SSL_ERROR_NO_CYPHER_OVERLAP and authentication failure on GL-MT300N v2/21.02.1

I just installed plain vanilla OpenWrt 21.02.1 on my GL.iNet GL-MT300N v2 to have more space on /overlay. GL.iNet's stable is based on 19.07.8 and has only about 4 MB in /overlay. And their 21.02-based firmware is still in development.

Sooo. I installed it and tried to access Luci. I had two problems:

  1. https from Firefox 96.0 on Ubuntu 21.10 does not work with this message:

     An error occurred during a connection to splat.lupe-christoph.de. Cannot communicate securely with peer: no common encryption algorithm(s).

     Error code: SSL_ERROR_NO_CYPHER_OVERLAP

  2. When I fall back to HTTP, I still can't log in. That's more in my yard, so I ran tcpdump and strace to see what happens. Turns out that Luci is refusing access with:

         HTTP/1.1 403 Forbidden

     I can see that there is some communication with Ubus and then Luci sends the 403. I was unable to snoop the Ubus communication (no output from ubus listen).

Thanks for hints

Related: Firefox error SSL_ERROR_NO_CYPHER_OVERLAP when using Luci HTTPS access?

How is splat.lupe-christoph.de related to OpenWrt?

Sorry, that's a miss. As I wrote, I'm using Firefox 96.0 on Ubuntu 21.10. I do not normally install Microsoft software on Linux, and especially not antivirus snake oil.

This is a direct communication between Firefox and uhttpd.

splat.lupe-christoph.de is just the hostname I use for experimenting with OpenWrt, and that's the only relation. It's called splat because things can go SPLAT!! when experimenting...

Sounds like you in fact do not have "plain vanilla".
I have one here and reflashing using the uboot UI it works perfectly.
Did you reflash using Luci on the GL OEM OpenWrt and save config by any chance?

No cypher overlap means that the browser and the server can't negotiate to use a mutually supported cypher. This is usually because the browser insists on using only newer, more secure cyphers that are not installed in the server.

Since you're using the GL build you need to seek help from them.

I had used uBoot to install the GL.iNet version in the meantime, but this time I did not install plain vanilla through the GL.iNet web interface but also using uBoot.

The login problem remains.

But the cypher problem is gone. Only the good old MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT tries to prevent me from using HTTPS. So I must have made a mistake in the first round. I'm quite sure I did turn off keeping the config, but you never know what they changed there.

Lesson learned: use uBoot if available. It's simpler to use than TFTP, and also simpler in what it does.

Just add an exception in Firefox and you won't see the error.

I installed the plain vanilla version again, with uBoot. I immediately tried to log in via Luci, with no password set yet. Still does not work. Reboot, try again. Nope.

Then I had an idea - what about old cookies? There were 18 of them for 192.168.1.1. I normally switch to a 172 address right after installation, so why are there so many? I can't find out anymore, I just removed them wholesale and Presto! login works.

Maybe somebody could check Luci to see why this could happen?