Forum Discussion
- Krishna_388466Altostratus
err_ssl_version_or_cipher_mismatch is the error message
- Samir_Jha_52506Noctilucent
Can you please share the error message which you are seeing in Google Chrome? I suspect that Chrome removed the RC4 cipher in Chrome v48.
- Samir_Jha_52506Noctilucent
RC4 is disabled by Chrome.
Run the below in the Chrome browser:
chrome://flags/ssl-version-max
Then change the maximum TLS version enabled from Default to TLS 1.3.
Selecting TLS 1.3 will work. Try and confirm.
- Krishna_388466Altostratus
Thanks. When I tried the above option in chrome://flags/ssl-version-max, I don't see any settings related to TLS 1.3 or SSL.
Hi Krishna,
please post your Client SSL Profile cipher string. Maybe we can optimize it further...
Cheers, Kai
- youssef1Cumulonimbus
Hi,
You can take a packet capture of the ssl handshake (with ssldump) to see exactly which ciphers are being negotiated and selected.
https://support.f5.com/csp/article/K10209
Then check if you can find a reference in the Chrome support/forum that talks about your problem.
So first capture the traffic, then check with ssldump which ciphers/protocols are negotiated; it will be helpful for you to find a solution...
Regards
Hi Krishna,
just tested the cipher support of Chrome. Chrome does not support the cipher called AES256-SHA256 (ID 61). It only supports AES256-SHA (ID 53) or AES256-GCM-SHA384 (ID 157) if you require a (non-DH) RSA based AES256.
Qualys SSL Labs: SSL/TLS Capabilities of Your Browser
https://www.ssllabs.com/ssltest/viewMyClient.html
To work around this limitation, I would recommend changing your cipher string to include AES256-GCM-SHA384 as well as AES256-SHA256. GCM is considered more secure than CBC, so you will more or less increase the security of those browsers that support this cipher spec.
```
[root@f501:Active:Standalone] / tmm --clientcipher 'AES256-GCM-SHA384:AES256-SHA256:-SSLv3:-DTLSv1:-TLSv1:-TLSv1_1'
     ID  SUITE              BITS  PROT    METHOD  CIPHER   MAC     KEYX
 0:  157 AES256-GCM-SHA384  256   TLS1.2  Native  AES-GCM  SHA384  RSA
 1:  61  AES256-SHA256      256   TLS1.2  Native  AES      SHA256  RSA
[root@f501:Active:Standalone] /
```
Cheers, Kai
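
Added example, not code from any poster in this thread: a small parser that pulls the offered cipher suite IDs out of a raw ClientHello (the same information the ssldump capture suggested above exposes) and checks them against a profile's suite IDs, showing why a profile with only ID 61 fails and why adding ID 157 fixes it. The function names, the constructed ClientHello, the "ID 61 only" starting profile and the rule that the first suite in profile order wins are assumptions made for the illustration.

```python
import struct

# Names used in the thread for three IANA cipher suite IDs.
SUITE_NAMES = {53: "AES256-SHA", 61: "AES256-SHA256", 157: "AES256-GCM-SHA384"}

def client_hello_suites(record: bytes) -> list:
    """Return the cipher suite IDs offered in one raw TLS ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    # Handshake header (4) + client_version (2) + random (32) + session_id length (1)
    if len(body) < 39 or body[0] != 0x01:
        raise ValueError("truncated or not a ClientHello")
    pos = 39 + body[38]                      # skip the session_id itself
    if pos + 2 > len(body):
        raise ValueError("truncated before cipher_suites")
    (n,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if n % 2 or pos + n > len(body):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, n, 2)]

def negotiate(profile_ids, offered_ids):
    """First suite in the profile's order that the client also offers, else None."""
    return next((s for s in profile_ids if s in offered_ids), None)

def build_sample_hello(suite_ids) -> bytes:
    """Constructed minimal ClientHello (no extensions), for this demo only."""
    suites = b"".join(struct.pack("!H", s) for s in suite_ids)
    hello = (b"\x03\x03" + bytes(32) + b"\x00"
             + struct.pack("!H", len(suites)) + suites + b"\x01\x00")
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    offered = client_hello_suites(build_sample_hello([157, 53]))  # constructed offer
    for label, profile in (("AES256-SHA256 only", [61]),
                           ("AES256-GCM-SHA384:AES256-SHA256", [157, 61])):
        chosen = negotiate(profile, offered)
        print(label, "->", SUITE_NAMES.get(chosen, "no shared cipher"))
```

A `None` result corresponds to the situation where the browser reports err_ssl_version_or_cipher_mismatch: the client and the profile have no suite in common.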