So, I was playing with an OpenWrt device, installed some packages (not related to TLS aka “SSL”)… I rebooted, and I couldn’t sign in to the web interface anymore…

Firefox just gave me an “SSL_ERROR_NO_CYPHER_OVERLAP”, which should mean that the server and client don’t know any matching way to talk to each other securely…

So, I tried Safari, but that doesn’t work without modifying your system’s certificate trust settings and permanently trusting that cert… I don’t feel like doing that…

…So, I tried Chrome, no luck!

So, I scanned it; here’s the output:

Version: 2.0.10
OpenSSL 3.0.1 14 Dec 2021

Connected to 172.18.10.30

Testing SSL server 172.18.10.30 on port 443 using SNI name 172.18.10.30

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   disabled
TLSv1.3   enabled

  TLS Fallback SCSV:
Server supports TLS Fallback SCSV

  TLS renegotiation:
Session renegotiation not supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLSv1.3 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.3  256 bits  TLS_CHACHA20_POLY1305_SHA256  Curve P-256 DHE 256
Accepted  TLSv1.3  128 bits  TLS_AES_128_GCM_SHA256        Curve P-256 DHE 256
Accepted  TLSv1.3  256 bits  TLS_AES_256_GCM_SHA384        Curve P-256 DHE 256

  Server Key Exchange Group(s):
TLSv1.3  81 bits  sect163k1
TLSv1.3  81 bits  sect163r1
TLSv1.3  81 bits  sect163r2
TLSv1.3  96 bits  sect193r1
TLSv1.3  96 bits  sect193r2
TLSv1.3  116 bits  sect233k1
TLSv1.3  116 bits  sect233r1
TLSv1.3  119 bits  sect239k1
TLSv1.3  141 bits  sect283k1
TLSv1.3  141 bits  sect283r1
TLSv1.3  204 bits  sect409k1
TLSv1.3  204 bits  sect409r1
TLSv1.3  285 bits  sect571k1
TLSv1.3  285 bits  sect571r1
TLSv1.3  80 bits  secp160k1
TLSv1.3  80 bits  secp160r1
TLSv1.3  80 bits  secp160r2
TLSv1.3  96 bits  secp192k1
TLSv1.3  96 bits  secp192r1
TLSv1.3  112 bits  secp224k1
TLSv1.3  112 bits  secp224r1
TLSv1.3  128 bits  secp256k1
TLSv1.3  128 bits  secp256r1 (NIST P-256)
TLSv1.3  192 bits  secp384r1 (NIST P-384)
TLSv1.3  260 bits  secp521r1 (NIST P-521)
TLSv1.3  128 bits  brainpoolP256r1
TLSv1.3  192 bits  brainpoolP384r1
TLSv1.3  256 bits  brainpoolP512r1
TLSv1.3  128 bits  x25519
TLSv1.3  224 bits  x448
TLSv1.3  112 bits  ffdhe2048
TLSv1.3  128 bits  ffdhe3072
TLSv1.3  150 bits  ffdhe4096
TLSv1.3  175 bits  ffdhe6144
TLSv1.3  192 bits  ffdhe8192

  SSL Certificate:
Signature Algorithm: ecdsa-with-SHA256
ECC Curve Name:      prime256v1
ECC Key Strength:    128

Subject:  OpenWrt
Issuer:   OpenWrt

Not valid before: Oct 17 22:04:07 2021 GMT
Not valid after:  Oct 18 22:04:07 2023 GMT

Except for some weak key exchange groups, there doesn’t seem to be anything wrong with it…
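To make “some weak key exchange groups” concrete, here is an added example (not part of the original post) that parses the “Server Key Exchange Group(s)” section of a scan in the format shown above and lists every group whose estimated strength is below a threshold, 112 bits by default. The output format matches sslscan 2.x, but the post does not name the scanner, so that is an assumption. The embedded sample is a constructed, abbreviated copy of the scan above; the commented live commands need network access to the router and are not run here.

```shell
#!/bin/sh
# Added example, not from the original post: find weak TLS 1.3 key exchange
# groups in sslscan-style output. The tool name (sslscan) is assumed from
# the output format; the sample below is constructed from the scan above.

# Constructed sample: an abbreviated copy of the scan output in the post.
SAMPLE_SCAN='  Server Key Exchange Group(s):
TLSv1.3  81 bits  sect163k1
TLSv1.3  80 bits  secp160k1
TLSv1.3  112 bits  secp224r1
TLSv1.3  128 bits  secp256r1 (NIST P-256)
TLSv1.3  128 bits  x25519
TLSv1.3  112 bits  ffdhe2048

  SSL Certificate:
Signature Algorithm: ecdsa-with-SHA256'

# weak_groups [MIN_BITS] < scan-output
# Reads scan text on stdin and prints one group name per line for every
# key exchange group rated below MIN_BITS (default 112, the usual floor
# for "acceptable" security strength). Only the "Server Key Exchange
# Group(s)" section is examined; the section ends at the first blank line.
weak_groups() {
    min="${1:-112}"
    awk -v min="$min" '
        /Server Key Exchange Group/ { in_groups = 1; next }
        in_groups && /^[[:space:]]*$/ { in_groups = 0 }
        # data lines look like: TLSv1.3  81 bits  sect163k1
        in_groups && $2 ~ /^[0-9]+$/ && $3 == "bits" && ($2 + 0) < (min + 0) { print $4 }
    '
}

# count_weak_groups [MIN_BITS] < scan-output
# Number of groups weak_groups would report; handy for a pass/fail check.
count_weak_groups() {
    weak_groups "$1" | wc -l | tr -d ' '
}

# Live use (needs network; not run here). Pipe a real, uncoloured scan
# through the filter:
#   sslscan --no-colour 172.18.10.30 | weak_groups 112
# Advertising a group is not the same as completing a handshake with it;
# after the fix, confirm a browser-compatible TLS 1.3 group actually works:
#   openssl s_client -connect 172.18.10.30:443 -tls1_3 -groups x25519 </dev/null

printf '%s\n' "$SAMPLE_SCAN" | weak_groups 112
```

Run against the constructed sample, the filter reports sect163k1 and secp160k1; raise the threshold to 128 and the two 112-bit groups (secp224r1 and ffdhe2048) are reported as well. Note that a long list of obscure groups is a curiosity rather than the cause of the browser error here, since x25519 and secp256r1 are both advertised and those are what Firefox and Chrome offer.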

So, here’s how I fixed it… I SSHed into it as root and ran this:

opkg update
opkg install libmbedtls
service uhttpd restart

And now it works! Magic! 🤷🏻‍♀️

Note: OpenWrt seems to use wolfSSL by default instead of libmbedtls.

Anyway, I hope this fixes it for you too.