-5322f9db-1

Firefox 63.0.1 - error as in topic subject
Chrome 70.0.3588.77 - ERR_NETWORK_CHANGED
Edge 17.17134 - cannot securely connect with web site
Opera 56.0.3051.52 - same error as Chrome

I have removed the self-signed certificates. After the reload uhttpd regenerated the certificates, however this did not resolve my problem.

I suspected the ciphers to be the source of the problem, however I have no idea how to deal with it. Maybe replacing the mbedtls libraries with openssl ones will be a solution?

You can try that.
I normally use openssl-based libustream, but just installed mbedtls for testing for you.

You do not need to uninstall libmbedtls, as it should be enough to install libopenssl, uninstall libustream-mbedtls and install libustream-openssl.

I went in the other direction for testing, so you should do the mirror of what I did...

   opkg update
   opkg install libmbedtls
   opkg remove --force-depends libustream-openssl
   opkg install libustream-mbedtls
   rm -rf /tmp/luci*
   /etc/init.d/uhttpd restart

Are you using some proxy, cache, antivirus?

I am just thinking that there is a man in the middle, which hijacks/changes the HTTPS traffic.

Note that browsers other than Firefox do not complain about the cipher, but about a "network changed" or a generic error.

Googling for ERR_NETWORK_CHANGED reveals quite a variety of fix proposals. But none have anything specific to do with the SSL library.

I have installed libustream-openssl, however the problem is still not resolved.

Problem with Chrome comes probably from Bitdefender firewall - they do not like each other - a few months ago Chrome claimed that Bitdefender is dangerous and should be uninstalled.

What is the purpose of rm -rf /tmp/luci* ?

Thanks for help.

It looks like Bitdefender is the root of the problem. I disabled SSL scanning and I was able to connect to my router with HTTPS. Then I installed the certificate generated by the router into the Windows 10 root CA store and I was able to use HTTPS.

So it is most probably some problem with Bitdefender.
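As an added example (not from this thread or the OpenWrt project), a small client-side probe that separates the two failure modes discussed above: a handshake that fails for lack of a common cipher or protocol, versus a handshake that completes but presents a certificate which is not the router's own, as a TLS-scanning antivirus or proxy would. It assumes a hypothetical router address of 192.168.1.1 and a local PEM copy of the router's self-signed certificate saved as router.pem.

```python
"""Probe a router's HTTPS port and label the outcome of the TLS handshake.
Assumptions (not from the thread): the router is at 192.168.1.1 and a PEM
copy of its self-signed certificate is saved locally as router.pem."""
import socket
import ssl

ROUTER_HOST = "192.168.1.1"   # hypothetical LuCI address, adjust to yours
ROUTER_PORT = 443
ROUTER_CERT = "router.pem"    # assumed local PEM copy of the router's cert


def make_context(cafile):
    """Trust only the router's own certificate, not the system CA store,
    so that any other certificate on the wire is reported as a mismatch."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # self-signed certs rarely carry a matching SAN
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=cafile)
    return ctx


def classify(exc):
    """Map the exception from a handshake attempt (None on success) to a label."""
    if exc is None:
        return "ok"                       # router's cert presented and a cipher was agreed
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "certificate-mismatch"     # something else answered: regenerated cert or interception
    if isinstance(exc, ssl.SSLError):
        return "handshake-failure"        # no cipher/protocol overlap (Firefox: SSL_ERROR_NO_CYPHER_OVERLAP)
    if isinstance(exc, OSError):          # covers socket.timeout and ConnectionRefusedError
        return "unreachable"
    return "unknown"


def probe(host, port, ctx):
    """Return (label, tls_version, cipher_name) for one connection attempt."""
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(None), tls.version(), tls.cipher()[0]
    except Exception as exc:
        return classify(exc), None, None


if __name__ == "__main__":
    result = probe(ROUTER_HOST, ROUTER_PORT, make_context(ROUTER_CERT))
    print("diagnosis=%s version=%s cipher=%s" % result)
```

A "certificate-mismatch" against a router whose certificate has not been regenerated means something between the client and the router is rewriting the TLS session, which is what the SSL scanning feature turned out to be in this thread; run the probe from the affected machine and from an unaffected one to compare.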
