Message: This site can’t provide a secure connection

IceG
Posts: 681
Joined: 06 Oct 2011, 17:24
Location: London (the one in England)

Message: This site can’t provide a secure connection

Post by IceG »

I am getting the messages

This site can’t provide a secure connection

http://www.gprejects.com uses an unsupported protocol.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

when accessing the site using Google Chrome under Windows XP.

Trying IE on the same machine just refuses any connection.
DemocalypseNow
Posts: 13185
Joined: 17 Aug 2009, 09:30
Location: Lost, send help

Re: Message: This site can’t provide a secure connection

Post by DemocalypseNow »

IceG wrote: I am getting the messages

This site can’t provide a secure connection

http://www.gprejects.com uses an unsupported protocol.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

when accessing the site using Google Chrome under Windows XP.

Trying IE on the same machine just refuses any connection.

Are you using Windows XP SP2 or lower? Our SSL certificates use SHA-2 cryptography, but XP SP2 and lower only support SHA-1, which is no longer considered secure and has been deprecated at a hugely accelerated rate in the past few years. If you care about that sort of thing, the reasons for it being so insecure are quite interesting, but I'll assume you don't care and get to the point.

We have an A+ rating for SSL security from Qualys. This is because of the restriction on accepted ciphers with our SSL/TLS connections (hence ERR_SSL_VERSION_OR_CIPHER_MISMATCH). Windows XP SP3 supports our SSL authentication. Earlier versions only accept SHA-1, which Microsoft officially does not support in any way, shape or form.

Modifying those restrictions already in place to accommodate systems which do not support SHA-2 weakens security for everyone else. StatCounter numbers from Dec 2016 show only 2.24% of web visitors still use XP, and while I don't have stats for percentages for SP versions, it is widely accepted the vast majority of these XP systems are on SP3. Therefore I have no plans to modify settings at our end to accommodate these machines, especially as their use will be on a permanent downward trajectory.

In terms of fixing it at your end, I would recommend not touching XP with a 10 foot pole. It hasn't been supported in some time, and is a bit like securing your house with nothing but a Yale lock that has been stuck in the latch position for 3 years. Failing that (upgrading an entire OS is a pain), get the system upgraded to SP3 just to get the site to work. If it's a work computer, tell your IT department they should all be fired for being the most incompetent monkeymen on earth. I know the feeling - my dayjob still has machines running XP, despite working in a data-critical industry. For them it's just cheapness - they still have CRT monitors in active use. It's an embarrassment.


Of course, everything I've written is redundant if you're running SP3. Then I'm clueless as to what is wrong.
Novitopoli wrote: Every time someone orders at Pizza Hut, an Italian dies.
Novitopoli wrote: Juve's Triplete: Calciopoli, doping & Mafia connections.

IceG
Posts: 681
Joined: 06 Oct 2011, 17:24
Location: London (the one in England)

Re: Message: This site can’t provide a secure connection

Post by IceG »

Thanks for your explanation and for your ongoing support efforts.

I am running on SP3 so hmmmm.

Clicking on More details gave me the response:

"The client and server don't support a common SSL protocol version or cipher suite. This is likely to be caused when the server needs RC4, which is no longer considered secure."

It is an old domestic laptop that is just used because it still works - there is nothing vital on it so we don't worry about the lack of support and security updates. As you say, many business systems are still running XP; in my industry for very good reasons as the cost of porting and testing is so high - hence MS still actually do support XP in certain, ahem, "special" business sectors.

I raised the ticket in case it was indicative of something your end and in case others were getting the same message. You seem pretty confident there is no issue so no biggy.
DemocalypseNow
Posts: 13185
Joined: 17 Aug 2009, 09:30
Location: Lost, send help

Re: Message: This site can’t provide a secure connection

Post by DemocalypseNow »

IceG wrote: Thanks for your explanation and for your ongoing support efforts.

I am running on SP3 so hmmmm.

Clicking on More details gave me the response:

"The client and server don't support a common SSL protocol version or cipher suite. This is likely to be caused when the server needs RC4, which is no longer considered secure."

It is an old domestic laptop that is just used because it still works - there is nothing vital on it so we don't worry about the lack of support and security updates. As you say, many business systems are still running XP; in my industry for very good reasons as the cost of porting and testing is so high - hence MS still actually do support XP in certain, ahem, "special" business sectors.

I raised the ticket in case it was indicative of something your end and in case others were getting the same message. You seem pretty confident there is no issue so no biggy.

I appreciate it though - shows that my SSL cipher settings could do with a little more refinement.
dr-baker
Posts: 15429
Joined: 29 Mar 2009, 17:30
Location: Here and there.

Re: Message: This site can’t provide a secure connection

Post by dr-baker »

Well, I'm glad it wasn't me having that problem - this conversation went straight over my head!
watka wrote: I find it amusing that whilst you're one of the more openly Christian guys here, you are still first and foremost associated with an eye for the ladies!
dinizintheoven wrote: GOOD CHRISTIANS do not go to jail. EVERYONE ON FORMULA ONE REJECTS should be in jail.
MCard LOLA
DemocalypseNow
Posts: 13185
Joined: 17 Aug 2009, 09:30
Location: Lost, send help

Re: Message: This site can’t provide a secure connection

Post by DemocalypseNow »

Having looked at the issue further, I have found more precise reasons for the issue in question. Long story short, not a single available cipher suite supported by XP reaches the minimum standard for secure browsing. All have since been rendered obsolete by various attacks. The minimum required level is AES, which even at Service Package 3, XP does not support.

I learned a bit more about encryption trying to resolve this 'bug' though - quite interesting stuff.
IceG
Posts: 681
Joined: 06 Oct 2011, 17:24
Location: London (the one in England)

Re: Message: This site can’t provide a secure connection

Post by IceG »

Asking for academic interest as this is a non-critical issue.

What are you trying to achieve using this level of security/protection? This is the only site/forum that I cannot access from the obsolete machine in question; I can access many secure payments systems and my online financial services provider (obviously I avoid doing so given the poor state of the machine's security) which presumably have significantly more critical security needs than an F1 forum?

If I am being dumb, please tell me.
DemocalypseNow
Posts: 13185
Joined: 17 Aug 2009, 09:30
Location: Lost, send help

Re: Message: This site can’t provide a secure connection

Post by DemocalypseNow »

IceG wrote: Asking for academic interest as this is a non-critical issue.

What are you trying to achieve using this level of security/protection? This is the only site/forum that I cannot access from the obsolete machine in question; I can access many secure payments systems and my online financial services provider (obviously I avoid doing so given the poor state of the machine's security) which presumably have significantly more critical security needs than an F1 forum?

If I am being dumb, please tell me.

This is down to me being dumb, not the other way around! From a user perspective you are right, this does not make any sense, and is exceedingly dumb. As I mentioned, my SSL config is clearly not up to scratch - to compensate for lack of knowledge, I went too aggressive rather than too soft with the configuration.

I've made some amendments now that I hope make a difference. Just to satisfy my curiosity, would you also mind giving FormulaRejects a visit for me? It uses a slightly different config from GPR as the two sites have certificates from different Certificate Authorities.
IceG
Posts: 681
Joined: 06 Oct 2011, 17:24
Location: London (the one in England)

Re: Message: This site can’t provide a secure connection

Post by IceG »

I can see FormulaRejects as long as I don't specify https:// and drop the www

Still getting refused at GPrejects
DemocalypseNow
Posts: 13185
Joined: 17 Aug 2009, 09:30
Location: Lost, send help

Re: Message: This site can’t provide a secure connection

Post by DemocalypseNow »

IceG wrote: I can see FormulaRejects as long as I don't specify https:// and drop the www

Still getting refused at GPrejects

That's actually rather odd - I deliberately went for a config that should have allowed legacy systems. I wonder what it is, if it's not the cipher suites....
IceG
Posts: 681
Joined: 06 Oct 2011, 17:24
Location: London (the one in England)

Re: Message: This site can’t provide a secure connection

Post by IceG »

I've tried a few more times, still no joy.

Are you making changes or shall we leave it there?
DemocalypseNow
Posts: 13185
Joined: 17 Aug 2009, 09:30
Location: Lost, send help

Re: Message: This site can’t provide a secure connection

Post by DemocalypseNow »

IceG wrote: I've tried a few more times, still no joy.

Are you making changes or shall we leave it there?

I would leave it there for now. I can't seem to find an acceptable configuration that will allow it to work, despite enabling connection over TLS 1.0, which isn't ideal but should still have worked with XP machines. I'm at a loss to understand how to fix it without simply switching SSL off entirely.
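
Added example, not part of the thread and not the site's configuration: the comparison behind ERR_SSL_VERSION_OR_CIPHER_MISMATCH, which the posts about cipher suites and about enabling TLS 1.0 both turn on. It parses the protocol version and cipher suite list out of a ClientHello and applies a server policy to them. The ClientHello bytes, the client's suite list and both server policies are constructed for illustration, and extensions (including TLS 1.3's supported_versions) are not parsed.

```python
import struct

# IANA cipher suite code points (subset used by this example)
SUITES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
          0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
          0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}
TLS1_0, TLS1_2 = 0x0301, 0x0303

def build_client_hello(version, suites):
    """Build a minimal ClientHello record without extensions (constructed sample input)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"    # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                         # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake type 1 = client_hello
    return b"\x16" + struct.pack("!HH", TLS1_0, len(hs)) + hs   # record type 22 = handshake

def parse_client_hello(record):
    """Return (client_version, [suite ids]) from a ClientHello held in one TLS record."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            raise ValueError("not a handshake record carrying a ClientHello")
        body = record[9:9 + int.from_bytes(record[6:9], "big")]
        (version,) = struct.unpack("!H", body[0:2])
        pos = 2 + 32                       # skip client_version and random
        pos += 1 + body[pos]               # skip session id
        (n,) = struct.unpack("!H", body[pos:pos + 2])
        raw = body[pos + 2:pos + 2 + n]
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None
    if n % 2 or len(raw) != n:
        raise ValueError("malformed cipher suite list")
    return version, [int.from_bytes(raw[i:i + 2], "big") for i in range(0, n, 2)]

def negotiate(record, min_version, server_suites):
    """Server-side outcome: first suite in server preference order that the client offers."""
    version, offered = parse_client_hello(record)
    if version < min_version:
        return "protocol_version alert"
    for suite in server_suites:
        if suite in offered:
            return SUITES.get(suite, hex(suite))
    return "handshake_failure alert"

# Constructed client: speaks TLS 1.0 and offers only RC4 and 3DES suites
LEGACY_HELLO = build_client_hello(TLS1_0, [0x0004, 0x0005, 0x000A])
STRICT = [0xC02F, 0x002F]            # assumed AES-only server policy
RELAXED = STRICT + [0x000A]          # same policy with 3DES appended as a last resort

if __name__ == "__main__":
    for name, policy in (("strict", STRICT), ("relaxed", RELAXED)):
        print(name, "->", negotiate(LEGACY_HELLO, TLS1_0, policy))
```

To see what a real client offers, feed `parse_client_hello` the first record of a captured handshake instead of the constructed one.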