VMware {code} Community
bhrami
Contributor

Error code: ERR_SSL_VERSION_OR_CIPHER_MISMATCH on Chrome Browser

Hi there,

I am running into the POODLE Chrome issue when accessing my https://localhost:9443/vsphere-client

My Virgo server is up and running. But when I try to launch on Chrome, I get this error:

A secure connection cannot be established because this site uses an unsupported protocol.

Error code: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Can you please suggest a resolution to this issue?

Thanks,

Aparna

17 Replies
laurentsd
VMware Employee

Please always add version information to your questions, I cannot guess what you are using (Web Client, Chrome, etc.)...

Also err_ssl_version_or_cipher_mismatch doesn't mean it's the poodle problem.

bhrami
Contributor

vCenter Server - is on version 5.5 - 2d.

Development SDK and serinity-client - on my local system is also on 5.5.2 - build number 2026576.

Chrome browser version - is 41.

Thanks!

laurentsd
VMware Employee

We have seen this error with the latest Chrome version with SDK 5.5.x, it must be a side effect of some internal change they made.  It only happens for localhost, i.e. a dev setup.

The work-arounds I know of are:

- Use an older Chrome version just for your local plugin development.

- Use Firefox

- Use SDK 6.0 where this problem doesn't exist.

We don't have a solution for the latest Chrome and SDK 5.5.x but if someone has found one please share it here.

I assume it has to do with an invalid certificate.

bhrami
Contributor

Thanks will try them out.

Quick question on SDK 6.0 - which vCenters will this be compatible with? Do we have to upgrade and install everything to 6.0? I am not clear on that, can you please explain.

Thanks!

laurentsd
VMware Employee

As always, the Web Client and its SDK are compatible with the current release and the previous one, so SDK 6.0 is compatible with vCenter 6.0 and 5.5.

To use Web Client 6.0 you don't need to install or upgrade to vCenter 6.0 but you need the new 6.0 service controller.

See this doc "Mixed-Version Transitional Environments in vCenter Server for Windows Upgrades": vSphere 6.0 Documentation Center

bhrami
Contributor

Will you be providing a patch for 5.5 SDK to work with Chrome? We are committed to release our product for 5.5 SDK only, and this would be a blocker. Please let us know the plan on fixing this issue.

Thanks.

laurentsd
VMware Employee

You didn't read my reply correctly.  This is only a problem with localhost, i.e. on developer machines.  So there is no patch to provide for regular users.

bhrami
Contributor

Perfect - that is a relief. It won't be a production issue.

But please do let us know for development set up as well. We will need to develop and test against Chrome.

Thanks!

laurentsd
VMware Employee

You can still develop and test against Chrome version 40 locally.  You can test against Chrome 41+ if you deploy your plugin on a separate machine, i.e. don't use localhost.

bhrami
Contributor

Chrome does an automatic upgrade and I didn't find any easy way to downgrade or ask Chrome to use an older version.

Still, that doesn't solve the problem unless VMware comes up with a patch.

laurentsd
VMware Employee

Don't expect a patch from us, nobody is looking actively at this issue.  It is a minor problem for plugin developers on Mac since there are easy work-arounds as I explained.

bhrami
Contributor

OK, but I am on Windows, not Mac. FYI.

bhrami
Contributor

Laurent, I see this error in Firefox too.

Secure Connection Failed

An error occurred during a connection to localhost:9443. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

    Please contact the website owners to inform them of this problem.

Please.... Chrome and Firefox don't work!!!! I need help. How can we develop! I have a release, and my development is completely halted!

It is not just localhost, I can't even use the system's IP to go. Please WE NEED A PATCH!

laurentsd
VMware Employee

You need to go back to an older version of Firefox or Chrome for localhost development.  There is no known problem with 5.5 and regular Web Client setups (i.e. non localhost)

gammy69er
Contributor

The Answer is Here

http://community.spiceworks.com/topic/762701-error-code-err_ssl_version_or_cipher_mismatch

(Have Put Link to give Credit where credit is due)

*POST FROM SPICEWORKS*

acasurfacamaster Feb 11, 2015 at 9:52 AM

1ST POST

For Chrome v40:

- Open chrome://flags
- Look for "Minimum SSL/TLS version supported."
- Choose SSLv3
- Click on "Relaunch now" button
- Open your https page again
- You will be redirected to a "Your connection is not private" page. If you do not worry about this security issue click on the "Advanced" link.
- Finally click on "Proceed to (unsafe)".

Solved.

I am Using Chrome v42, and this still works

The Google is not strong in you - this took me 3 mins to find the answer - and then another 15 mins to do the right thing and register and post here - as it seemed you guys were getting nowhere.

Good Luck and Enjoy

virat1234
Enthusiast

I was facing the same issue. I created a new keystore file for Tomcat (Virgo) and that fixed the issue.

vesuvius_prime
VMware Employee

This is the correct way to do it. The certificate must be replaced because DSA certificates are no longer supported.


Please, don't use the workarounds further above (e.g. tampering with the "Minimum SSL/TLS version supported" flag in Chrome) because they don't really solve the problem and they will stop working in the future when such workarounds get disabled in the browsers.


So, to create a Virgo server certificate similar to the original one, but using an RSA algorithm, do this:


keytool -genkey -alias s2dmk -dname "CN=SpringSource dm Kernel, OU=dm Server Team, O=SpringSource" -keyalg RSA -keystore keystore -keypass changeit -storepass changeit


Then replace file [VIRGO_ROOT]/configuration/keystore with the file you generated above. If you wish, you may back up the original 'keystore' file before overwriting it with the new one.


If necessary, you can also modify the HTTPS connector in file [VIRGO_ROOT]/configuration/tomcat-server.xml. Replace attribute:


sslProtocol="TLS"


with


sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"


Also, replace the 'ciphers' attribute with:


ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA"
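
An offline check for the fix described in the post above, added here as an example (not code from the thread or from VMware): it reads `keytool -list -v` output and the HTTPS `<Connector>` element, then reports a non-RSA certificate, a missing or SSL-era `sslEnabledProtocols` value, and cipher suites that cannot work with the keystore's key type. The keytool lines and connector elements are constructed samples, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the relevant lines of `keytool -list -v -keystore keystore`.
KEYTOOL_DSA = """Alias name: s2dmk
Entry type: PrivateKeyEntry
Owner: CN=SpringSource dm Kernel, OU=dm Server Team, O=SpringSource
Issuer: CN=SpringSource dm Kernel, OU=dm Server Team, O=SpringSource
Signature algorithm name: SHA1withDSA
"""
KEYTOOL_RSA = KEYTOOL_DSA.replace("SHA1withDSA", "SHA256withRSA")

# Constructed connector elements: before and after the edit from the post.
CONNECTOR_OLD = ('<Connector port="9443" SSLEnabled="true" scheme="https" '
                 'sslProtocol="TLS" keystoreFile="configuration/keystore"/>')
CONNECTOR_NEW = ('<Connector port="9443" SSLEnabled="true" scheme="https" '
                 'sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" '
                 'ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA" '
                 'keystoreFile="configuration/keystore"/>')

def key_algorithm(keytool_output):
    """Key type of a self-signed certificate, read from its signature algorithm."""
    m = re.search(r"Signature algorithm name:\s*\w+with(\w+)", keytool_output)
    return m.group(1).upper() if m else None

def split_attr(element, name):
    """Comma-separated attribute value as a list of trimmed items."""
    return [v.strip() for v in element.get(name, "").split(",") if v.strip()]

def audit(keytool_output, connector_xml):
    """Return a list of findings; an empty list means the fix is in place."""
    findings = []
    alg = key_algorithm(keytool_output)
    if alg != "RSA":
        findings.append(f"certificate key algorithm is {alg}, not RSA")
    connector = ET.fromstring(connector_xml)
    protocols = split_attr(connector, "sslEnabledProtocols")
    if not protocols:
        findings.append("sslEnabledProtocols is not set")
    findings += [f"{p} is enabled" for p in protocols if p.upper().startswith("SSL")]
    for suite in split_attr(connector, "ciphers"):
        # *_RSA_* suites authenticate with an RSA key, *_DSS_* suites with a DSA key.
        needed = "DSA" if "_DSS_" in suite else "RSA" if "_RSA_" in suite else None
        if needed and alg and needed != alg:
            findings.append(f"{suite} needs a {needed} key, keystore has {alg}")
    return findings

if __name__ == "__main__":
    for label, kt, conn in [("before", KEYTOOL_DSA, CONNECTOR_OLD),
                            ("after", KEYTOOL_RSA, CONNECTOR_NEW)]:
        print(label, audit(kt, conn) or "no findings")
```

The third check matters when only the connector is edited: the `TLS_RSA_*` suites from the post cannot be negotiated while the keystore still holds the DSA key.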