SSL cipher mismatch...
 
Notifications
Clear all

[Solved] SSL cipher mismatch (handshake problem)

2 Posts
1 Users
1 Reactions
532 Views
(@ikanpar1)
Joined: 12 months ago
Posts: 2
Topic starter  

Hello, my server initially use Let's Encrypt for admin and web interface, and self-signed certificate for IMAPS.

I purchase a Sectigo Single Domain DV certificate, and deploy it on the server with:

zmcertmgr verifycrt comm /opt/zextras/ssl/carbonio/commercial/commercial.key /tmp/certs/mail_mydomain_com.crt /tmp/certs/mail_mydomain_com.ca-bundle

zmcertmgr deploycrt comm /tmp/certs/mail_mydomain_com.crt /tmp/certs/mail_mydomain_com.ca-bundle

Everything is well without error, but when I open my admin dashboard at https://mail.mydomain.com:6071 and the webmail interface at https://mail.mydomain.com, and check the mail with Thunderbird, everything is inaccessible.

Chrome error: "mail.mydomain.com uses an unsupported protocol. ERR_SSL_VERSION_OR_CIPHER_MISMATCH".
Firefox error: SSL_ERROR_NO_CYPHER_OVERLAP"
Thunderbird (with IMAPS) error: "Non overridable TLS error occured. Handshake error or probably the TLS version or certificate used by the server mail.mydomain.com  is incompatible"

I try to check handshake, the certificate works using IP address but not using hostname:

> openssl s_client -connect mail.mydomain.com:443 
CONNECTED(00000003)
40A7CAA7D67F0000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1586:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 331 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
> openssl s_client -connect 1.2.3.4:443 
CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = mail.mydomain.com
verify return:1
---
Certificate chain
 0 s:CN = mail.mydomain.com
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 18 00:00:00 2024 GMT; NotAfter: Feb 17 23:59:59 2025 GMT
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384
   v:NotBefore: Nov  2 00:00:00 2018 GMT; NotAfter: Dec 31 23:59:59 2030 GMT
 2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA384
   v:NotBefore: Mar 12 00:00:00 2019 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
 3 s:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
   i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA1
   v:NotBefore: Jan  1 00:00:00 2004 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
(deleted)
-----END CERTIFICATE-----
subject=CN = mail.mydomain.com
issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 6251 bytes and written 377 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 8A9EB6F3EF869F9F38EC3B87B7F276388083CD3526802F4FE941E4523DC6942B
    Session-ID-ctx: 
    Resumption PSK: 7DB79AB4EA0F6931AA616690C38CA96E805BD182C75BEAE1E455A774A47AC49B24231D9D80CF3FA7D82356876F4EE078
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 600 (seconds)
    TLS session ticket:
    0000 - 07 69 45 e8 e0 9e b2 a1-28 62 7b dd 2a 17 d5 cf   .iE.....(b{.*...
    0010 - d8 c7 d1 81 c2 ed c4 b0-26 16 10 fb 95 79 5d 7e   ........&....y]~
    0020 - e6 19 c9 ea 1c 99 db 30-5c cc 76 4b 14 16 65 d1   .......0\.vK..e.
    0030 - 7a 05 f0 81 43 2d 60 70-0f 4f 4d 41 bf 14 22 c5   z...C-`p.OMA..".
    0040 - ca e3 7b d5 35 7a 98 f7-72 e4 4a e0 87 d5 49 1a   ..{.5z..r.J...I.
    0050 - 52 c0 23 7d f1 7a 95 34-8e 43 97 55 26 ed 7d 82   R.#}.z.4.C.U&.}.
    0060 - d2 1d 3a 68 ee f4 1a 02-09 c8 f0 3d ec bc 08 63   ..:h.......=...c
    0070 - 25 19 42 bf 92 11 0a 1a-00 34 c3 fa 69 a7 64 e7   %.B......4..i.d.
    0080 - 81 80 87 d8 4d 08 5e ec-88 86 9a 94 9c fe 85 de   ....M.^.........
    0090 - 82 aa ac 6e 73 32 ec 89-d3 ac de 33 38 de 75 93   ...ns2.....38.u.
    00a0 - 17 00 06 4c 0e 74 aa 21-51 4f 6f 78 56 36 62 fb   ...L.t.!QOoxV6b.
    00b0 - 7b 4b 30 bb 34 50 fe 87-5d 99 d4 da 15 24 57 05   {K0.4P..]....$W.
    00c0 - 01 ba 14 cb c9 31 21 73-64 75 48 e4 20 bf f1 45   .....1!sduH. ..E
    00d0 - 6d c9 a3 f0 78 38 a9 e8-ba e1 3d 17 12 28 13 c1   m...x8....=..(..

    Start Time: 1705600328
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 189274AA1DEA1C0B203B47C8EFDC0A3CB4EED8BF2B4EE5D8BD9389A97CC47B38
    Session-ID-ctx: 
    Resumption PSK: B045B63BE49617CDC98081CAB600E8C488BC83EC1B60A87AF1EAD413EA75D4250388C91116CE4E10CFFA0C36DBB2F0E2
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 600 (seconds)
    TLS session ticket:
    0000 - 07 69 45 e8 e0 9e b2 a1-28 62 7b dd 2a 17 d5 cf   .iE.....(b{.*...
    0010 - 0e 1e 77 33 ab c6 b4 36-c8 9c a9 35 f3 9a 6f eb   ..w3...6...5..o.
    0020 - d0 5d d7 dd ad 07 c2 8f-cd 5a 03 df a8 0b 20 e6   .].......Z.... .
    0030 - e0 e0 4c 3b 52 f2 c1 2a-7a 18 13 79 ac 29 0c 4c   ..L;R..*z..y.).L
    0040 - fb 2b 35 14 67 1e 66 8a-9d 78 70 80 e5 0b 77 69   .+5.g.f..xp...wi
    0050 - 63 33 45 ca d3 5f d8 0b-31 c3 20 97 15 ea 85 48   c3E.._..1. ....H
    0060 - a9 a3 dd f2 b9 f8 ba db-d5 6f fa b0 5d 88 fb f2   .........o..]...
    0070 - fc c5 58 4b 07 ca 9b 50-87 3c e1 c1 4d c3 63 a8   ..XK...P.<..M.c.
    0080 - df e4 d3 fe 3c f5 20 43-0b 5b 2c ab 97 76 85 ae   ....<. C.[,..v..
    0090 - 83 de b0 2d cc 72 d8 26-52 3d 13 5a b6 4d 33 63   ...-.r.&R=.Z.M3c
    00a0 - f4 be 2a d0 ed a6 d3 e3-54 31 9b 7e c5 2a ea 59   ..*.....T1.~.*.Y
    00b0 - 05 83 4d 6a 38 ba 02 7a-e7 76 2e ce c9 ea 95 2e   ..Mj8..z.v......
    00c0 - 03 02 dd a5 06 90 1f 65-1c ff a3 4c fa ff ba 92   .......e...L....
    00d0 - c1 0f f2 c6 cf b1 24 8a-79 47 1e f5 bf 4a 95 8e   ......$.yG...J..

    Start Time: 1705600328
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
closed

Admin console and web interface can be accessed through the IP address, even when they throw that the certificate is wrong. I find it weird that on the Virtual Host section on the Admin Console, it still listed Let's Encrypt as the certificate. Any clue on how I can fix this?

 

Thanks!


   
Quote
(@ikanpar1)
Joined: 12 months ago
Posts: 2
Topic starter  

Update: this problem is solved. For anyone else who may encounter this error, the cause in my problem is virtual host with letsencrypt certificate with the same name as the host name of the server.

 

In the past, right after installation, I created a vhost with the same name as the host name of the server with letsencrypt certificate so https on admin panel and webmail work correctly. After I delete the vhost and the letsencrypt certificate, my commercial certificate is served correctly.


   
ReplyQuote