
SSL Cloudflare TLS 1.3 Error for some computers ERR_SSL_VERSION_INTERFERENCE

Discussion in 'Domains, DNS, Email & SSL Certificates' started by negative, Oct 27, 2018.

  1. negative

    negative Active Member

    • CentOS Version:CentOS 7 64bit
    • Centmin Mod Version Installed: Beta
    • Nginx Version Installed: 1.15.4
    • PHP Version Installed: 7.1.21
    • MariaDB MySQL Version Installed: 10.0.x
    • When was last time updated Centmin Mod code base ? : today
    • Persistent Config:
      Code (Text):
      POSTGRESQL=y
      PHPFINFO=y
      NGINX_PAGESPEED=y
      NGXDYNAMIC_NGXPAGESPEED=y
      NGINX_GEOIP=n
      PHPIONCUBE='n'
      PHPIMAGICK='y'
      VHOSTCTRL_CLOUDFLAREINC='y'
      CLOUDFLARE_ZLIB='y'
      CLOUDFLARE_ZLIBPHP='y'

    Nginx -V Output
    Code:
    [01:49][root@server ~]# nginx -V
    nginx version: nginx/1.15.4 (300918-024026)
    built by gcc 7.3.1 20180303 (Red Hat 7.3.1-5) (GCC)
    built with OpenSSL 1.1.1  11 Sep 2018
    TLS SNI support enabled
    configure arguments: --with-ld-opt='-Wl,-E -L/usr/local/zlib-cf/lib -L/usr/local/lib -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/zlib-cf/lib:/usr/local/lib' --with-cc-opt='-I/usr/local/zlib-cf/include -I/usr/local/include -m64 -march=native -DTCP_FASTOPEN=23 -g -O3 -fstack-protector-strong -flto -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wimplicit-fallthrough=0 -fcode-hoisting -Wp,-D_FORTIFY_SOURCE=2 -gsplit-dwarf' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --build=300918-024026 --with-compat --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.2 --add-module=../ngx_cache_purge-2.4.2 --add-dynamic-module=../ngx_devel_kit-0.3.0 --add-dynamic-module=../set-misc-nginx-module-0.32 --add-dynamic-module=../echo-nginx-module-0.61 --add-module=../redis2-nginx-module-0.15 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.18 --add-module=../srcache-nginx-module-0.31 --add-dynamic-module=../headers-more-nginx-module-0.33 --with-pcre-jit --with-http_ssl_module --with-http_v2_module --with-openssl=../openssl-1.1.1 --with-openssl-opt='enable-ec_nistp_64_gcc_128 enable-tls1_3'
    I'm using Cloudflare for SSL and all the other optimizations on the Pro plan, but yesterday my friend told me that he can't access my website. When he types my website into the Chrome and Internet Explorer (Windows 7 PC) address bar, my website gives an error like "ERR_SSL_VERSION_INTERFERENCE" (Chrome connection reset, standard error screen).

    After I explored the web, that problem appears on TLS 1.3 supported websites, so I went to check my Cloudflare settings and disabled TLS 1.3 support. And, bingo! The website is accessible when I disable it.

    So what is the problem exactly? When I look at my server, it supports TLS 1.3. However, I don't use SSL on the Centmin server; I'm using just the Cloudflare dedicated paid certificate, and all SSL and optimizations are done by Cloudflare, as I said. Anyway, should I modify some settings on my Centmin side?

    Thanks
     
  2. eva2000

    eva2000 Administrator Staff Member

    The end user's anti-virus software needs updating, as it doesn't support the TLS 1.3 version negotiated with Cloudflare or Centmin Mod Nginx TLS 1.3. Or the end user needs to disable the anti-virus software's HTTPS/secure site scanning/inspection (MITM).

    Or disable TLS 1.3 on Cloudflare or Centmin Mod Nginx.
     
  3. negative

    negative Active Member

    Yeah, that computer was using Norton antivirus and I've tried (with TeamViewer) to disable it and tried again, but still no luck. So, disabling the antivirus software doesn't work.

    I think I must disable TLS 1.3 on Cloudflare so that everyone can connect. :confused:
     
  4. rdan

    rdan Well-Known Member

    Chrome and IE specific version?
     
  5. rdan

    rdan Well-Known Member

    If you can share your website, I can test it now with a vanilla Windows 7 install (IE and Chrome).
     
  6. negative

    negative Active Member

    I didn't remind them. But both browsers can't open the website.
    I've disabled TLS 1.3 yesterday on Cloudflare, so it works now on all browsers.
     
  7. rdan

    rdan Well-Known Member

    This is a big issue/situation for us with critical users.
    I'm curious what the reason for this is.
    It's even Cloudflare code failing.
     
  8. negative

    negative Active Member

    Yes, I thought I lost some visitors for a long time because of Cloudflare TLS 1.3 support.
     
  9. eva2000

    eva2000 Administrator Staff Member

    Yeah, it's unfortunate, but Cloudflare's or Centmin Mod Nginx's TLS 1.3 support can't account for clients/browsers or software (anti-virus) which choose to use unsupported/outdated TLS 1.3 versions.

    It's for this reason that Cloudflare currently doesn't support TLS 1.3 communication between CF and an HTTPS-enabled origin backend server, as some origin web servers are using unsupported/outdated TLS 1.3 versions; see Cloudflare speak TLS 1.3 0-RTT with Origin Backend?
    Note this is TLS 1.3 for CF to origin server communication and not TLS 1.3 from CF to visitor, but it is the same principle really. Some visitors/clients don't support the right TLS 1.3 versions, which right now should be TLS 1.3 RFC final, or TLS 1.3 draft 23 or 28 if connecting to CF servers.
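The two replies above (the anti-virus MITM explanation and the draft 23/28 versus RFC final point) both come down to which TLS 1.3 version codes a client offers and which ones the server side accepts. The following is an added example for this thread, not Centmin Mod's, Cloudflare's or any poster's code: it decodes the `supported_versions` extension body a client sends (RFC 8446 section 4.2.1, where pre-RFC drafts were encoded as `0x7fNN` with `NN` the draft number) and shows what a server restricted to the versions eva2000 lists would negotiate. The accepted set `{final, draft 23, draft 28}` is an assumption taken from that post, the sample byte strings are constructed, and the server selection rule is a simplification (first acceptable code in the client's order, else TLS 1.2).

```python
import struct
from typing import Dict, List

# Wire codes from the supported_versions extension (RFC 8446 section 4.2.1).
# Pre-RFC TLS 1.3 drafts used 0x7fNN, where NN is the draft number.
TLS13_FINAL = 0x0304
TLS12 = 0x0303
DRAFT_PREFIX = 0x7f

# Versions the thread says a Cloudflare edge accepts: RFC final, draft 23 (0x17)
# and draft 28 (0x1c). This set is an assumption taken from eva2000's post.
CLOUDFLARE_ACCEPTED = {TLS13_FINAL, 0x7f17, 0x7f1c}

# Constructed sample bytes (not captured from a real client): a 1-byte list
# length followed by 2-byte version codes in the client's preference order.
SAMPLE_MODERN_CLIENT = bytes([0x08, 0x03, 0x04, 0x7f, 0x1c, 0x7f, 0x17, 0x03, 0x03])
# Constructed client that only knows an old draft (18) plus TLS 1.2.
SAMPLE_STALE_CLIENT = bytes([0x04, 0x7f, 0x12, 0x03, 0x03])


def parse_supported_versions(body: bytes) -> List[int]:
    """Decode the version list a client offers; raise ValueError on malformed input."""
    if not body:
        raise ValueError("empty supported_versions body")
    length = body[0]
    if length == 0 or length % 2 != 0 or 1 + length > len(body):
        raise ValueError("bad supported_versions length")
    return [struct.unpack("!H", body[1 + i:3 + i])[0] for i in range(0, length, 2)]


def classify(code: int) -> str:
    """Human-readable name for a version code, including TLS 1.3 draft numbers."""
    if code == TLS13_FINAL:
        return "TLS 1.3 final"
    if (code >> 8) == DRAFT_PREFIX:
        return f"TLS 1.3 draft {code & 0xff}"
    legacy = {TLS12: "TLS 1.2", 0x0302: "TLS 1.1", 0x0301: "TLS 1.0"}
    return legacy.get(code, f"unknown 0x{code:04x}")


def select_version(offered: List[int], accepted=CLOUDFLARE_ACCEPTED) -> int:
    """Simplified server choice: first accepted TLS 1.3 code in the client's
    order, otherwise TLS 1.2 if offered, otherwise 0 (handshake failure)."""
    for code in offered:
        if code in accepted:
            return code
    return TLS12 if TLS12 in offered else 0


def diagnose(body: bytes, accepted=CLOUDFLARE_ACCEPTED) -> Dict[str, object]:
    """Report what the client offered, what would be negotiated, and which
    offered draft codes the server side does not accept (the mismatch that
    an outdated client or TLS-inspecting proxy would show)."""
    offered = parse_supported_versions(body)
    chosen = select_version(offered, accepted)
    return {
        "offered": [classify(c) for c in offered],
        "negotiated": classify(chosen) if chosen else "none (handshake failure)",
        "stale_drafts": [classify(c) for c in offered
                         if (c >> 8) == DRAFT_PREFIX and c not in accepted],
    }


if __name__ == "__main__":
    for name, sample in (("modern", SAMPLE_MODERN_CLIENT), ("stale", SAMPLE_STALE_CLIENT)):
        print(name, diagnose(sample))
```

Running it shows the modern client negotiating TLS 1.3 final and the stale client falling back to TLS 1.2 with draft 18 flagged as unaccepted; a client whose only offered code is an unaccepted draft, with no TLS 1.2 fallback, ends in handshake failure, which is the shape of the problem the thread describes.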
     
  10. rdan

    rdan Well-Known Member

    Can you ask him if the Cloudflare site itself produces an error?
    Cloudflare - The Web Performance & Security Company | Cloudflare