bypassing the “ssl_error_no_cypher_overlap” error in Firefox 34

Generally speaking, it’s a bad idea to override security protocols browsers have instituted as they are designed to keep you safe on the internet (in the “less likely to be hacked” sense).  However, with a recent update to Firefox 34, a website I use all the time for my research that is run by my university was no longer allowing me to login.  Instead, I was receiving this message:

ssl1

Since I know the website is safe (I’ve used it thousands of times over the last seven years), I needed to bypass this security protocol in Firefox.  After some googling for solutions, I found one, but it wasn’t very clear.  So, here’s what I did with screen captures for assistance…

1) Open a new tab in Firefox and type “about:config” in the URL bar (without the quotes, of course):

ssl3

2) You’re likely to get another warning message saying “This might void your warranty!” (see screen capture below)  Firefox is trying to keep you from making changes to the underlying settings of the browser.  Promise to be careful and move on:

ssl2

3) Once you click on the “I promise to be careful” button, you’ll see a search box and a huge list of settings:

ssl4

4) In the search bar, enter the following (without the quotes): “security.tls.version.”:

ssl6

5) You’re going to change two of those settings.  First, right-click on the setting “security.tls.version.fallback-limit” and select modify.  You’re going to change the “1” to “0”.  Then do the same thing with “security.tls.version.min”, changing the “1” to “0”.  You should now see the following:

ssl5

6) Now trying loading the page that was giving you the security warning.  It should load.

NOTE: Keep in mind, you have now made your browser less secure.  Really what you should do is contact the administrator of the website that isn’t loading and tell them that they need to update their security on the website so you don’t have to expose yourself to greater security risks.  But, if this is an essential website for you to use in the meantime, this should get you around the issue.

Loading


Posted

in

by

Comments

70 responses to “bypassing the “ssl_error_no_cypher_overlap” error in Firefox 34”

  1. Daniel Fischer Avatar

    Sadly, even this didn’t help – could you please check whether *your* Firefox can access after the fix you describe? (An older Opera version has no problems with that site.)

    Thanks!

    1. ryan Avatar

      Hi Daniel,

      You’re correct. That site is still not loading even with the changes in place. Not sure why it isn’t working. My only suggestion would be to try adjusting some of the other SSL settings (in the about:config window of Firefox, type “security.ssl” and you’ll be able to see about 20 different options that you could modify to see if they allow you to access that site). If you figure it out, please come back and post here to let us know what worked.

    2. June Myklebust Avatar
      June Myklebust

      the first setting that was said to change from 1 to 0 on my pc was at 3 changing to 0 did not work but changing it to 1 {from 3} worked.

      1. Adam Avatar
        Adam

        Thank you that worked for me.

      2. Pedro Sá Avatar

        This worked for me too. Thank you very much!

  2. G. Koelman Avatar
    G. Koelman

    In windows10 it was not possible logging in in https://“remote draytek router”:443.
    This solution fixed the job.

    1. John Avatar

      Had the same issue accessing our Draytek on 8.1. Once again, this solution fixed the problem on Firefox. Very many thanks!

  3. Alex Avatar
    Alex

    thnx man!

  4. Nik Avatar
    Nik

    Problem is that – after a look at the traffic via Wireshark – FF34 still sends “SSL 3.0 Client Hello” (Version: SSL 3.0 (0x0300)) while the server then responds with a “Level: Fatal – Handshake Failure”, and FF just displays the erroneous message about “Firefox cannot guarantee the safety of your data on localhost because it uses SSLv3, a broken security protocol.”, which is completely rubbish. This is clearly a bug in FF.

  5. Phil Avatar
    Phil

    Thanks Man!

  6. Bob Farrow Avatar
    Bob Farrow

    Thanks you for diagnosing this problem and having the patience and kindness to publish it.

  7. Paul Avatar
    Paul

    Thank you for the instructions, this worked.

  8. Aldo Avatar
    Aldo

    The procedure described here works perfectly for my case: I had a configuration page for a server with limited possibilities to manage certificates (only a self-signed certificate was available) that was no longer working after latest updates of firefox and chrome. Now it works again.

    Thanks a lot!
    Aldo

  9. Trepa Avatar
    Trepa

    You can globally re-enable connecting to ssl by going into about:config
    search for the preference named security.tls.version.min. double-click it, change its value to 0 and restart the browser.

  10. P S Kundu Avatar
    P S Kundu

    (Error code: ssl_error_no_cypher_overlap) how to overcome?

  11. Haakon Avatar
    Haakon

    Thanks a lot, this helped me log in to our old unsecure UPS adminpage 🙂

  12. Rajesh Avatar
    Rajesh

    Thanks a lot

  13. Anna Avatar
    Anna

    Worked Thank u

  14. ark Avatar
    ark

    Thank you, perfect. It worked

    1. bill Avatar
      bill

      i used internet explorer to access the site that fire fox would not let me access due to the error code and had no problem

  15. Ed Avatar
    Ed

    Thanks — I just ran into this problem and your fix worked.

  16. Anil Avatar
    Anil

    thanks bro

  17. Funkyy Avatar
    Funkyy

    Thanks a million for the solution. I had been trying all day to enter a page of the Tax Dept and kept getting the error message. I tried your solution and it worked first time. I also reset the changes back to normal afterwards. Thanks again, this was very important for me.

  18. bill@srnm.net Avatar
    bill@srnm.net

    Great! I have tried several fixes with no luck. This one worked. Thank you!

  19. Rob Avatar
    Rob

    Thanks, this worked, but:
    ” Really what you should do is contact the administrator of the website that isn’t loading and tell them that they need to update their security on the website so you don’t have to expose yourself to greater security risks.”

    Can someone tell American Airlines that?

  20. Harry Gebel Avatar
    Harry Gebel

    Ryan, you say you know the website is safe, but in fact it is not. It is still using SSL v3.0 which is vulnerability not just for you but for the website as well. The only way to make it safe is to convince the administrators to stop allowing SSL v3.0, not to bypass the browsers protections. The fact that you know the website operators have no bad intentions is not relevant, as this vulnerability can be exploited without the cooperation of the website administrators, or even of anyone connect with the website. If you do have to access the website, please turn the protections back on when you are finished.

  21. ryan Avatar

    Alas, I don’t. The reason why I was figured it out on Firefox was because I couldn’t figure it out on Chrome. Do you really need to use Chrome on that website? If so, another option would be to use an older version of Chrome. You could set up a virtual machine using something like Virtual Box and install an older version of Chrome on that. That would get around it if you really need to. Not sure what to tell you with the latest versions other than to tell the website host to update their site.

  22. Vulk Avatar
    Vulk

    This worked perfectly on firefox.

    However, I’m having the exact same problem in Google Chrome but it presents itself as a timeout limit error. I have uninstalled/reinstalled, restarted, and even performed a system restore and the problem persists on Chrome for the same website with https which now works on Firefox due to your fix.

    Do you have any suggestions to make this fix on Chrome? I would appreciate it.

  23. Rick Avatar
    Rick

    Thank you for publishing this. It fixed my problem accessing a local utility site.

  24. vegesoft Avatar
    vegesoft

    Excelente, me funciono para la siguiente url “

  25. Lucy Avatar
    Lucy

    This is bad advice. You should add the domains you want to bypass to this about:config entry: security.tls.insecure_fallback_hosts

    Separate them by commas. See the solution here – https://support.mozilla.org/en-US/questions/1058193#answer-719770

    This allows you to *only* bypass the security for sites you trust/must access. Not for everything.

    1. ashraf nalakath Avatar
      ashraf nalakath

      this is working fine for me

    2. Havs Avatar
      Havs

      THANK YOU! THANK YOU! THANK YOU! This did the trick to reach my Juniper SSGs.

    3. Claudia Lertora Avatar

      Thanks very much Lucy! 🙂 This worked perfectly for me (I’m using a firefox portable)

    4. Rick Avatar
      Rick

      Many thanks Lucy, your post did help me a lot…

    5.  Avatar
      Anonymous

      Thanks Lucy. Adding hosts (I added IPs in my case) in security.tls.insecure_fallback_hosts finally allowed me to bypass this error. All other suggested fixes did not work.

    6. Rene Avatar
      Rene

      Good Answer!
      Used it myself.

  26. anxelm Avatar

    the combination of you and lucy solved my problem. many and much thanks to you both. well, lucy, that’s better advice. (p.s. after my successful login, i removed the domain from security.tls.insecure_fallback_hosts and it still worked – i think i have had a ‘bad’ certificate)

    anx

  27. laks Avatar
    laks

    Thank you for the steps.

  28. ahmad jahri Avatar
    ahmad jahri

    thank you

  29. Rain Avatar
    Rain

    No with Firefox version 39 they have “fixed” this solution. Still not working 🙁

  30.  Avatar
    Anonymous

    Thanks!!! It works!!!

  31.  Avatar
    Anonymous

    Explanation and advice by Lucy (above comment) seems wise. However it needs to be tested!!! The hack mentioned in the post is perfect :)!!!

  32.  Avatar
    Anonymous

    you’re fantastic!
    Thanks a lot!

  33. Rick Avatar
    Rick

    The solution posted in this article previously worked for me, but no longer works in version 39.0. I gave up looking for a fix and went with a different browser.

  34. Sidharth Avatar
    Sidharth

    I was unable to open most of the https sites on my computer at college lab. The computer runs Firefox 12.0. This version of Firefox does not have the options “security.tls.version.” and “security.tls.version.min”. Instead it had the option “security.enable_tls”. It was set to ‘false’ by someone. Toggling it to ‘true’ made the https sites load.

    1. JD Avatar
      JD

      This worked for me .Thanks a lot.

  35. Mukharjee Pinapaka Avatar

    please add -keyalg RSA while generating key . this will solve the problem

  36. Richard Avatar
    Richard

    You sir are the greatest person to have ever lived! worked like a charm. 😀

  37. Henk Avatar
    Henk

    Only security.tls.insecure_fallback_hosts worked for me – thanks Lucy!

  38. Mavil Avatar
    Mavil

    If it doesn’t work just set this option security.tls.unrestricted_rc4_fallback;true
    and that’s it!

    🙂

    1. Bruce Greyhame Avatar
      Bruce Greyhame

      You sir are a genius!!! NOTHING worked on here but your suggestion/solution worked!!!

  39. jan Avatar
    jan

    For me works following:
    security.tls.version.fallback-limit;1
    security.tls.version.max;3
    security.tls.version.min;1
    services.sync.prefs.sync.security.tls.version.max;false
    services.sync.prefs.sync.security.tls.version.min;false

  40. Bryan D Avatar
    Bryan D

    I completed the following and it worked for me:
    1. security.tls.unrestricted_rc4_fallback – toggled to true
    2. security.tls.version.fallback-limit – set to “0”
    3. security.tls.version.min – set to “0”

    Ryan, thanks for the nudge in the right direction!

    1. suse Avatar
      suse

      This exact setup worked for me as well.

  41. Stefan Freinatis Avatar

    With Firefox 50.0 none of the above mentioned advices worked for me. I’m still staying unable to log into my local area network connected SNOM370 IP phone.

    1. Stefan Freinatis Avatar

      Update — the RC4 support has been completely removed in FF50 as stated in https://www.fxsitecompat.dev/en-CA/docs/2016/rc4-support-has-been-completely-removed/. Yep, owing to this paternalism by Mozilla, I cannot HTTPs my phone next to me.

    2. Roger Lee Avatar
      Roger Lee

      Yes, it appears that you really need to keep the Firefox 49.0.2 installer on hand now. Turn off all updating, install 49.0.2 and add the domains you want to bypass to about:config entry: security.tls.insecure_fallback_hosts (Thanks, Lucy!)

  42. Donald Avatar
    Donald

    The solution from Bryan (10/13/2016) did work for me too. I had firefox 51, downgraded to firefox 49 and implemented solution.

    1. Holger Avatar
      Holger

      Thx for clearification about dropped RC4 support in version 50. I was struggling with problems for weeks.
      I solved it temporarily be using an old IE to access the two sites causing me problems.

  43. Molls Avatar
    Molls

    Hiya! Sadly when I typed in “security.tls.version.” It did not work 🙁 and I have a report due soon! Any suggestions?

    1. Molls Avatar
      Molls

      (and yes I typed it without the quotations)

      1. ryan Avatar

        I just checked in the latest version of Firefox and it still pulls up. Did you type “about:config” in the browser URL bar first? Then, in the Search box below that, search for security.tls.version? If so, you should find it.

  44. magic hands Avatar
    magic hands

    I used a old copy of Firefox-Portable I still had from 2013. It is version 21, so it connected with no changes needed.

  45. Mark Avatar
    Mark

    None of these workarounds — absolutely *NONE* of them — works with FF 56. Looks like I’m stuck forever with “ssl_error_no_cypher_overlap” if I want to keep using FF, particularly whenever I try to log into Amazon.com

    Utterly absurd.

  46. Usman Avatar
    Usman

    worked…thanks

  47. barebones Avatar
    barebones

    Amazing! A straight forward, easy to follow solution that actually works. I just updated to Firefox 62.?, the UN was diddling with the Internet over the weekend, and the Sunnyvale crud were pre-election deleting conservative sites . I still don’t know what caused the problem, but it is now avoided. I’m using Kaspersky so hope it helps with security.

  48.  Avatar
    Anonymous

    ?

  49. Noah Avatar
    Noah

    This error can also be caused by BT Webprotect blocking a site by mistake, so if you are with BT this is worth checking too.

  50. james Avatar
    james

    Hello am using firefox3.6.28 the error still persists despite am using windows cp so i cant update to the latestet version any assistance

Leave a Reply

Your email address will not be published. Required fields are marked *