So, I was playing with an OpenWrt device and installed some packages (not related to TLS, aka “SSL”)… I rebooted, and I couldn’t sign in to the web interface anymore…
Firefox just gave me an “SSL_ERROR_NO_CYPHER_OVERLAP”, which should mean that the server and client don’t share any cipher suite they could use to talk to each other securely…
So, I tried Safari, but that doesn’t work without modifying your system’s certificate trust settings and permanently trusting that cert, which I don’t feel like doing…
…So, I tried Chrome, no luck!
So, I ran a TLS scan against it; here’s the output:
Version: 2.0.10
OpenSSL 3.0.1 14 Dec 2021
Connected to 172.18.10.30
Testing SSL server 172.18.10.30 on port 443 using SNI name 172.18.10.30
SSL/TLS Protocols:
SSLv2 disabled
SSLv3 disabled
TLSv1.0 disabled
TLSv1.1 disabled
TLSv1.2 disabled
TLSv1.3 enabled
TLS Fallback SCSV:
Server supports TLS Fallback SCSV
TLS renegotiation:
Session renegotiation not supported
TLS Compression:
Compression disabled
Heartbleed:
TLSv1.3 not vulnerable to heartbleed
Supported Server Cipher(s):
Preferred TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve P-256 DHE 256
Accepted TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve P-256 DHE 256
Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve P-256 DHE 256
Server Key Exchange Group(s):
TLSv1.3 81 bits sect163k1
TLSv1.3 81 bits sect163r1
TLSv1.3 81 bits sect163r2
TLSv1.3 96 bits sect193r1
TLSv1.3 96 bits sect193r2
TLSv1.3 116 bits sect233k1
TLSv1.3 116 bits sect233r1
TLSv1.3 119 bits sect239k1
TLSv1.3 141 bits sect283k1
TLSv1.3 141 bits sect283r1
TLSv1.3 204 bits sect409k1
TLSv1.3 204 bits sect409r1
TLSv1.3 285 bits sect571k1
TLSv1.3 285 bits sect571r1
TLSv1.3 80 bits secp160k1
TLSv1.3 80 bits secp160r1
TLSv1.3 80 bits secp160r2
TLSv1.3 96 bits secp192k1
TLSv1.3 96 bits secp192r1
TLSv1.3 112 bits secp224k1
TLSv1.3 112 bits secp224r1
TLSv1.3 128 bits secp256k1
TLSv1.3 128 bits secp256r1 (NIST P-256)
TLSv1.3 192 bits secp384r1 (NIST P-384)
TLSv1.3 260 bits secp521r1 (NIST P-521)
TLSv1.3 128 bits brainpoolP256r1
TLSv1.3 192 bits brainpoolP384r1
TLSv1.3 256 bits brainpoolP512r1
TLSv1.3 128 bits x25519
TLSv1.3 224 bits x448
TLSv1.3 112 bits ffdhe2048
TLSv1.3 128 bits ffdhe3072
TLSv1.3 150 bits ffdhe4096
TLSv1.3 175 bits ffdhe6144
TLSv1.3 192 bits ffdhe8192
SSL Certificate:
Signature Algorithm: ecdsa-with-SHA256
ECC Curve Name: prime256v1
ECC Key Strength: 128
Subject: OpenWrt
Issuer: OpenWrt
Not valid before: Oct 17 22:04:07 2021 GMT
Not valid after: Oct 18 22:04:07 2023 GMT
Apart from some weak key exchange groups, nothing seems to be wrong with it…
So, here’s how I fixed it… I SSHed into it as root and ran:
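To triage a scan like the one above without reading it by eye, here is an added Python example (not part of the original post) that parses the text format shown, which I assume is sslscan's, and flags the two things worth acting on: a protocol set that leaves clients without TLS 1.3 with no cipher overlap, and key exchange groups below 112-bit security. The embedded sample scan is a constructed excerpt of the output above.

```python
import re

# Constructed excerpt of sslscan-style text output, modelled on the scan in the post
SAMPLE_SCAN = """\
SSL/TLS Protocols:
TLSv1.1 disabled
TLSv1.2 disabled
TLSv1.3 enabled
Supported Server Cipher(s):
Preferred TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve P-256 DHE 256
Accepted TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve P-256 DHE 256
Server Key Exchange Group(s):
TLSv1.3 81 bits sect163k1
TLSv1.3 128 bits secp256r1 (NIST P-256)
TLSv1.3 128 bits x25519
TLSv1.3 112 bits ffdhe2048
"""

PROTO_RE = re.compile(r"^(SSLv\d|TLSv1\.\d)\s+(enabled|disabled)$")
CIPHER_RE = re.compile(r"^(?:Preferred|Accepted)\s+(TLSv1\.\d)\s+\d+ bits\s+(\S+)")
GROUP_RE = re.compile(r"^TLSv1\.\d\s+(\d+) bits\s+(\S+)")

def parse_sslscan(text):
    """Return (protocols, ciphers, groups) parsed from the scanner's text output."""
    protocols, ciphers, groups, section = {}, [], [], None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(":"):  # section headers such as "Server Key Exchange Group(s):"
            section = line
        elif section == "SSL/TLS Protocols:" and (m := PROTO_RE.match(line)):
            protocols[m.group(1)] = m.group(2) == "enabled"
        elif section == "Supported Server Cipher(s):" and (m := CIPHER_RE.match(line)):
            ciphers.append((m.group(1), m.group(2)))  # (protocol, suite name)
        elif section == "Server Key Exchange Group(s):" and (m := GROUP_RE.match(line)):
            groups.append((m.group(2), int(m.group(1))))  # (group name, security bits)
    return protocols, ciphers, groups

def triage(text, min_group_bits=112):
    """Findings a defender acts on: protocol coverage and weak key exchange groups."""
    protocols, ciphers, groups = parse_sslscan(text)
    findings = []
    if sorted(p for p, on in protocols.items() if on) == ["TLSv1.3"]:
        findings.append("only TLSv1.3 enabled: clients without TLS 1.3 get no cipher overlap")
    if not ciphers:
        findings.append("no cipher suite accepted by the server")
    weak = [name for name, bits in groups if bits < min_group_bits]
    if weak:
        findings.append(f"key exchange groups under {min_group_bits}-bit security: {', '.join(weak)}")
    return findings
```

Run `triage(open("scan.txt").read())` on a saved scan to get the findings list; an empty list means nothing in scope was flagged.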
opkg update
opkg install libmbedtls
service uhttpd restart
And now it works! Magic! 🤷🏻♀️
Note: OpenWrt seems to use WolfSSL by default instead of libmbedtls.
Anyway, I hope this fixes it for you too.
This is really helpful. I keep running into this, and then I search and I find your blog and I remember “oh yeah, that’s how you fix it!” My problem is that I’ve installed libmbedtls and restarted uhttpd and it’s fine. Then I reboot (from inside LuCI). After I reboot, I’m back to the SSL_ERROR_NO_CYPHER_OVERLAP error. I SSH into my router, run `service uhttpd restart` and the error goes away.
Any ideas what I can do so that it comes up right on reboot every time?