ERR_SSL_VERSION_OR_CIPHER_MISMATCH - how to get around this problem?

wimorrison · Apr 19, 2023

I have an old Netgear ReadyNAS on which trying to access the admin pages but whatever I do I get this message presented on the screen, however I can access the data by mapping a drive, and also over http, but attempts to access the admin console always change to https and display this error

This message is the same on Edge and Chrome (as expected) and I have tried the suggested solutions of enabling TLS 1.1 - 1.3 and SSL v3.0 but to no effect.

Does anyone have suggestions of another browser that will over come this issue, or another suggestion?

neemobeer · May 9, 2023

If it's really old, it probably only supports weak cipher suites.

Download and install nmap Download the Free Nmap Security Scanner for Linux/Mac/Windows
Open a command prompt or powershell and cd to the nmap binary location usually something like 'C:\Program Files (x86)\Nmap'
Run the following command nmap -p 443 --script ssl*cipher* 192.168.0.138
For security look at the highest supported SSL/TLS version (make sure that is enabled on your system)
Pick one of the higher rated ciphers (the letters at the end) and copy the name minus what is in ( )
Open an elevated powershell prompt and type Enable-TLSCipherSuite <SuiteName>

If that runs without an error you can test connecting again.

wimorrison · May 19, 2023

Thanks for the suggestion.

I have run the initial scrips as you suggest and this is the output

PS C:\Program Files (x86)\Nmap> nmap -p 443 --script ssl*cipher* 192.168.0.138
Starting Nmap 7.93 ( Nmap: the Network Mapper - Free Security Scanner ) at 2023-05-19 14:07 GMT Summer Time
NSOCK ERROR [0.0490s] ssl_init_helper(): OpenSSL legacy provider failed to load.

Nmap scan report for 192.168.0.138
Host is up (0.0029s latency).

PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - F
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - F
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - F
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - F
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - F
| compressors:
| DEFLATE
| NULL
| cipher preference: server
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Insecure certificate signature (SHA1), score capped at F
|_ least strength: F
MAC Address: E0:91:F5:71:E35 (Netgear)

Nmap done: 1 IP address (1 host up) scanned in 23.05 seconds

When I then run

PS C:\Program Files (x86)\Nmap> Enable-TLSCiphersuite TLS_DHE_RSA_WITH_AES_256_CBC_SHA

I get an instant return to the command line (I have also tried the other options) and I am still unable to connect

Can you suggest that I have done wrong?

Many Thanks

neemobeer · May 19, 2023

If there was no output then it should be enabled. You can confirm with (Get-TlsCipherSuite).Name

If you use wireshark you should be able to see the TLS handshake and if your system is offering the correct cipher now, or you may need to enable TLS 1.0

wimorrison · May 19, 2023

Thanks for your suggestions. It appears to be an Edge issue because nothing I do will allow Edge to access it however I tried it on my phone (iOS 16.5) and it connected after giving me a warning about the certificate. I therefore found an old version of Safari (no longer supported on Windows

), installed it and after a warning saying it cannot verify the certificate it connects and allows me to log into the admin pages.

Strangely, MS Edge has no problems with me accessing any of the shares on the NAS, only the admin pages.

I guess I will need to use this workaround.