SSL_ERROR_NO_CYPHER_OVERLAP in Firefox
Firefox and the server share no cipher suite both will use, so the TLS handshake dies before any data moves.
What you see
Secure Connection Failed

An error occurred during a connection to example.com. Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP
What’s actually happening
During the handshake Firefox sends its list of acceptable cipher suites; the server has none of them on its list. With nothing in common, the connection can't be negotiated and Firefox stops, often with no "Advanced" override to click. The usual trigger is a server that's years out of date — it still offers RC4, 3DES, or export-grade ciphers that modern Firefox removed, or it only speaks TLS 1.0/1.1, which Firefox 78+ disabled. Some appliance admin panels (old iLO/iDRAC, printers, NAS boxes) are the classic offenders.
Common causes
- The server only offers ciphers Firefox no longer supports. RC4 was removed outright in Firefox 50; 3DES and export-grade suites are effectively gone too.
- The server is capped at TLS 1.0/1.1, which Firefox 78 disabled by default — if no TLS 1.2+ suite is offered, there's no overlap.
- An old SSL config with a hand-written, mostly-disabled `ssl_ciphers` / `SSLCipherSuite` list that no longer intersects a modern client.
- An embedded device or legacy appliance (router, printer, BMC, NAS web UI) shipped with a frozen, ancient TLS stack.
- A misconfigured server that requires a client certificate or an exotic suite the browser won't present.
How to fix it
- See exactly what the server offers. Run `nmap --script ssl-enum-ciphers -p 443 example.com` (or test it on SSL Labs). You'll get the full list of protocols and ciphers the server accepts. If everything is TLS 1.0/1.1 or the only ciphers are RC4/3DES, you've found it.
- Enable TLS 1.2/1.3 and a modern cipher list. Pull a config from Mozilla's SSL Configuration Generator (the "Intermediate" profile). For Nginx that's `ssl_protocols TLSv1.2 TLSv1.3;` plus an ECDHE-based `ssl_ciphers` line; Apache uses `SSLProtocol` / `SSLCipherSuite`. Reload and re-scan to confirm TLS 1.2+ now shows up.
- Confirm the diagnosis without weakening the browser. You can temporarily flip `security.tls.version.min` to 1 in about:config to prove the server is stuck on old TLS; the page will load. Set it straight back to 3 (TLS 1.2). That's a test, not a fix; the server is what needs upgrading.
- Update or front the legacy appliance. If it's a device with a frozen TLS stack and no firmware update, put a modern reverse proxy (Nginx/Caddy) in front to terminate TLS, or access it over an isolated management network instead of exposing it to current browsers.
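
The scan check from the first step, as an added example that is not part of the original page: a Python script that parses the text output of `nmap --script ssl-enum-ciphers` and applies the rule stated there (only TLS 1.0/1.1, or only RC4/3DES/export suites, means no overlap). The function names, verdict labels and sample scan are constructed for illustration, and the marker list is a heuristic taken from this page, not Firefox's actual suite list.

```python
import re

LEGACY_MARKERS = ("RC4", "3DES", "EXPORT")   # suite families the page names as removed
MODERN_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}    # protocol versions Firefox 78+ still enables

def parse_enum_ciphers(text):
    """Return {protocol: [suite, ...]} from ssl-enum-ciphers text output."""
    offered, proto, in_ciphers = {}, None, False
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").rstrip()          # drop nmap's script-output gutter
        header = re.fullmatch(r"((?:SSLv|TLSv)[\d.]+):", line)
        if header:
            proto, in_ciphers = header.group(1), False
            offered[proto] = []
        elif line == "ciphers:":
            in_ciphers = True
        elif line.endswith(":"):                   # compressors:, warnings:, ...
            in_ciphers = False
        elif in_ciphers and proto:
            suite = re.match(r"(?:TLS|SSL)_\w+", line)
            if suite:
                offered[proto].append(suite.group(0))
    return offered

def diagnose(text):
    """Flag a likely no-overlap server: nothing non-legacy offered on TLS 1.2+."""
    offered = parse_enum_ciphers(text)
    usable = {}
    for proto, suites in offered.items():
        keep = [s for s in suites if not any(m in s for m in LEGACY_MARKERS)]
        if proto in MODERN_PROTOCOLS and keep:
            usable[proto] = keep
    if not offered:
        return "no-data", usable
    return ("overlap-possible" if usable else "no-overlap-likely"), usable

# Constructed sample output for a legacy appliance (not captured from a real host).
LEGACY_SCAN = """\
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|_  least strength: C
"""

if __name__ == "__main__":
    print(diagnose(LEGACY_SCAN))
```

Run it on saved scan output before and after a config change; a verdict of `overlap-possible` only means the page's two failure conditions are absent, so still confirm in the browser.
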
Stop it recurring
Track your TLS config against Mozilla's recommended profiles and re-scan with SSL Labs after server upgrades, so a removed cipher or dropped protocol gets caught before users do.