Ssl – No common encryption algorithm(s) (ssl_error_no_cypher_overlap)

opensslssl

My clients are reporting this error. I cannot reproduce it. What's more, I cannot detect any flaws: http://www.digicert.com/ http://www.ssltest.net/ https://www.ssllabs.com/ssldb/ all report dev.anuary.com to have a valid cert. I've Google(ed) for ssl_error_no_cypher_overlap, but none of the threads provided any useful guidance.

Cannot communicate securely with peer: no common encryption algorithm(s)

(Error code: ssl_error_no_cypher_overlap)

CentOS release 6.2 (Final)
OpenSSL 1.0.0-20.el6_2.3
nginx 1.0.15-1.el6.ngx
Using http://www.networksolutions.com/SSL-certificates/index.jsp Wildcard certificate.

Best Answer

As it turns out the issue was that:

Since version 1.0.5, nginx uses “ssl_protocols SSLv3 TLSv1” and “ssl_ciphers HIGH:!aNULL:!MD5” by default

(http://nginx.org/en/docs/http/configuring_https_servers.html#chains)

I've added the following to my settings and it works.

ssl_protocols        SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers          HIGH:!aNULL:!MD5;

Related Solutions

OpenSSL – Choosing the Encryption Algorithm for OSX ssh-keygen

I am not sure about how to get ssh-keygen to create a key using a specific encyprption algorithm.

You could generate your key using OpenSSL directly.

# create 1024 bit rsa and encrypt with des3 
#    make sure you set your umask or chmod this so that it is 0600, 
#    or else ssh will refuse to use it.
openssl genrsa -des3 -out .ssh/id_rsa 1024
# export an ssh public key
ssh-keygen -y -f .ssh/id_rsa > .ssh/id_rsa.pub

You could also convert the cipher of an existing key after the fact using OpenSSL.

openssl rsa -in id_rsa -out newkey_id_rsa -des3

See: genrsa(1), rsa(1), and ssh-keygen(1) for a list of the various options.

SSLCipherSuite – Disable Weak Encryption, CBC Cipher, and MD5 Algorithm

If their only complaint is MD5-based MAC, you should be able to simply add the !MD5 element to your existing cipher suite to meet the recommendation.

That said, I see they complain about the use of the CBC mode as well. Unfortunately, there is no CBC cipher group. The recommendation given to you also does not exclude CBC mode cipherspecs, at least on my version of openSSL (1.0.1e). This is a shame. If you need all such ciphers to be excluded, you could exclude all the CBC ones explicitly, though you will have to update that as they are included. Note that even HIGH includes CBC ciphers.

Including both ALL and RC4+RSA is redundant. I would be loathe to trust a security consultant (even a computerized one) that cannot even construct a well-formed cipherspec that meets their own recommendations.

The SSLCipherSuite takes an OpenSSL cipher spec. You can find this in the openssl documentation (link), but I find that this documentation is usually quite out of date. However, you can test one by running openssl ciphers ${cipherspec} on your server; output will be a :-separated list of ciphers that would be allowed by the given spec, or an error indicating none were allowed.

Similarly, if you want to know what LOW contains, do:

falcon@tiernyn ~ $ openssl ciphers 'LOW'
EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:ADH-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5

!LOW means to exclude those ones. +HIGH means to prefer the high-security ones in the ordering.

If you want a line-delimited list of all the ciphers that use CBC in your cipherspec, do:

openssl ciphers ${cipherspec} | sed 's/:/\n/g' | grep CBC

Those are the ones you'd have to exclude. You may, however, find it more reasonable to grep -v CBC and include only those (just set them up in a :-delimited list and use that as the cipherspec).

Best Answer

Related Solutions

OpenSSL – Choosing the Encryption Algorithm for OSX ssh-keygen

SSLCipherSuite – Disable Weak Encryption, CBC Cipher, and MD5 Algorithm

Related Topic