ERR_SSL_VERSION_OR_CIPHER_MISMATCH #360

Open
mokitoo opened this issue Aug 5, 2020 · 4 comments

mokitoo commented Aug 5, 2020

Sometimes this error is reported when I enter some specific websites proxied by sniproxy:

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

I have followed the advice from #300

Set sniproxy's resolver to
mode ipv4_only

but the same error above still comes up.

Both my friend and I have done some tests:
We both used Chrome in incognito mode to exclude other effects (cookies, etc.), and we used different networks but the same VPS proxy to a specific website; my friend gets the error above while I can visit that website normally.

mokitoo commented Aug 11, 2020

It's quite strange: this issue got resolved after I restarted sniproxy again. I still cannot figure out the reason.

OhmegaStar commented Nov 9, 2020

I think I'm able to create the issue on demand: my Exchange server returns the same error when going through sniproxy; when going direct, the TLS is good.

I can see that sniproxy is using IPv6 internally in my domain, so I'm trying to set the ipv4_only resolver mode.

Direct request:
echo | openssl s_client -host nosni.contoso.com -port 443:

...
subject=CN = nosni.contoso.com

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3


No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits

SSL handshake has read 3527 bytes and written 450 bytes
Verification: OK

New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 3072 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
...

Through sniproxy:
echo | openssl s_client -host sni.contoso.com -port 443:

CONNECTED(00000005)
140554009338304:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1528:SSL alert number 40

no peer certificate available

No client certificate CA names sent

SSL handshake has read 7 bytes and written 320 bytes
Verification: OK

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

--

Let me know if you need help with more data.

I'm running sniproxy from the apt distro on Ubuntu Server 20.04;
openssl from another Ubuntu server on v18.

Br,

Henrik
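
An added example, not part of the original comments: because the fix tried in this thread is the ipv4_only resolver mode, one way to test whether the result depends on the backend address is to send the same SNI to every A/AAAA address of the backend name and summarise each s_client run. The function names, the `probe` argument and the 10-second timeout are choices made for this example.

```sh
#!/bin/sh
# Added example (not from the thread): summarise `openssl s_client` results and
# repeat the handshake against every address the backend name resolves to.

# Read s_client output (stdout+stderr) on stdin and print one of:
#   "alert <n>"            the peer answered with a TLS alert
#   "ok <proto> <cipher>"  a cipher was negotiated
#   "unknown"              neither was seen (timeout, connection refused, ...)
classify_s_client() {
    awk '
        /SSL alert number/   { alert = $NF }
        /^New, .*Cipher is / { proto = $2; sub(/,$/, "", proto); cipher = $NF }
        END {
            if (alert != "")          print "alert " alert
            else if (cipher != "" && cipher != "(NONE)") print "ok " proto " " cipher
            else                      print "unknown"
        }'
}

# Lines copied from the two s_client runs quoted in the thread.
SAMPLE_DIRECT='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256'
SAMPLE_PROXIED='140554009338304:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1528:SSL alert number 40
New, (NONE), Cipher is (NONE)'

# probe_backend NAME [PORT]: one line per A/AAAA address, same SNI each time.
# Needs network access, getent, timeout and openssl; the subshell body keeps
# the loop variables local.
probe_backend() (
    name=$1 port=${2:-443}
    for addr in $(getent ahosts "$name" | awk '{print $1}' | sort -u); do
        case $addr in
            *:*) target="[$addr]:$port" ;;   # IPv6 literal needs brackets
            *)   target="$addr:$port" ;;
        esac
        result=$(timeout 10 openssl s_client -connect "$target" \
                     -servername "$name" </dev/null 2>&1 | classify_s_client)
        printf '%-45s %s\n' "$target" "$result"
    done
)

# Usage: sh probe.sh probe backend.example.net [port]
if [ "${1:-}" = "probe" ] && [ -n "${2:-}" ]; then
    probe_backend "$2" "${3:-443}"
fi
```

Run it on the host where sniproxy runs, so the name resolves the way the proxy sees it; an address family that reports `alert 40` while the other reports `ok` points at the resolver mode.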

shirakun commented Dec 9, 2021

Hi,
I've encountered the same problem.


echo | openssl s_client -host linetv.tw -port 443
CONNECTED(00000005)
140319170957760:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1528:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 311 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

But other domains proxied through sniproxy work fine.
Restarting sniproxy still doesn't fix the problem.

In addition, I have 2 other servers.
When proxying the same domain (using the exact same version and configuration file),
only one of the servers works.

mokitoo commented Dec 9, 2021

> Hi,
> I've encountered the same problem.
>
> echo | openssl s_client -host linetv.tw -port 443
> CONNECTED(00000005)
> 140319170957760:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1528:SSL alert number 40
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 311 bytes
> Verification: OK
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 0 (ok)
> ---
>
> But other domains proxied through sniproxy work fine.
> Restarting sniproxy still doesn't fix the problem.
>
> In addition, I have 2 other servers.
> When proxying the same domain (using the exact same version and configuration file),
> only one of the servers works.

It might be useful to try a force restart (kill -9 pid & service sniproxy start) rather than a restart.
