SSL Handshake Fails with Browser Errors: ERR_SSL_PROTOCOL_ERROR, ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION, SSL_ERROR_NO_CYPHER_OVERLAP, ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY (Doc ID 1955915.1)

Last updated on APRIL 27, 2017

Applies to:

Oracle HTTP Server - Version 10.1.2.0.0 and later
Weblogic Web Server - Version 9.2 and later
Oracle Fusion Middleware - Version 10.1.2.0.0 and later
Oracle WebLogic Server - Version 12.1.1.0 to 12.1.1.0 [Release 12c]
Information in this document applies to any platform.

Symptoms

SSL Handshake Fails with Browser Errors: ERR_SSL_PROTOCOL_ERROR, ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION, SSL_ERROR_NO_CYPHER_OVERLAP, ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY

When users access an application over https://, the connection fails. The error shown depends on the browser and on the specific problem it detects, but it usually appears after updating to a newer browser version that applies stricter checks to ensure you are reaching secure sites:

-- Chrome reports a very common error, as it checks protocol negotiation:

ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION (for TLS negotiation issue)

"Server has a weak ephemeral Diffie-Hellman public key" (when a DHE_EXPORT ciphersuite is enabled on a server but not on a client)

-- Firefox will provide something like this depending on version and application, though it is more related to ciphers used in the handshake:

Advanced info: ssl_error_no_cypher_overlap or ssl_error_weak_server_ephemeral_dh_key or NS_ERROR_NET_RESET

-- Microsoft browsers will usually say "Page Cannot be Displayed"

-- Java clients may have similar issues; a connection attempt may fail with the following:

javax.net.ssl.SSLException: Received fatal alert: illegal_parameter

-- When looking in the logs for the Oracle HTTP Server, these errors are seen:

SSL call to NZ function nzos_Handshake failed with error 29014
SSL call to NZ function nzos_Handshake failed with error 29049
SSL call to NZ function nzos_Handshake failed with error 28864


Errors may differ depending on the version and HTTP server product in use. The basic symptom is that the SSL handshake fails and the client closes the connection.

The next step is to investigate the server-side SSL configuration to ensure it performs a secure handshake as expected. The failure may depend on the protocol and/or cipher in use.
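One way to begin that server-side check, as an added example that is not part of the Oracle note: a Python probe that attempts one handshake per TLS protocol version and reports whether the server's accepted versions overlap with what a current client requires. The function names and the `client_minimum` default of TLS 1.2 are assumptions of this example.

```python
import socket
import ssl

# Versions tested one at a time. SSLv3 is omitted: most OpenSSL builds cannot offer it.
VERSIONS = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
            ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)

def probe(host, port, version, timeout=5.0):
    """Try one handshake pinned to `version`; return (status, detail)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # diagnosing protocol support only,
    ctx.verify_mode = ssl.CERT_NONE  # so the certificate is not validated here
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError as exc:        # local OpenSSL cannot speak this version
        return "client-unsupported", str(exc)
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:           # refused, timed out, no route, ...
        return "unreachable", str(exc)
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "accepted", tls.cipher()[0]  # negotiated cipher suite
        except OSError as exc:       # ssl.SSLError is a subclass of OSError
            return "rejected", getattr(exc, "reason", None) or str(exc)

def survey(host, port):
    """Probe every version in VERSIONS against one server."""
    return {v: probe(host, port, v) for v in VERSIONS}

def diagnose(results, client_minimum=ssl.TLSVersion.TLSv1_2):
    """Relate the survey to the 'old browser works, new browser fails' symptom."""
    accepted = [v for v, (status, _) in results.items() if status == "accepted"]
    if not accepted:
        return "no version accepted: check reachability and cipher configuration"
    if max(accepted) < client_minimum:
        return "server only accepts versions below the client minimum"
    return "protocol overlap exists: look at cipher suites and certificate next"

if __name__ == "__main__":
    import sys
    res = survey(sys.argv[1], int(sys.argv[2]))   # usage: probe.py HOST PORT
    for v, (status, detail) in res.items():
        print(f"{v.name:8} {status:18} {detail}")
    print(diagnose(res))
```

A "rejected" result for TLS 1.0 or 1.1 can also come from the local OpenSSL policy on the probing machine rather than from the server, so confirm old-version results from a second client.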

 

Changes

Update Client

Problems occur after users have updated client browsers (Chrome, Firefox, Internet Explorer, etc.). They begin after various SSL-related security alerts against lower protocol versions and weak ciphers, which were once popular but are now deprecated because they are insecure. This can also happen on a new installation with a new SSL configuration.

- The key point is that it works on an older browser but fails on a newer browser (or other client).

- Note there are different errors here, so there are different root causes for each. The solution can be consolidated into updating protocols, ciphers and certificates for newer SSL standards.

Cause
