SSL_ERROR_NO_CIPHER_OVERLAP

Key idea:

Firefox could not find a common cipher suite with your server during the TLS handshake. In 2026 this error usually means the server supports only TLS 1.0/1.1 (Firefox disabled them by default in FF 78), or uses deprecated RC4 / 3DES / MD5 ciphers Firefox has dropped. The fix is to enable TLS 1.2+ and modern cipher suites on the server.

Details

  • Firefox 78+ (2020) fully disabled TLS 1.0/1.1; FF 100+ — RC4, 3DES, MD5
  • Inspect: nmap --script ssl-enum-ciphers -p 443 yourhost — shows what the server offers
  • nginx: ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:...; ssl_prefer_server_ciphers off
  • Apache: SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1; SSLCipherSuite TLSv1.3 + ECDHE-* for TLS 1.2
  • If you need legacy-client compatibility — Mozilla SSL Config Generator → intermediate profile

Example

# 1. What does your server offer?
nmap --script ssl-enum-ciphers -p 443 example.com

# 2. Reference nginx block (Mozilla intermediate profile, 2026):
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;

# 3. Verify after restart:
echo | openssl s_client -connect example.com:443 -tls1_2 -servername example.com 2>/dev/null | grep -E 'Protocol|Cipher'

TL;DR: Fixing SSL_ERROR_NO_CIPHER_OVERLAP in Firefox

The SSL_ERROR_NO_CIPHER_OVERLAP error in Firefox indicates that the browser cannot find a common cryptographic protocol with the server. To fix this, ensure that your server supports modern TLS versions (1.2 and 1.3) and ciphers. Check your server configuration, and if necessary, update it to include compatible cipher suites and protocols. Additionally, confirm that your SSL certificate is correctly installed and not expired.

Understanding the SSL_ERROR_NO_CIPHER_OVERLAP Error

The SSL_ERROR_NO_CIPHER_OVERLAP error occurs when a web browser, such as Firefox, is unable to negotiate a secure connection with a server due to incompatible cipher suites or outdated TLS protocols. This issue typically arises when the server is configured to support only older, insecure protocols (like TLS 1.0 or 1.1) or when it lacks the necessary cipher suites that a modern browser requires.

To delve deeper into the problem, it’s essential to understand the role of SSL/TLS and ciphers in securing web communications. SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic protocols designed to provide secure communication over a computer network. Ciphers are algorithms used to encrypt and decrypt data transmitted over these secure connections. If the server does not support any ciphers that the browser can use, the connection cannot be established, resulting in the SSL_ERROR_NO_CIPHER_OVERLAP error.

Common reasons for this error include:

  • Server is configured with outdated TLS versions.
  • Incompatible cipher suites are set on the server.
  • Expired or misconfigured SSL certificates.

To resolve the issue, server administrators need to ensure that their configurations meet current security standards.
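
The overlap check described above, as an added example (not code from the original page): it parses `nmap --script ssl-enum-ciphers` output and reports whether the server shares any protocol and cipher suite with a modern client. The sample output is constructed, and the client offer is an assumption built from the page's reference nginx suite list in the IANA names nmap prints.

```python
import re

# Constructed sample of ssl-enum-ciphers output for a legacy server.
SAMPLE_NMAP = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|_  least strength: C
"""

# Assumed client offer (not an exact Firefox list): the six ECDHE suites from
# the reference nginx block, plus TLS 1.3 suites in nmap's TLS_AKE_WITH_* naming.
CLIENT_OFFER = {
    "TLSv1.2": {f"TLS_ECDHE_{auth}_WITH_{enc}"
                for auth in ("ECDSA", "RSA")
                for enc in ("AES_128_GCM_SHA256", "AES_256_GCM_SHA384",
                            "CHACHA20_POLY1305_SHA256")},
    "TLSv1.3": {"TLS_AKE_WITH_AES_128_GCM_SHA256",
                "TLS_AKE_WITH_AES_256_GCM_SHA384",
                "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256"},
}

def parse_nmap(text):
    """Return {protocol: set(cipher names)} from ssl-enum-ciphers output."""
    offered, version = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").strip()      # drop nmap's tree prefix
        m = re.fullmatch(r"(SSLv3|TLSv1\.[0-3]):", line)
        if m:
            version = m.group(1)
            offered[version] = set()
        elif version and line.startswith("TLS_"):
            offered[version].add(line.split()[0])
    return offered

def diagnose(server, client=CLIENT_OFFER):
    """Return (shared, reason); shared maps protocol -> common suites."""
    shared = {v: sorted(server.get(v, set()) & s) for v, s in client.items()}
    shared = {v: s for v, s in shared.items() if s}
    if shared:
        return shared, "ok"
    if not any(v in server for v in client):
        return shared, "server offers only protocols the client has disabled"
    return shared, "protocol matches but no cipher suite in common"
```

Calling `diagnose(parse_nmap(SAMPLE_NMAP))` on the constructed sample returns an empty overlap with the reason "protocol matches but no cipher suite in common", which points at the `ssl_ciphers` line rather than `ssl_protocols`.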

Practical Steps to Resolve SSL_ERROR_NO_CIPHER_OVERLAP

To effectively address the SSL_ERROR_NO_CIPHER_OVERLAP error, follow these practical steps to ensure your server is configured correctly:

  1. Check TLS Version Support: Ensure your server supports TLS 1.2 and 1.3. You can check the supported protocols using the following command:

     openssl s_client -connect yourdomain.com:443 -tls1_2

     Replace yourdomain.com with your actual domain. If the connection is successful, your server supports TLS 1.2. Repeat the command with -tls1_3 to check for TLS 1.3 support.

  2. Update Cipher Suites: Review and update your server's cipher suite configuration. Ensure you are using strong ciphers that are compatible with modern browsers. The following configuration is an example for an Nginx server:

     ssl_protocols TLSv1.2 TLSv1.3;
     ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';

     Make sure to include ciphers that are widely supported while avoiding weak ones. You can use tools like SSL Labs to test your site’s SSL configuration and identify weak ciphers.

  3. Verify SSL Certificate Installation: Ensure your SSL certificate is installed correctly and has not expired. You can check your certificate's validity with the following command:

     openssl s_client -connect yourdomain.com:443 -showcerts

     This command will display the certificate chain and its validity period. Look for any errors or expiration dates that indicate a problem.

  4. Restart Your Server: After making changes to the TLS version or cipher suite configuration, restart your server to apply the settings. For example, if using Nginx, you can restart it with:

     sudo systemctl restart nginx

     For Apache, use:

     sudo systemctl restart apache2

After making these adjustments, test your website in Firefox to see if the error persists. If you continue to experience issues, consider consulting your hosting provider or reviewing server logs for additional insights.

What Does the SSL Check Cover?

SSL/TLS is the encryption protocol that protects data between the browser and server. Our tool analyzes the certificate, chain of trust, TLS version, and known vulnerabilities.

Certificate Details

Issuer, validity period, signature algorithm, covered domains (SAN), and validation type (DV/OV/EV).

Chain of Trust

Full chain verification: from leaf certificate through intermediates to root CA.

TLS Analysis

Protocol version (TLS 1.2/1.3), cipher suites, Perfect Forward Secrecy (PFS) support.

Expiry Alerts

Set up a monitor — get Telegram and email alerts 30/14/7 days before expiration.

DV vs OV vs EV Certificates

DV (Domain Validation)
  • Confirms domain ownership only
  • Issued in minutes automatically
  • Free via Let's Encrypt
  • Suitable for most websites
  • Most common certificate type
OV / EV
  • Organization (OV) or Extended Validation (EV)
  • Issued in 1-5 business days
  • Costs $50 to $500/year
  • For finance, e-commerce, government sites
  • Increases user trust

Common Mistakes

  • Expired certificate: Browsers block sites with expired SSL. Set up auto-renewal or monitoring.
  • Incomplete certificate chain: Without intermediate CA, some browsers and bots cannot verify the certificate.
  • Mixed content on HTTPS site: HTTP resources on an HTTPS page — the browser lock icon disappears, reducing trust.
  • Using TLS 1.0/1.1: Legacy TLS versions have known vulnerabilities. Use TLS 1.2+ or 1.3.
  • Domain mismatch in certificate: The certificate must cover all site domains, including www and subdomains.

Best Practices

  • Set up auto-renewal: Let's Encrypt + certbot with cron — certificate renews automatically every 60-90 days.
  • Enable HSTS: Strict-Transport-Security header forces browsers to always use HTTPS.
  • Use TLS 1.3: TLS 1.3 is faster (1-RTT handshake) and safer — legacy ciphers removed.
  • Monitor expiration dates: Create a monitor on Enterno.io — get notified well before expiration.
  • Verify chain after renewal: After certificate renewal, confirm that intermediate certificates are installed.

Frequently Asked Questions

Can I re-enable old ciphers in Firefox?

about:config → security.tls.version.enable-deprecated = true (brings back TLS 1.0/1.1). NOT recommended — fix the server instead.

Why prefer_server_ciphers off?

For TLS 1.3 the flag is meaningless — the client picks. For TLS 1.2 modern clients pick CHACHA20 on ARM (mobile), AES-GCM on x86. They know best.

What about an old Java / Python client?

If possible — upgrade the runtime (Java 8u261+, Python 3.10+ support TLS 1.2 natively). Otherwise — add a compat cipher temporarily + plan migration.