Attempt to login to USG40, Chrome reports ERR_SSL_VERSION_OR_CIPHER_MISMATCH

LenBH Posts: 9  Freshman Member
edited April 2021 in Security
Just noticed today, after not logging into our USG40 for a while, I get an error in Chrome:

This site can’t provide a secure connection 192.168.2.1 uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Unsupported protocol
The client and server don't support a common SSL protocol version or cipher suite.

I'm guessing this is related to a bad SSL cert because Chrome no longer supports SSLv3?  We keep the USG40 and Win10 up-to-date with firmware and patches, and I guess one of the more recent updates patched a security hole.  Can anyone point me to the correct solution?  Searching the web hasn't offered anything obvious.

Thanks in advance.
Len

All Replies

  • Ian31
    Ian31 Posts: 174  Master Member
    @LenBH,
    You can use the CLI to change the supported protocols or TLS ciphers of the USG service.
    Here is the recommendation for highest security:

    Router(config)# ip http secure-server strong-cipher
    Router(config)# no ip http secure-server sslv3
    Router(config)# no ip http secure-server tlsv10
    Router(config)# no ip http secure-server tlsv11
    Router(config)# write

  • LenBH
    LenBH Posts: 9  Freshman Member
    Hi, Ian31.
    Thanks for the help.  All commands are accepted, but the first one responds with:
    Router(config)# ip http secure-server strong-cipher
    % This command will only activate strong cipher suites.

    After completing, and rebooting the USG40, I still can't connect.  Incidentally, I downloaded an old version of Firefox, and it connects fine, so it's definitely a recent security fix.

    Any other thoughts / suggestions?
  • LenBH
    LenBH Posts: 9  Freshman Member
    In case this is helpful, here's the secure server status info:

    Router(config)# show ip http server secure status
    active               : yes
    port                 : 443
    certificate          : default
    force redirect       : yes
    authentication client: no
    strong cipher suite  : yes
    cipher suite         : aes 3des des rc4
    ssl protocol         : tls1.2
    admin service control:
    No. Zone                 Address                          Action
    ===============================================================================
    user service control:
    No. Zone                 Address                          Action
    ===============================================================================
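
Added example, not part of the original thread and not Zyxel tooling: a Python check that parses the `show ip http server secure status` output posted above and flags weak TLS settings. Assumptions: the `cipher suite` line lists the cipher families the service offers, and older protocol versions print under names such as `sslv3` or `tls1.0`.

```python
import re

# Constructed sample: the status fields as they appear in the post above.
SAMPLE_STATUS = """\
active               : yes
port                 : 443
certificate          : default
strong cipher suite  : yes
cipher suite         : aes 3des des rc4
ssl protocol         : tls1.2
"""

WEAK_CIPHERS = {"des", "3des", "rc4"}
# Assumption: older versions print as e.g. "sslv3" or "tls1.0"; names are
# normalised below so "tlsv10" and "tls1.0" both become "tls10".
WEAK_PROTOCOLS = {"ssl3", "tls10", "tls11"}


def parse_status(text):
    """Parse 'key : value' lines into a dict with lowercase keys and values."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip().lower()] = value.strip().lower()
    return fields


def audit(fields):
    findings = []
    if fields.get("active") != "yes":
        return findings  # HTTPS service disabled, nothing is exposed
    # Assumption: 'cipher suite' lists the cipher families the service offers.
    weak = sorted(WEAK_CIPHERS & set(fields.get("cipher suite", "").split()))
    if weak:
        findings.append("weak cipher families listed: " + ", ".join(weak))
    protos = {re.sub(r"[v.]", "", p) for p in fields.get("ssl protocol", "").split()}
    old = sorted(WEAK_PROTOCOLS & protos)
    if old:
        findings.append("deprecated protocols enabled: " + ", ".join(old))
    if fields.get("strong cipher suite") != "yes":
        findings.append("strong-cipher mode is off")
    if fields.get("certificate") == "default":
        findings.append("default certificate in use")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(parse_status(SAMPLE_STATUS))))
```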

  • LenBH
    LenBH Posts: 9  Freshman Member
    Found part of my problem.  BitDefender antivirus must have recently added another layer of protection, and is preventing connections to secure sites with untrusted certificates.  From the day I bought the USG40, it has always presented me with a warning that it was not a secure site, and I clicked 'advanced', and connected anyway.  If that's the root of the problem, is there a fix for that?
    Thanks again...
  • [Deleted User]
    [Deleted User] Posts: 118  Zyxel Employee
    Dear @LenBH

    I have seen this a couple of times recently. This is nothing ZYXEL can do anything about.
    You have to go to BITDEFENDER.

    The feature that causes this can be disabled as follows:

    In Bitdefender, go to Protection -> Online threat prevention -> Settings -> Web protection -> disable Scan SSL

  • LenBH
    LenBH Posts: 9  Freshman Member
    Thanks, Mark.
    That's what I found also fixed the problem.  I appreciate the confirmation.
    Cheers.
