Netgate Discussion Forum

    Web GUI SSL error ERR_SSL_VERSION_OR_CIPHER_MISMATCH

      philled

      I tried to log into my web GUI today but got "ERR_SSL_VERSION_OR_CIPHER_MISMATCH" in Chrome. Firefox and Edge had the same problem.

      So then I updated pfSense to version 2.4.4, but still had the same problem.

      So I reset the LAN settings through the console which asked me if I wanted to use HTTP for the web configurator and I said yes.

      But now when I try to log in over HTTP I can see a message on the console saying "Successful login" but the pages don't come up - I'm stuck on the login page.

      So how can I either:
      a) Get the web GUI working over HTTP, or...
      b) Revert to using HTTPS and resolve the SSL issues that Chrome doesn't like?

        jimp Rebel Alliance Developer Netgate

        Switching from HTTPS to HTTP means you'll probably need to clear your cookies and cache in the browser, or use incognito mode, since your browser probably thinks it must use HTTPS thanks to HSTS and the flags in the cookies.

        We've had a couple similar reports of that error but nobody has definitively proved it was anything on the firewall doing it. In one case, a user moved the GUI to another port and it was fine with identical settings.

        Do you have any packages installed/active or port forwards that might be trying to use port 443 on your firewall and sending the traffic to another process or server?

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          philled @jimp

          @jimp said in Web GUI SSL error ERR_SSL_VERSION_OR_CIPHER_MISMATCH:

          Switching from HTTPS to HTTP means you'll probably need to clear your cookies and cache in the browser, or use incognito mode, since your browser probably thinks it must use HTTPS thanks to HSTS and the flags in the cookies.

          Thanks for the tip - by opening an incognito tab I can now log in and access the web UI over HTTP. That will keep me going until I can sort out the underlying SSL issue.
          Thanks!

            Rich Taylor-Worth @jimp

            @jimp

            Does the web server in pfsense use SSL 2 still? Microsoft now only supports SSL3 and TLS1.0 through 1.2.

            This is my suspicion since I am having the same problem on Microsoft machines but not on Linux or Macs where I am allowed to override the SSL ERROR NO CYPHER OVERLAP. Of course on my internal network I can use HTTP but I would prefer not to for very long. It is also convenient to be able to access PFSENSE from Windows 10. Just a thought. Thanks for looking into this.

              Grimson Banned

              https://forum.netgate.com/topic/137390/ssl_error_no_cypher_overlap-when-trying-to-connect-to-webgui

                jimp Rebel Alliance Developer Netgate

                The GUI does not support SSL2, or even SSL3 or TLS 1.0.

                                ssl_protocols   TLSv1.1 TLSv1.2;
                                ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
                

                Though it's possible you have something else local, like an Anti-Virus package, interfering.

                  Rich Taylor-Worth

                  Thanks so much. Good to know. Excuse my ignorance but I cannot completely reconcile your description of the SSL ciphers supported with Microsoft’s descriptions of their supported ciphers at release 1809 of Windows 10 at this URL: https://docs.microsoft.com/en-us/windows/desktop/secauthn/tls-cipher-suites-in-windows-10-v1809

                  Would you mind glancing at their list and confirming an overlap? Perhaps then I might force a group policy to allow me to use HTTPS on Windows 10.

                  Again thanks for your time or anyone’s time on this issue. I will continue to investigate locally.

                    Rich Taylor-Worth

                    Mea Culpa. Laptops loaded with BITDEFENDER 2019 are using encrypted web scan protection even when an exception is loaded for PFSENSE firewall which is triggering the error. Turning off encrypted web scan under online web protection allows the correct self-signed security error under the browsers which may be overridden.

                    Thanks for all. Off I go to Bitdefender to ask them to truly honor added exceptions. Sigh.

                    1 Reply Last reply Reply Quote 0
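
An added example, not code from the thread or from pfSense, for the overlap question raised above: it expands the `ssl_ciphers` string quoted by jimp with the local OpenSSL build (which may differ slightly from the firewall's) and intersects it with a client's offer by IANA code point. The client protocol set and suite list are constructed sample values, not Microsoft's published list; substitute what your client actually offers.

```python
import ssl

# ssl_protocols / ssl_ciphers values from the nginx lines quoted in the thread.
SERVER_PROTOCOLS = {"TLSv1.1", "TLSv1.2"}
SERVER_CIPHER_STRING = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"

# Constructed sample client offer (IANA code point -> IANA name), in client
# preference order. Replace with what your client sends in its ClientHello.
CLIENT_PROTOCOLS = {"TLSv1", "TLSv1.1", "TLSv1.2"}
CLIENT_SUITES = {
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x009F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
}


def server_suites(cipher_string):
    """Expand an OpenSSL cipher string using the local OpenSSL build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # get_ciphers() also lists TLS 1.3 suites, which the cipher string does not
    # control and the quoted ssl_protocols line does not enable; drop them.
    return {c["id"] & 0xFFFF: c["name"]
            for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}


def shared_protocols(server, client):
    """Protocol versions enabled on both sides."""
    return sorted(server & client)


def overlap(cipher_string, client_suites):
    """Return (IANA name, OpenSSL name) pairs both sides support, client order."""
    server = server_suites(cipher_string)
    return [(name, server[code]) for code, name in client_suites.items()
            if code in server]


if __name__ == "__main__":
    print("protocols:", shared_protocols(SERVER_PROTOCOLS, CLIENT_PROTOCOLS))
    for iana, openssl_name in overlap(SERVER_CIPHER_STRING, CLIENT_SUITES):
        print(f"shared: {iana} ({openssl_name})")
```

When both lists come back non-empty and the browser still reports a version or cipher mismatch, the handshake is being answered by something other than the GUI, which is where this thread ended up (local encrypted web scanning).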
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.