So, I was playing with an OpenWrt device, installed some packages (not related to TLS aka “SSL”)… I rebooted, and I couldn’t sign in to the web interface anymore…
Firefox just gave me an “SSL_ERROR_NO_CYPHER_OVERLAP”… Which should mean that the server and client don’t know any matching way to talk to each other securely…
So, I tried Safari, but that doesn’t work without modifying your system’s certificate trust settings and permanently trusting that cert… I don’t feel like doing that…
…So, I tried Chrome, no luck!
So, I tried scanning it; here's the output:
Version: 2.0.10
OpenSSL 3.0.1 14 Dec 2021

Connected to 172.18.10.30

Testing SSL server 172.18.10.30 on port 443 using SNI name 172.18.10.30

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   disabled
TLSv1.3   enabled

  TLS Fallback SCSV:
Server supports TLS Fallback SCSV

  TLS renegotiation:
Session renegotiation not supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLSv1.3 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.3  256 bits  TLS_CHACHA20_POLY1305_SHA256  Curve P-256 DHE 256
Accepted  TLSv1.3  128 bits  TLS_AES_128_GCM_SHA256        Curve P-256 DHE 256
Accepted  TLSv1.3  256 bits  TLS_AES_256_GCM_SHA384        Curve P-256 DHE 256

  Server Key Exchange Group(s):
TLSv1.3  81 bits   sect163k1
TLSv1.3  81 bits   sect163r1
TLSv1.3  81 bits   sect163r2
TLSv1.3  96 bits   sect193r1
TLSv1.3  96 bits   sect193r2
TLSv1.3  116 bits  sect233k1
TLSv1.3  116 bits  sect233r1
TLSv1.3  119 bits  sect239k1
TLSv1.3  141 bits  sect283k1
TLSv1.3  141 bits  sect283r1
TLSv1.3  204 bits  sect409k1
TLSv1.3  204 bits  sect409r1
TLSv1.3  285 bits  sect571k1
TLSv1.3  285 bits  sect571r1
TLSv1.3  80 bits   secp160k1
TLSv1.3  80 bits   secp160r1
TLSv1.3  80 bits   secp160r2
TLSv1.3  96 bits   secp192k1
TLSv1.3  96 bits   secp192r1
TLSv1.3  112 bits  secp224k1
TLSv1.3  112 bits  secp224r1
TLSv1.3  128 bits  secp256k1
TLSv1.3  128 bits  secp256r1 (NIST P-256)
TLSv1.3  192 bits  secp384r1 (NIST P-384)
TLSv1.3  260 bits  secp521r1 (NIST P-521)
TLSv1.3  128 bits  brainpoolP256r1
TLSv1.3  192 bits  brainpoolP384r1
TLSv1.3  256 bits  brainpoolP512r1
TLSv1.3  128 bits  x25519
TLSv1.3  224 bits  x448
TLSv1.3  112 bits  ffdhe2048
TLSv1.3  128 bits  ffdhe3072
TLSv1.3  150 bits  ffdhe4096
TLSv1.3  175 bits  ffdhe6144
TLSv1.3  192 bits  ffdhe8192

  SSL Certificate:
Signature Algorithm: ecdsa-with-SHA256
ECC Curve Name:      prime256v1
ECC Key Strength:    128

Subject:  OpenWrt
Issuer:   OpenWrt

Not valid before: Oct 17 22:04:07 2021 GMT
Not valid after:  Oct 18 22:04:07 2023 GMT
Except for some weak key exchange groups, there doesn't seem to be anything wrong with it…
So, here's how I fixed it… I SSHed into it as root and ran this:
opkg update                  # refresh the package lists
opkg install libmbedtls      # install the mbed TLS library
service uhttpd restart       # restart uhttpd, the web server behind LuCI
And now it works! Magic! 🤷🏻♀️
Note: OpenWrt seems to use wolfSSL by default instead of libmbedtls.
Anyway, I hope this fixes it for you too.
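To make the scan above and the fix easier to check on your own device, here is a small set of shell helpers. This is an added example, not code from the original post or from OpenWrt: it assumes the router address 172.18.10.30 used above, an `openssl` command on the client, and the OpenWrt package name prefixes given in `router_tls_stack`. The scan text in `SAMPLE_SCAN` is a constructed, trimmed excerpt in sslscan's layout so that `weak_groups` can be exercised without a network.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenWrt.
# Helpers for triaging the SSL_ERROR_NO_CYPHER_OVERLAP case described above.
# Assumptions: the router address 172.18.10.30 from the post, an "openssl"
# CLI on the client, and the OpenWrt package name prefixes used in
# router_tls_stack. SAMPLE_SCAN is a constructed, trimmed excerpt in
# sslscan's layout so weak_groups can be exercised offline.

ROUTER="${ROUTER:-172.18.10.30}"

SAMPLE_SCAN='  Server Key Exchange Group(s):
TLSv1.3  81 bits  sect163k1
TLSv1.3  96 bits  sect193r1
TLSv1.3  80 bits  secp160r1
TLSv1.3  112 bits  secp224r1
TLSv1.3  128 bits  secp256r1 (NIST P-256)
TLSv1.3  128 bits  x25519
TLSv1.3  112 bits  ffdhe2048
TLSv1.3  150 bits  ffdhe4096

  SSL Certificate:
Signature Algorithm: ecdsa-with-SHA256'

# Read sslscan output on stdin and print every key exchange group whose
# reported security level is below the given floor (default 112 bits, the
# usual minimum). Only the "Server Key Exchange Group(s)" section is
# considered; it ends at the first blank line.
weak_groups() {
    min_bits="${1:-112}"
    awk -v min="$min_bits" '
        /Server Key Exchange Group/ { in_groups = 1; next }
        in_groups && NF == 0        { in_groups = 0 }
        in_groups && $3 == "bits" && ($2 + 0) < min { print $4 }
    '
}

# Number of weak groups, printed as a plain number (no wc padding).
weak_group_count() {
    weak_groups "$@" | awk 'END { print NR }'
}

# Try a TLS 1.3 handshake offering only the key shares a current browser
# sends first (x25519, then P-256) and show what was negotiated. This
# needs network access to the router, so the offline checks do not run it.
tls_probe() {
    host="${1:-$ROUTER}"
    printf 'Q\n' | openssl s_client -connect "$host:443" -servername "$host" \
        -tls1_3 -groups X25519:P-256 2>/dev/null \
      | grep -E '^ *(New,|Protocol|Cipher|Server Temp Key|Verify return code)'
}

# Run on the router over SSH: list the installed ustream-ssl provider and
# TLS libraries (the package name prefixes are an assumption about the
# OpenWrt release in use) so the wolfSSL-versus-libmbedtls note can be
# checked rather than guessed.
router_tls_stack() {
    opkg list-installed | grep -E '^(libustream-|libwolfssl|libmbedtls|px5g)'
    ls -l /lib/libustream-ssl.so 2>/dev/null
}

# Offline demonstration on the constructed excerpt: prints the weak groups.
printf '%s\n' "$SAMPLE_SCAN" | weak_groups
```

Run the real scan through the parser with `sslscan 172.18.10.30 | sh -c '. ./tls-triage.sh; weak_groups'` (file name assumed), then `tls_probe` from the client and `router_tls_stack` on the router before and after the `opkg install libmbedtls` / `service uhttpd restart` step, so you can see whether the negotiated cipher, key share or the installed TLS provider actually changed.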
This is really helpful. I keep running into this, and then I search and I find your blog and I remember "oh yeah, that's how you fix it!" My problem is that I've installed libmbedtls and restarted uhttpd and it's fine. Then I reboot (from inside LuCI). After I reboot, I'm back to the SSL_ERROR_NO_CYPHER_OVERLAP error. I ssh into my router, run `service uhttpd restart` and the error goes away.
Any ideas what I can do so that it comes up right on reboot every time?