Attempt to login to USG40, Chrome reports ERR_SSL_VERSION_OR_CIPHER_MISMATCH

LenBH

Just noticed today, after not logging into our USG40 for a while, I get an error in Chrome:

This site can’t provide a secure connection 192.168.2.1 uses an unsupported protocol.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Unsupported protocol

The client and server don't support a common SSL protocol version or cipher suite.

I'm guessing this is related to a bad SSL cert because Chrome no longer supports SSLv3?  We keep the USG40 and Win10 up-to-date with firmware and patches, and I guess one of the more recent updates patched a security hole.  Can anyone point me to the correct solution?  Searching the web hasn't offered anything obvious.

Thanks in advance.
Len

Ian31

@LenBH,
You can use CLI to change the support protocol or TLS cipher of USG service.
Here the recommend for highest security, 

Router(config)# ip http secure-server strong-cipher

Router(config)# no ip http secure-server sslv3

Router(config)# no ip http secure-server tlsv10

Router(config)# no ip http secure-server tlsv11
Router(config)# write

LenBH

Hi, lan31.
Thanks for the help.  All commands are accepted, but the first one responds with:
Router(config)# ip http secure-server strong-cipher
% This command will only activate strong cipher suites.

After competing, and rebooting the USG40, I still can't connect.  Incidentally, I downloaded an old version of Firefox, and it connects fine, so it's definitely a recent security fix.

Any other thoughts / suggestions?

LenBH

In case this is helpful, here's the secure server status info:

Router(config)# show ip http server secure status

active               : yes

port                 : 443

certificate          : default

force redirect       : yes

authentication client: no

strong cipher suite  : yes

cipher suite         : aes 3des des rc4

ssl protocol         : tls1.2

admin service control:

No. Zone                 Address                          Action

===============================================================================

user service control:

No. Zone                 Address                          Action

===============================================================================

LenBH

Found part of my problem.  BitDefender antivirus must have recently added another layer of protection, and is preventing connections to secure sites with untrusted certificates.  From the day I bought the USG40, it has always presented me with warning that it was not a secure site, and I clicked 'advanced', and connected anyway.  If that's the root of the problem, is there a fix for that?
Thanks again...

[Deleted User]

Dear @LenBH

I have seen this now recently a couple of times.. This is nothing ZYXEL can do about..
You have to go to BITDEFENDER..

The feature that causes this is to disable as following..
 
In bitdefender
Go to Protection -- Online threat prevention -- settings --- web protection --- disable scan SSL

LenBH

Thanks, Mark.
That's what I found also fixed the problem.  I appreciate the confirmation.
Cheers.

matrix07

Mark said:

Dear @LenBH

I have seen this now recently a couple of times.. This is nothing ZYXEL can do about..
You have to go to BITDEFENDER..

The feature that causes this is to disable as following..
 
In bitdefender
Go to Protection -- Online threat prevention -- settings --- web protection --- disable scan SSL

The same happens in a computer with Bitdefender 2019. the web protection configuration needs to be adjusted. If not, you will be unable to access the GUI from the Zyxel NGF