ERR_SSL_VERSION_OR_CIPHER_MISMATCH

[eskador 2]

I am unable to browse to Emby using SSL (HTTP works fine) and the browser (Chrome) reports ERR_SSL_VERSION_OR_CIPHER_MISMATCH.

 

I can test the SSL certificate externally using https://www.sslshopper.com/ssl-checker.html and get all green checkmarks on the certificate

I do not see any errors in the log related to SSL, HTTPS, or 8920

 

Running Windows 7 SP1 Build 7601 x64, all Windows Updates installed

embyserver.txt

[Luke 42078]

Hi, are you able to update to a newer version of windows?

[eskador 2]

I wish, unfortunately that would be a new build (unsupported hardware).

[rbjtech 5284]

11 hours ago, eskador said:

I wish, unfortunately that would be a new build (unsupported hardware).

For Windows 11 maybe - but for Windows 10 - I don't believe there are any hardware restrictions ?

Windows 10 fully supports modern TLS - Windows 7 has some issues as you've discovered.

[AL_25 2]

Hello,

I have probably the same issue on my side (error message is a bit different but related to TLS )
I made a network capture and saw that my browser request TLS 1.2  for the ssl connection and that emby respond it can't handle it

Any possibility to configure TLS version on emby side  ? Recent browser seems now disallow any possibilities to fallback to a version before TLS 1.2

@eskador, as your instance seems to be accessible from internet, you can test what are the TLS version/ciphers supported by your instance if you use sslabs from qualys (sslhopper only check the certificate, not the TLS configuration) :

https://www.ssllabs.com/ssltest/

(Dont forget to check the "Do not show the results on the boards" if you doesn't want to have your instance displayed in the history )

The "Configuration" section in the result page will give you all the needed infos about TLS and ciphers supported by your instance

Kr,

[rbjtech 5284]

imo - Emby should continue to use the latest TLS 1.3 and drop to 1.2 as a minimum.   This is now the industry standard for TLS connections.

If you want to use 'at risk' TLS 1.0 or 1.1 or old outdated ciphers etc - then you can achieve this by using a reverse proxy and configuring it how you see fit.

Edited December 21, 2022 by rbjtech

[AL_25 2]

@rbjtech not sure to understand if your reply is for me or not, but i agree, emby should be able to support modern protocol !

What i see currently is that emby refuse using TLS1.3 or TLS1.2.

i perform  some further tests using openssl and saw that TLS1.1 et TLS 1.0 is refused too...which seems to be curious as it works before.
Some issue with the latest version perhaps ? i made  the update recently on my side

 

Edited December 21, 2022 by AL_25

[rbjtech 5284]

11 minutes ago, AL_25 said:

@rbjtech not sure to understand if your reply is for me or not, but i agree, emby should be able to support modern protocol !

What i see currently is that emby refuse using TLS1.3 or TLS1.2.

i perform  some further tests using openssl and saw that TLS1.1 et TLS 1.0 is refused too...which seems to be curious as it works before.
Some issue with the latest version perhaps ? i made  the update recently on my side

 

TLS 1.3 and 1.2 are fine - I use them without any issues ?

[eskador 2]

I had to change Emby to use port 443 for HTTPS...

 

But here are the results:

TLS 1.3 - No

TLS 1.2 - No

TLS 1.1 - No

TLS 1.0 - Yes

SSL 3 - Yes

SSL 2 - Yes

 

 

I don't think modern browsers will even allow TLS 1.0 or lower (Chrome will only use TLS 1.1 or higher)

 

[Happy2Play 9780]

@eskador You would have to do some googling to get TLS 1.2 working on widows 7.  And disabling SSL 2.3 and TLS 1.0.  But all of this really has nothing to do with Emby.  As I can make Windows 11 respond that same way with tools to change the registry keys.  But eventually Windows 7 will not work on the internet. 

Will see if I still have a Window 7 vm.

@AL_25 from my Windows 10 server

 

[Happy2Play 9780]

Windows 7 tweaking with IISCrypto.  But yes before changing the registry keys I got same error as @eskador

Was able to connect after changes.  But in the end will be very limited to weak/obsolete ciphers.  But can be done.

Note this has absolutely nothing to do with Emby though.

[eskador 2]

Well that was easy enough - I dug through a ton of Registry settings and rebooting.... 

I ended up downloading IISCrypto and hitting the best practices button and selecting the reboot checkbox then apply - PC rebotted and SSL is working now.

 

Mark as resolved - IISCrypto is the easy button

[Happy2Play 9780]

Additional info but will be very limited to Weak/Obsolete cyphers on Windows 7.  Had to reenable some things to get test to work.

[AL_25 2]

@Happy2Play

Thanks for the reply,

I finally solved my problem, the certificate was missing so TLS was not configured which explain the TLS mismatch as emby is listenning on the port even so

[Happy2Play 9780]

Also as mentioned in other topics when providers lockdown their servers more provider plugins will fail.  But currently should work.

Edited December 21, 2022 by Happy2Play

[camilia25 0]

The error ERR_SSL_VERSION_OR_CIPHER_MISMATCH appears due to a lack of “common SSL protocol version or cipher suite support” between a web server and a user’s browser. This issue happens during the TLS handshake process. I was also facing such an error on Chrome, and it happens due to the following reasons such as:- 

1) Outdated browsers or operating systems.

2) Use of old TLS versions, significantly older than TLS 1.2.

3) Web servers employ the outdated RC4 cipher suite.

4) Corrupted SSL state within the browser.

5) Antivirus software interfering with SSL protocols

 There are different ways to fix the error in detail, and I was able to solve the error by following the reference article from:- https://certera.com/kb/how-to-fix-the-err_ssl_version_or_cipher_mismatch-error/. I think you can also check it out once.

I hope it helps!

[jessicafoster 0]

ERR_SSL_VERSION_OR_CIPHER_MISMATCH error typically occurs when a browser cannot establish a secure connection with the website due to outdated or unsupported SSL protocols or cipher suites. This often happens if the server is using deprecated technologies like SSL 3.0 or early versions of TLS, or if the SSL certificate is misconfigured or incompatible.

How to fix it:

• Update your SSL/TLS protocol
• Ensure your SSL certificate is valid
• Disable weak ciphers 
• Run an SSL test
• Check your CDN or proxy settings 

For a detailed, step-by-step guide on diagnosing and resolving this error, you can refer to this helpful article - https://www.ssl2buy.com/wiki/how-to-fix-err_ssl_version_or_cipher_mismatch-error

[jen2000d 0]

Since your SSL cert checks out fine externally, the issue might be with TLS support on Windows 7. Chrome may block older TLS versions. Try enabling TLS 1.2 in Windows settings or update Schannel protocols. Also, consider using a reverse proxy like Nginx to modernize SSL handling on older systems.

More Help - https://cheapsslweb.com/resources/how-to-fix-err_ssl_version_or_cipher_mismatch-error