Chrome 41 ERR_SSL_VERSION_OR_CIPHER_MISMATCH Tomcat 7

Question

Since I have updated Chrome from Version 40 to 41, I no longer can access my ssl site running in a local tomcat 7 instance. I have a self signed certificate.

Chrome just

Answer 1

I doubt its an SSL/TLS protocol version problem. Most of the time this error means the server and client couldn't agree on which cipher to use. Take a look at this blog post: https://blog.eveoh.nl/2014/02/tls-ssl-ciphers-pfs-tomcat/ on how to enable a secure and compatible cipher suite in Tomcat.

Answer 2

If you came here from Google and since this is the highest ranking 'ERR_SSL_VERSION_OR_CIPHER_MISMATCH' entry:

another explanation is that you started an nodejs https or express server with invalid or empty credentials. The irritating bit is that the server starts without complaining and ssl seems to work, but the negotiation between browser and server fails with this error.

Answer 3

I had the same problem with my Java EE web application running with a self signed certificate on Wildfly 8.1.

You are probably using a 1024 bit DSA public key with your selfsigned certificate and Chrome stops/stopped supporting DSA(DSS).

Creating a RSA 2048 certificate and using it with your web application should solve your problem.

Answer 4

In the Tomcat server.xml file you can set ciphers attribute in the SSL/TLS <connector/> element.

ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 
         TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
         TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
         TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
         TLS_ECDHE_RSA_WITH_RC4_128_SHA,
         TLS_RSA_WITH_AES_128_CBC_SHA256,
         TLS_RSA_WITH_AES_128_CBC_SHA,
         TLS_RSA_WITH_AES_256_CBC_SHA256,
         TLS_RSA_WITH_AES_256_CBC_SHA,
         SSL_RSA_WITH_RC4_128_SHA"

This solved the problem in my case for ERR_SSL_VERSION_OR_CIPHER_MISMATCH in Chromium / Chrome and for ssl_error_no_cypher_overlap in Firefox.