I have tried with SSL 3.0, TLS 1.0, and TLS 1.1 enabled AND the specific ciphersuites, but the result is the same ERR_SSL_VERSION_OR_CIPHER_MISMATCH error.
I enabled SSL 3.0, TLS 1.0, TLS 1.1:
undo ssl version ssl3.0 disable
undo ssl version tls1.0 disable
undo ssl version tls1.1 disable
undo ip https enable
ip https enable
Without setting a specific ciphersuite.
Testing with nmap v7.70 from a CentOS 8 host with command:
nmap -sV --script ssl-enum-ciphers -p 443 switch2.domain.local
Shows a very limited cipher set:
|_http-server-header: HTTPD
| ssl-enum-ciphers:
| SSLv3:
| ciphers:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Broken cipher RC4 is deprecated by RFC 7465
| CBC-mode cipher in SSLv3 (CVE-2014-3566)
| Ciphersuite uses MD5 for message integrity
| TLSv1.0:
| ciphers:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Broken cipher RC4 is deprecated by RFC 7465
| Ciphersuite uses MD5 for message integrity
| TLSv1.1:
| ciphers:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Broken cipher RC4 is deprecated by RFC 7465
| Ciphersuite uses MD5 for message integrity
| TLSv1.2:
| ciphers:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Broken cipher RC4 is deprecated by RFC 7465
| Ciphersuite uses MD5 for message integrity
|_ least strength: C
Same with sslyze (https://github.com/nabla-c0d3/sslyze) 4.1.0 from a Windows Server 2019 server:
SCAN RESULTS FOR SWITCH2.DOMAIN.LOCAL:443 - 10.10.10.10
-------------------------------------------------------------
* Deflate Compression:
OK - Compression disabled
* OpenSSL Heartbleed:
OK - Not vulnerable to Heartbleed
* OpenSSL CCS Injection:
OK - Not vulnerable to OpenSSL CCS injection
* TLS 1.2 Cipher Suites:
Attempted to connect using 156 cipher suites.
The server accepted the following 5 cipher suites:
TLS_RSA_WITH_RC4_128_SHA 128
TLS_RSA_WITH_RC4_128_MD5 128
TLS_RSA_WITH_AES_256_CBC_SHA 256
TLS_RSA_WITH_AES_128_CBC_SHA 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA 168
The group of cipher suites supported by the server has the following properties:
Forward Secrecy INSECURE - Not Supported
Legacy RC4 Algorithm INSECURE - Supported
* ROBOT Attack:
OK - Not vulnerable.
* Session Renegotiation:
Client Renegotiation DoS Attack: VULNERABLE - Server honors client-initiated renegotiations
Secure Renegotiation: OK - Supported
* TLS 1.2 Session Resumption Support:
With Session IDs: NOT SUPPORTED (0 successful resumptions out of 5 attempts).
With TLS Tickets: OK - Supported.
* SSL 3.0 Cipher Suites:
Attempted to connect using 80 cipher suites.
The server accepted the following 5 cipher suites:
TLS_RSA_WITH_RC4_128_SHA 128
TLS_RSA_WITH_RC4_128_MD5 128
TLS_RSA_WITH_AES_256_CBC_SHA 256
TLS_RSA_WITH_AES_128_CBC_SHA 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA 168
The group of cipher suites supported by the server has the following properties:
Forward Secrecy INSECURE - Not Supported
Legacy RC4 Algorithm INSECURE - Supported
* Certificates Information:
Hostname sent for SNI: switch2.domain.local
Number of certificates detected: 1
Certificate #0 ( _RSAPublicKey )
SHA1 Fingerprint: 88c43163b01d2e0d8fddc44320ee967e6f2077d8
Common Name: HTTPS-Self-Signed-Certificate-ba0115a4076d6ffc
Issuer: HTTPS-Self-Signed-Certificate-ba0115a4076d6ffc
Serial Number: 0
Not Before: 2011-01-01
Not After: 2030-12-27
Public Key Algorithm: _RSAPublicKey
Signature Algorithm: sha256
Key Size: 2048
Exponent: 65537
DNS Subject Alternative Names: []
Certificate #0 - Trust
Hostname Validation: FAILED - Certificate does NOT match server hostname
Android CA Store (9.0.0_r9): FAILED - Certificate is NOT Trusted: self signed certificate
Apple CA Store (iOS 14, iPadOS 14, macOS 11, watchOS 7, and tvOS 14):FAILED - Certificate is NOT Trusted: self signed certificate
Java CA Store (jdk-13.0.2): FAILED - Certificate is NOT Trusted: self signed certificate
Mozilla CA Store (2021-01-24): FAILED - Certificate is NOT Trusted: self signed certificate
Windows CA Store (2021-02-08): FAILED - Certificate is NOT Trusted: self signed certificate
Symantec 2018 Deprecation: ERROR - Could not build verified chain (certificate untrusted?)
Received Chain: HTTPS-Self-Signed-Certificate-ba0115a4076d6ffc
Verified Chain: ERROR - Could not build verified chain (certificate untrusted?)
Received Chain Contains Anchor: ERROR - Could not build verified chain (certificate untrusted?)
Received Chain Order: OK - Order is valid
Verified Chain contains SHA1: ERROR - Could not build verified chain (certificate untrusted?)
Certificate #0 - Extensions
OCSP Must-Staple: NOT SUPPORTED - Extension not found
Certificate Transparency: NOT SUPPORTED - Extension not found
Certificate #0 - OCSP Stapling
NOT SUPPORTED - Server did not send back an OCSP response
* SSL 2.0 Cipher Suites:
Attempted to connect using 7 cipher suites; the server rejected all cipher suites.
* TLS 1.0 Cipher Suites:
Attempted to connect using 80 cipher suites.
The server accepted the following 5 cipher suites:
TLS_RSA_WITH_RC4_128_SHA 128
TLS_RSA_WITH_RC4_128_MD5 128
TLS_RSA_WITH_AES_256_CBC_SHA 256
TLS_RSA_WITH_AES_128_CBC_SHA 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA 168
The group of cipher suites supported by the server has the following properties:
Forward Secrecy INSECURE - Not Supported
Legacy RC4 Algorithm INSECURE - Supported
* TLS 1.3 Cipher Suites:
Attempted to connect using 5 cipher suites; the server rejected all cipher suites.
* Elliptic Curve Key Exchange:
The server does not support cipher suites with ECDH key exchanges.
* TLS 1.1 Cipher Suites:
Attempted to connect using 80 cipher suites.
The server accepted the following 5 cipher suites:
TLS_RSA_WITH_RC4_128_SHA 128
TLS_RSA_WITH_RC4_128_MD5 128
TLS_RSA_WITH_AES_256_CBC_SHA 256
TLS_RSA_WITH_AES_128_CBC_SHA 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA 168
The group of cipher suites supported by the server has the following properties:
Forward Secrecy INSECURE - Not Supported
Legacy RC4 Algorithm INSECURE - Supported
* Downgrade Attacks:
TLS_FALLBACK_SCSV: OK - Supported
SCAN COMPLETED IN 9.10 S
------------------------
According to the Security tab in the Developer Tools in the Edge browser it connected with:
The connection to this site is encrypted and authenticated using TLS 1.2, RSA, and AES_128_CBC with HMAC-SHA1.
Now to apply my ciphersuite:
ssl server-policy "specific-ciphersuites"
ciphersuite dhe_rsa_aes_128_cbc_sha dhe_rsa_aes_128_cbc_sha256 dhe_rsa_aes_256_cbc_sha dhe_rsa_aes_256_cbc_sha256 ecdhe_ecdsa_aes_128_cbc_sha256 ecdhe_ecdsa_aes_128_gcm_sha256 ecdhe_ecdsa_aes_256_cbc_sha384 ecdhe_ecdsa_aes_256_gcm_sha384 ecdhe_rsa_aes_128_cbc_sha256 ecdhe_rsa_aes_128_gcm_sha256 ecdhe_rsa_aes_256_cbc_sha384 ecdhe_rsa_aes_256_gcm_sha384 rsa_aes_128_cbc_sha rsa_aes_128_cbc_sha256 rsa_aes_256_cbc_sha rsa_aes_256_cbc_sha256
quit
undo ip https enable
ip https ssl-server-policy "specific-ciphersuites"
ip https enable
Edge now shows the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error.
The nmap test with the same command now shows only an open port:
Starting Nmap 7.70 ( https://nmap.org ) at 2021-09-09 14:47 CEST
Nmap scan report for switch2.domain.local (10.10.10.10)
Host is up (0.0010s latency).
PORT STATE SERVICE VERSION
443/tcp open ssl/https?
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.95 seconds
sslyze shows that it cannot connect:
CHECKING HOST(S) AVAILABILITY
-----------------------------
switch2.domain.local:443 => ERROR: Probing failed: could not find a TLS version and cipher suite supported by the server; discarding scan.
SCAN COMPLETED IN 0.13 S
------------------------