Message 1 of 7

ERR_SSL_VERSION_OR_CIPHER_MISMATCH and SSL_ERROR_NO_CYPHER_OVERLAP

Something broken with the BT provided DNS that breaks a subset of websites. The errors are from Brave/Chrome and Firefox. Edge doesn't play either (somehow I have removed Edge from this PC; am sure it'll come back with an update..). Anyhow, the Edge infected PCs in this house also fail on a subset of websites.

The BT Smart Hub of some vintage is fibre to the box & the box is a few hundred meters away. It uses DNS 81.139.56.100 and 57.100. It does not allow me to configure them.

So if I

Set-DnsClientServerAddress -InterfaceIndex 3 -ServerAddress ("81.139.56.100")

Then all my browsers are often broken with a cipher mismatch.

If I use a randomly chosen different DNS

Set-DnsClientServerAddress -InterfaceIndex 3 -ServerAddress ("8.8.8.8")

My browsers stop complaining.

Odd.

Message 2 of 7

Re: ERR_SSL_VERSION_OR_CIPHER_MISMATCH and SSL_ERROR_NO_CYPHER_OVERLAP

Do you have BT Web Protect or Parental Controls in operation at a DNS level? You can check these on your MyBT account.

Message 3 of 7

Re: ERR_SSL_VERSION_OR_CIPHER_MISMATCH and SSL_ERROR_NO_CYPHER_OVERLAP

Away from the home network / device, it'll be a while till I can look, tho I doubt it has anything to do with parental control settings. The error had the feel of some server in a farm of servers needing a DNS process restart & am sure the process in question will have been restarted when as a user I next take a look. What a BT DNS server has to do with the cipher negotiation between an array of home devices and (say) bbc.co.uk, but not amazon, only some parts of facebook, some parts of youtube, these ski goggle websites but not those ski goggle websites, to the usual bunch of Windows 10/11, Android & Apple products... In my book BT's DNS involvement has happened, TCP SYN-SYN/ACK has happened, a TLS client hello has gone from me to the BEEB, from then on everything is encrypted, so what I am looking at on the BBC website is none of BT's business, and somewhere in the selection of things that have nothing to do with BT would be the selection of ciphers and the setting of keys and the endless other whatnots that make things complicated & they are complicated because at some level encryption is meant to be complicated.

Back in the day, the other side of retirement, I was a network engineer of sorts & DNS would break things in the most bizarre ways. This felt bizarre.

For some reason that made sense at the time the home network had a Pi-hole in it, an attempt to put some time constraints on whatever game the children were playing at the time, in the hope that they'd work out inventive ways around that parental control. They didn't, they just got older & the doing or not doing of their homework became more of their problem. I physically removed the Pi, changed the DHCP server option on the BT brick, restarted the BT hub and ... this stupid message on a haphazard bunch of websites.

Pi-hole is back in, I'll get round to removing it another day. 

But thanks for the ack.

Message 4 of 7

Re: ERR_SSL_VERSION_OR_CIPHER_MISMATCH and SSL_ERROR_NO_CYPHER_OVERLAP

Hello,

I had a very similar error to this once when trying to access a website run by the company I work for. As I was in charge of the website, it was up to me to figure out why this was happening, and I am going off of memory from a couple of years ago now, but from what I can remember, the web browser (Firefox and Google Chrome I believe) had updated and, to be more secure, had stopped showing websites that use TLS 1.0 or TLS 1.1, I believe, as they were considered to be not secure any more. I think TLS 2.0 and 3.0 were okay. I had to then go into the web server and update the security suites that were allowed and that then solved the issue.

Obviously, this cannot be exactly the case here, especially if you are getting the error on lots of websites and you don't run them, but it might be worth checking any changes to security settings that may have been made across your network that might be basically kicking out any secure sites that don't use 'the expected' settings.

Message 5 of 7

Re: ERR_SSL_VERSION_OR_CIPHER_MISMATCH and SSL_ERROR_NO_CYPHER_OVERLAP

Thanks for the thought.

If I could still remember the days when I knew what I was talking about, the endless versions of TLS would have been the natural source for this error message. There are a slew of content-free / for-advertising-revenue websites & youtubes that are ~ "upgrade your browser" & similarly useful advice. Tho we've all failed the "is it plugged in?" test at some point in our lives.

..back to the more serious topic of buying more ski goggles. They go in the drawer dry & come out next year with rotten foam; repeat each year.

Message 6 of 7

Re: ERR_SSL_VERSION_OR_CIPHER_MISMATCH and SSL_ERROR_NO_CYPHER_OVERLAP

Was at the house again & took another look. wtf is 81.130.111.239? The BT DNS returns the same IP address for a whole bunch of websites that on the face of it have nothing to do with each other. The device is blocked from networks outside the BT network; inside the BT network it has port 80 and port 443 open, but TLS isn't enabled on the 443 port. I say "hello", the device closes the connection with a FIN... there are no ciphers offered, so a cipher mismatch is as good an error message as any, tho there could be a lot better options. (Whoever chose to have a FIN close a server connection needs to have their ear flicked..)

Was taking a few wireshark & netsh traces during the afternoon .. see these DNS responses, some from the BT smart thing as DNS, some direct from my Windows machine to the DNS server the smart thing said it was using.

re3234@DESKTOP-VT4HFRC:/mnt/c/Users/re3234/Documents/test$ find . -name "*.pcapng" -exec tshark -r {} -Y "dns" \;  | grep \.111\.239
   85  21.197533 81.139.56.100 → 192.168.1.93 DNS 95 Standard query response 0x7c14 A static.xx.fbcdn.net A 81.130.111.239
  338  11.040988 192.168.1.254 → 192.168.1.93 DNS 95 Standard query response 0xfae9 A static.xx.fbcdn.net A 81.130.111.239
  344  11.043857 192.168.1.254 → 192.168.1.93 DNS 95 Standard query response 0xe04f A static.xx.fbcdn.net A 81.130.111.239
  363  11.292273 192.168.1.254 → 192.168.1.93 DNS 106 Standard query response 0xf8ea A scontent.fbrs4-1.fna.fbcdn.net A 81.130.111.239
  365  11.295190 192.168.1.254 → 192.168.1.93 DNS 106 Standard query response 0x7176 A scontent.fbrs4-1.fna.fbcdn.net A 81.130.111.239
  655  12.577446 192.168.1.254 → 192.168.1.93 DNS 106 Standard query response 0x7699 A scontent.fbrs4-2.fna.fbcdn.net A 81.130.111.239
  692  12.883662 192.168.1.254 → 192.168.1.93 DNS 106 Standard query response 0xf56d A scontent.fbrs4-2.fna.fbcdn.net A 81.130.111.239
 1708  41.760647 192.168.1.254 → 192.168.1.93 DNS 95 Standard query response 0x52af A static.xx.fbcdn.net A 81.130.111.239
 1757  42.989111 192.168.1.254 → 192.168.1.93 DNS 106 Standard query response 0x25cf A scontent.fbrs4-2.fna.fbcdn.net A 81.130.111.239
 1762  42.993368 192.168.1.254 → 192.168.1.93 DNS 106 Standard query response 0x48e6 A scontent.fbrs4-2.fna.fbcdn.net A 81.130.111.239
 1876  61.312819 192.168.1.254 → 192.168.1.93 DNS 91 Standard query response 0x92c4 A www.youtube.com A 81.130.111.239
 1964  72.788697 192.168.1.254 → 192.168.1.93 DNS 95 Standard query response 0x0d4c A static.xx.fbcdn.net A 81.130.111.239
 2116  88.148554 192.168.1.254 → 192.168.1.93 DNS 106 Standard query response 0x4677 A scontent.fbrs4-1.fna.fbcdn.net A 81.130.111.239
 3219 102.263443 192.168.1.254 → 192.168.1.93 DNS 95 Standard query response 0x2203 A static.xx.fbcdn.net A 81.130.111.239
 3224 102.266086 192.168.1.254 → 192.168.1.93 DNS 95 Standard query response 0xc972 A static.xx.fbcdn.net A 81.130.111.239
 3504 106.887993 192.168.1.254 → 192.168.1.93 DNS 106 Standard query response 0x2afe A scontent.fbrs4-2.fna.fbcdn.net A 81.130.111.239
 3926 126.343726 192.168.1.254 → 192.168.1.93 DNS 91 Standard query response 0x9a10 A www.youtube.com A 81.130.111.239
  539  17.101587 81.139.56.100 → 192.168.1.93 DNS 107 Standard query response 0xa7cf A www.bbc.co.uk A 81.130.111.239
  556  17.408812 81.139.56.100 → 192.168.1.93 DNS 107 Standard query response 0xbc47 A www.bbc.co.uk A 81.130.111.239
 5653  64.629587 81.139.56.100 → 192.168.1.93 DNS 113 Standard query response 0xe93d A static.xx.fbcdn.net A 81.130.111.239
 5812  65.332279 81.139.56.100 → 192.168.1.93 DNS 124 Standard query response 0xd762 A scontent.fbrs4-2.fna.fbcdn.net A 81.130.111.239
 5813  65.332280 81.139.56.100 → 192.168.1.93 DNS 124 Standard query response 0x2c20 A scontent.fbrs4-1.fna.fbcdn.net A 81.130.111.239
 6892  72.634958 81.139.56.100 → 192.168.1.93 DNS 124 Standard query response 0x696a A scontent.fbrs4-2.fna.fbcdn.net A 81.130.111.239
 6894  72.634959 81.139.56.100 → 192.168.1.93 DNS 124 Standard query response 0xa68a A scontent.fbrs4-1.fna.fbcdn.net A 81.130.111.239
 7871  77.927053 81.139.56.100 → 192.168.1.93 DNS 113 Standard query response 0x6bf5 A static.xx.fbcdn.net A 81.130.111.239
 9942  96.651413 81.139.56.100 → 192.168.1.93 DNS 110 Standard query response 0xd47e A www.adidas.co.uk A 81.130.111.239
 9946  96.664013 81.139.56.100 → 192.168.1.93 DNS 110 Standard query response 0x0957 A www.adidas.co.uk A 81.130.111.239
10314 112.026624 81.139.56.100 → 192.168.1.93 DNS 109 Standard query response 0x6937 A www.youtube.com A 81.130.111.239
10796 117.556069 81.139.56.100 → 192.168.1.93 DNS 114 Standard query response 0xb348 A accounts.youtube.com A 81.130.111.239

Youtube in a BT datacenter ... really really don't believe that. Google have loads of datacenters of their own & if they need more they'd just build more. Their DNS is integral to their server load-balancing. Back in the day I was joined at the hip of a network for 450K users or so (in a single customer network) & at idle times I'd watch the Google DNS responses change by time of day as one of their datacenters would shift load to another. My employer back then was an ISP, I remember counting the number of 100G links it had towards Google, there were lots of them, Google/Youtube consumed a significant proportion of the network, only bettered by the links to Netflix. I forget what "lots" was, but not the sort of stuff you point at a single device.

Tried to open a ticket, comical failure, bloke will turn up to look at the wires on the pole outside (for whatever reason the DSL performance is bad on rainy days in that house, whereas DSL performance is bad on sunny days in this house; you can't win..).

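The pattern the post is describing, one resolver handing back a single address for many unrelated names, is easy to spot mechanically from exactly the kind of tshark summary lines quoted above. The following is an added example (not code from the original post): it parses those lines, flags any address that several unrelated registrable domains collapse onto, and lists names for which two resolvers disagree. The sample input is constructed; the 8.8.8.8 answers use RFC 5737 documentation addresses as stand-ins for healthy responses, and the two-label suffix set is a deliberately small substitute for the Public Suffix List.

```python
import re
from collections import defaultdict

# Constructed sample in the one-line "tshark -Y dns" summary format quoted in the post. The
# 8.8.8.8 answers are RFC 5737 documentation addresses standing in for healthy responses.
SAMPLE_LINES = """\
   85  21.197533 81.139.56.100 → 192.168.1.93 DNS 95 Standard query response 0x7c14 A static.xx.fbcdn.net A 81.130.111.239
  539  17.101587 81.139.56.100 → 192.168.1.93 DNS 107 Standard query response 0xa7cf A www.bbc.co.uk A 81.130.111.239
 9942  96.651413 81.139.56.100 → 192.168.1.93 DNS 110 Standard query response 0xd47e A www.adidas.co.uk A 81.130.111.239
10314 112.026624 81.139.56.100 → 192.168.1.93 DNS 109 Standard query response 0x6937 A www.youtube.com A 81.130.111.239
   12   3.001200 8.8.8.8 → 192.168.1.93 DNS 107 Standard query response 0x1111 A www.bbc.co.uk A 203.0.113.10
   14   3.004100 8.8.8.8 → 192.168.1.93 DNS 109 Standard query response 0x2222 A www.youtube.com A 198.51.100.20
"""
LINE_RE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<src>\S+)\s+(?:→|->)\s+\S+\s+DNS\s+\d+\s+Standard query response "
    r"0x[0-9a-fA-F]+ A (?P<qname>\S+) A (?P<ip>\d+\.\d+\.\d+\.\d+)$")
# Two-label public suffixes that appear here; a real tool would consult the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk"}

def registrable_domain(name):
    labels = name.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def parse_dns_answers(text):
    """Return (resolver, qname, ip) for each A-record answer line; anything else is skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((m["src"], m["qname"], m["ip"]))
    return out

def collapsed_ips(records, min_domains=3):
    """IPs that several unrelated registrable domains resolve to: the pattern in the post."""
    names = defaultdict(set)
    for _, qname, ip in records:
        names[ip].add(qname)
    return {ip: sorted(ns) for ip, ns in names.items()
            if len({registrable_domain(n) for n in ns}) >= min_domains}

def resolver_disagreements(records):
    """Names for which different resolvers returned different answer sets."""
    by_name = defaultdict(lambda: defaultdict(set))
    for resolver, qname, ip in records:
        by_name[qname][resolver].add(ip)
    return {q: {r: sorted(ips) for r, ips in rs.items()} for q, rs in by_name.items()
            if len(rs) > 1 and len({frozenset(ips) for ips in rs.values()}) > 1}
```

Feed it the real `tshark -r capture.pcapng -Y dns` output captured against the ISP resolver and a second resolver, and `collapsed_ips` plus `resolver_disagreements` give the same evidence the post assembled by hand.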
Message 7 of 7

Re: ERR_SSL_VERSION_OR_CIPHER_MISMATCH and SSL_ERROR_NO_CYPHER_OVERLAP

I have reported this issue around Jan 4th 2024 with exactly the same DNS servers you (@re3234) mentioned (81.139.56.100 and 81.139.57.100). The responses I got from BT so called support were absolutely disgusting. 3 months of hours on the phone asking them to investigate the issue or just swap out the DNS servers. I proved the issue just the same way you did, but they refused to investigate the issue and they maintained over and over again that they do not support DNS.... how crazy is that. On an initial call I was told that I cannot change the DNS servers, I can only do that on a business account. I said I don't want to change the DNS server addresses myself, I want you to change them on the service you are providing to my address. They insisted that they cannot do that, and they said there is no one else who can help. They insisted on several occasions that there is no other team who can help.... I escalated it to their Executive team (apparently their complaints process); the person who called me back from the Exec team had no technical knowledge, and refused to allow me to reiterate the issue clearly.

They sent a Deadlock letter saying that I had asked to change the DNS server addresses on the router, and had been told they can't be changed. But I had only suggested that as the solution; my main insistence was for them to investigate the issue, which they never did. Eventually I lost access to 2 other sites, and on the 3rd site I called them again and someone called Mason said he would put me through to a technical team, apparently another team.... so now they have admitted that they have a more technical team to handle issues that 1st line can't handle.

However, while the engineer understood the issue much better than anyone else I had spoken to so far, the engineer was unable to do any useful diagnostics on the DNS servers. Also he said even he does not have the ability or power to change the DNS servers used by the service supplied.

He could not do any DNS lookups, and had no ability to connect to a BT service and assign the DNS servers, to replicate the fault. He only had BT specific diagnostic tools which do not interrogate the DNS servers in a way to assist in investigating this fault. Even the 1st line engineers in earlier calls had said they could not see an issue with the line and were dismissive of the fault I was reporting. Clearly a line test is not going to show up DNS issues.....

I have today done some testing similar to yours and I can see that the 3 sites I have an issue with are pointing at the same IP you mentioned, 81.130.111.239. This indicates some kind of issue with the DNS servers. The DNS servers are not updating or there is another issue, but certainly the DNS records for the sites should not be pointing at 81.130.111.239.... which as far as I can see is an IP GEO located in Lancaster and is part of a 81.0.0.0/24 subnet which doesn't just cover the UK, it also covers Europe. The range 81.130.0.0 - 81.130.111.0 is Lancaster.

Why are the DNS servers (81.139.56.100 and 81.139.57.100) pointing at this IP address for those and many other sites, and why do BT refuse to investigate this issue? Their other BT DNS servers do not have this issue.

This issue has been posted here by you (@re3234) since last November and they refuse to do anything about it. One adviser said to me, so what if you can't access those sites, you have a connection don't you. I said ok, so if you did online shopping on Sainsbury's website and you suddenly couldn't access it on the service you are paying for, that you should be able to access the site on, you would be happy, yes?.... she refused to answer..... absolutely disgusting.

BT were not brilliant when I used them before, but this has put them way below 0 in my rating now. They are providing a service for which they cannot provide adequate support.... under consumer law this entitles the customer to a full or partial refund for the service and/or compensation.

@wkirkman 
@jac_95 
