
SSL Cloudflare TLS 1.3 Error for some computers ERR_SSL_VERSION_INTERFERENCE

Discussion in 'Domains, DNS, Email & SSL Certificates' started by negative, Oct 27, 2018.

  1. negative

    negative Active Member

    260
    26
    28
    Apr 11, 2015
    Ratings:
    +59
    Local Time:
    2:37 PM
    1.9.10
    10.1.11
    • CentOS Version:CentOS 7 64bit
    • Centmin Mod Version Installed: Beta
    • Nginx Version Installed: 1.15.4
    • PHP Version Installed: 7.1.21
    • MariaDB MySQL Version Installed: 10.0.x
    • When was last time updated Centmin Mod code base ? : today
    • Persistent Config:
      Code (Text):
      POSTGRESQL=y
      PHPFINFO=y
      NGINX_PAGESPEED=y
      NGXDYNAMIC_NGXPAGESPEED=y
      NGINX_GEOIP=n
      PHPIONCUBE='n'
      PHPIMAGICK='y'
      VHOSTCTRL_CLOUDFLAREINC='y'
      CLOUDFLARE_ZLIB='y'
      CLOUDFLARE_ZLIBPHP='y'
      
    Nginx -V Output
    Code:
    [01:49][[email protected] ~]# nginx -V
    nginx version: nginx/1.15.4 (300918-024026)
    built by gcc 7.3.1 20180303 (Red Hat 7.3.1-5) (GCC)
    built with OpenSSL 1.1.1  11 Sep 2018
    TLS SNI support enabled
    configure arguments: --with-ld-opt='-Wl,-E -L/usr/local/zlib-cf/lib -L/usr/local/lib -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/zlib-cf/lib:/usr/local/lib' --with-cc-opt='-I/usr/local/zlib-cf/include -I/usr/local/include -m64 -march=native -DTCP_FASTOPEN=23 -g -O3 -fstack-protector-strong -flto -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wimplicit-fallthrough=0 -fcode-hoisting -Wp,-D_FORTIFY_SOURCE=2 -gsplit-dwarf' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --build=300918-024026 --with-compat --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.2 --add-module=../ngx_cache_purge-2.4.2 --add-dynamic-module=../ngx_devel_kit-0.3.0 --add-dynamic-module=../set-misc-nginx-module-0.32 --add-dynamic-module=../echo-nginx-module-0.61 --add-module=../redis2-nginx-module-0.15 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.18 --add-module=../srcache-nginx-module-0.31 --add-dynamic-module=../headers-more-nginx-module-0.33 --with-pcre-jit --with-http_ssl_module --with-http_v2_module --with-openssl=../openssl-1.1.1 --with-openssl-opt='enable-ec_nistp_64_gcc_128 enable-tls1_3'
    I'm using Cloudflare for SSL and all other optimizations on the Pro plan, but yesterday my friend told me that he can't access my website. When he types my website into the Chrome and Internet Explorer (Windows 7 PC) address bar, my website gives an error like "ERR_SSL_VERSION_INTERFERENCE" (Chrome Connection Reset, Standard Error Screen).

    After I searched the web, that problem looks to be with TLS 1.3 supported websites, so I went to check my Cloudflare settings and disabled TLS 1.3 support. And, bingo! The website was accessible once I disabled it.

    So what is the problem exactly? When I look at my server, it supports TLS 1.3. However, I don't use SSL on the Centmin server; I'm using just the Cloudflare dedicated paid certificate, and all SSL and optimizations are by Cloudflare, as I said. Anyway, should I modify some settings on my Centmin side?

    Thanks
     
  2. eva2000

    eva2000 Administrator Staff Member

    36,915
    8,074
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,438
    Local Time:
    10:37 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    The end user's anti-virus software needs updating as it doesn't support the TLS 1.3 version negotiated with Cloudflare or Centmin Mod Nginx TLS 1.3. Or the end user needs to disable the anti-virus software's HTTPS/secure site scanning/inspection (MITM).

    Or disable TLS 1.3 from Cloudflare or Centmin Mod Nginx.
     
  3. negative

    negative Active Member

    Yeah, that computer was using Norton antivirus and I tried (with TeamViewer) to disable it and tried again, but still no luck. So, disabling antivirus software doesn't work.

    I think I must disable TLS 1.3 from Cloudflare so that everyone can connect. :confused:
     
  4. rdan

    rdan Premium Member Premium Member

    4,369
    1,053
    113
    May 25, 2014
    Ratings:
    +1,524
    Local Time:
    8:37 PM
    Mainline
    10.2
    Chrome and IE specific version?
     
  5. rdan

    rdan Premium Member Premium Member

    If you can share your website I can test it now with vanilla Windows 7 install (IE and Chrome).
     
  6. negative

    negative Active Member

    I didn't remind them. But both browsers can't open the website.
    I disabled TLS 1.3 yesterday on Cloudflare, so it works now on all browsers.
     
  7. rdan

    rdan Premium Member Premium Member

    This is a big issue/situation for us with critical users.
    I'm curious what's the reason for this.
    It's even Cloudflare code failing.
     
  8. negative

    negative Active Member

    Yes, I thought I lost some visitors for a long time because of Cloudflare TLS 1.3 support.
     
  9. eva2000

    eva2000 Administrator Staff Member

    Yeah it's unfortunate but Cloudflare or Centmin Mod Nginx's TLS 1.3 version support can't account for clients/browsers or software (anti-virus) which choose to use unsupported/outdated TLS 1.3 versions.

    It's for this reason that Cloudflare currently doesn't support TLS 1.3 communication between CF and an HTTPS-enabled origin backend server, as some origin web servers are using unsupported/outdated TLS 1.3 versions; see "Cloudflare speak TLS 1.3 0-RTT with Origin Backend?"
    Note this is TLS 1.3 for CF to origin server communication and not TLS 1.3 from CF to visitor. But same principle really. Some visitors/clients don't support the right TLS 1.3 versions, which right now should be TLS 1.3 RFC final, TLS 1.3 draft 23 or 28 if connecting to CF servers.
     
  10. rdan

    rdan Premium Member Premium Member

    Can you ask him if the Cloudflare site itself produces an error?
    Cloudflare - The Web Performance & Security Company | Cloudflare
     