Forum Discussion
After Weak cipher remediation , URL not working in chrome while IE load is fine.
Chrome not able to load URL using only TLS 1.2 with SHA256 AES256.Website works fine in IE.
Are there any setting changes needed to resolve the issue?
Hi Krishna,
just tested the cipher support of Chrome. Chrome does not support the cihper called AES256-SHA256 (ID 61). It does only support AES256-SHA (ID 53) or AES256-GCM-SHA384 (ID 157) if you require a (non-DH) RSA based AES256.
Qualys SSL Labs: SSL/TLS Capabilities of Your Browser
https://www.ssllabs.com/ssltest/viewMyClient.html
To workaround this limitation, I would recommend to change your cipher string to include
as well asAES256-GCM-SHA384
. The GCM is considered more secure than CBC, so you will more or less increase the security of those browser who support this chiper spec.AES256-SHA256
[root@f501:Active:Standalone] / tmm --clientcipher 'AES256-GCM-SHA384:AES256-SHA256:-SSLv3:-DTLSv1:-TLSv1:-TLSv1_1' ID SUITE BITS PROT METHOD CIPHER MAC KEYX 0: 157 AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 RSA 1: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA [root@f501:Active:Standalone] /
Cheers, Kai
- youssef1Cumulonimbus
Hi,
You can take a packet capture of the ssl handshake (with ssldump) to see exactly which ciphers are being negotiated and selected.
https://support.f5.com/csp/article/K10209
Then check if you find a reference in chrome support/forum that talking about your problem.
SO first capture traffic then check with ssldump which ciphers/protocol are negotiated it will be helpfull for your to find a solution...
Regards
Hi Krishna,
please post your Client SSL Profile cipher string. Maybe we can optimize it further...
Cheers, Kai
- Krishna_388466Altostratus
Thanks. When I tried the above option in chrome://flags/ssl-version-max,I dont see any settings related to tls1.3 or ssl..
- Samir_Jha_52506Noctilucent
RC4 is disabled by chrome.
Run below in chrome browser
chrome://flags/ssl-version-max
Then change the maximum TLS version enabled from default to TLS 1.3
And select tls1.3 will work. Try n confirm.
- Krishna_388466Altostratus
err_ssl_version_or_cipher_mismatch is the error message
- Samir_Jha_52506Noctilucent
Can you please share the error message which you are seeing Google chrome? I am suspecting that chrome has removed RC4 cipher in chrome v48..
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com