Under advanced settings of firefox you should be able to set the encryption. By default SSL3.0 and TLS1.0 should be checked, so if firefox is trying to create ssl 3.0 connectons try unchecking the ssl 3.0s setting.

在 Firefox 的高级设置下，您应该能够设置加密。默认情况下，应选中 SSL3.0 和 TLS1.0，因此如果 firefox 尝试创建 ssl 3.0 连接，请尝试取消选中 ssl 3.0s 设置。

if that doesn't work, try searching the about:config page for "ssl2" My Firefox has settings with ssl2 set to false by default...

如果这不起作用，请尝试在 about:config 页面中搜索“ssl2”我的 Firefox 设置默认 ssl2 设置为 false...

Given what you've tried and the error messages, I'd say this was more to do with the exact cipher algorithm used rather than the TLS/SSL version. Are you using a non-Sun JRE by any chance, or a different vendor's security implementation? Try a different JRE/OS to test your server if you can. Failing that you might just be able to see what's going on with Wireshark(with a filter of 'tcp.port == 443').

鉴于您的尝试和错误消息，我认为这更多地与所使用的确切密码算法有关，而不是与 TLS/SSL 版本有关。您是否正在使用非 Sun JRE 或其他供应商的安全实现？如果可以，请尝试使用不同的 JRE/OS 来测试您的服务器。如果失败，您可能只能看到Wireshark发生了什么（带有“tcp.port == 443”的过滤器）。

The first thing I would check is the config for mod_nss. It is the odd one out, for it is yours and there is none in the world like it :-) Whereas if there was some huge bug in Firefox or mod_nss itself, I guess you'd have found out about it by now in your google quest. The fact that you've fiddled with the config (e.g. disabling SSL3, and various other random tweaks), is also suspicious.

我要检查的第一件事是 mod_nss 的配置。这是一个奇怪的问题，因为它是你的，世界上没有像它这样的 :-) 而如果 Firefox 或 mod_nss 本身存在一些巨大的错误，我想你现在已经在你的谷歌搜索。您对配置进行了摆弄（例如禁用 SSL3 和其他各种随机调整）的事实也令人怀疑。

I'd back track to a very vanilla mod_nss config and see if that works. Then change things systematically towards your current config until you can reproduce the problem. By the sound of it the source of the error is somewhere in the cipher spec config of mod_nss and the related protocol negotiation stuff. So maybe you inadvertently changed something there when trying to turn off SSLv3 (incidentally, why disable SSL3? Normally people disable V2?).

我会回到一个非常普通的 mod_nss 配置，看看它是否有效。然后根据您当前的配置系统地更改内容，直到您可以重现该问题。从它的声音来看，错误的根源在 mod_nss 的密码规范配置和相关的协议协商内容中的某个地方。因此，也许您在尝试关闭 SSLv3 时无意中更改了某些内容（顺便说一句，为什么要禁用 SSL3？通常人们禁用 V2？）。

One other thing to check is that you're on the latest mod_nss and it's not a known bug in that. The fact that it manages to start the session and then fails later is interesting - it suggests that maybe it is trying to renegotiate the session and failing to negotiate ciphers at that point. So it might be the symmetric ciphers. Or it could simply be an implementation bug in your version of mod_nss that somehow garbles the protocol.

要检查的另一件事是您使用的是最新的 mod_nss 并且它不是已知的错误。它设法启动会话然后稍后失败的事实很有趣 - 这表明它可能正在尝试重新协商会话并且在那时未能协商密码。所以它可能是对称密码。或者它可能只是您的 mod_nss 版本中的一个实现错误，以某种方式使协议混乱。

One other idea, and this is a wild guess, is the browser is trying to resume a session which was negotiated with SSLv3 before you disabled it, and something breaks when trying to resume that session when V3 is turned off, or maybe mod_nss just doesn't implement it right.

另一个想法，这是一个疯狂的猜测，是浏览器正在尝试恢复在您禁用 SSLv3 之前与 SSLv3 协商的会话，并且当 V3 关闭时尝试恢复该会话时会出现问题，或者 mod_nss 只是没有不正确地实施它。

The java/tomcat stuff seems like a red herring as unless I've misunderstood your description, none of that is involved in the SSL handshake/protocol.

java/tomcat 的东西似乎是一个红鲱鱼，除非我误解了您的描述，否则 SSL 握手/协议中没有涉及这些内容。

If you review the process of SSL negotiation at Wikipedia, you will know that at the beginning ClientHello and ServerHello messages are sent between the browser and the server.

如果你在维基百科查看 SSL 协商的过程，你就会知道一开始 ClientHello 和 ServerHello 消息是在浏览器和服务器之间发送的。

Only if the cyphers provided in ClientHello have overlapping items on the server, ServerHello message will contain a cypher that both sides support. Otherwise, SSL connection will not be initiated as there is no common cypher.

只有ClientHello中提供的cyphers在服务器上有重叠项，ServerHello消息中才会包含一个双方都支持的cypher。否则，由于没有通用密码，将不会启动 SSL 连接。

To resolve the problem, you need to install cyphers (usually at OS level), instead of trying hard on the browser (usually the browser relies on the OS). I am familiar with Windows and IE, but I know little about Linux and Firefox, so I can only point out what's wrong but cannot deliver you a solution.

要解决这个问题，你需要安装cyphers（通常在OS级别），而不是在浏览器上努力（通常浏览器依赖于OS）。我熟悉Windows和IE，但我对Linux和Firefox知之甚少，所以我只能指出问题所在而不能提供解决方案。

I've had the same problem; to solve was enough to enable all the SSL schemas in "about:config". I was finding them by filtering with ssl. First I anabled all options for afret disabling the unnecessary ones.

我遇到了同样的问题；to solve 足以启用“about:config”中的所有 SSL 模式。我是通过用 ssl 过滤来找到它们的。首先，我启用了所有选项以禁用不必要的选项。

If you get the no cipher overlap error on firefox, and you have left it at default settings, you are using what must be a very insecure site trying to use a very weak "export grade" cipher. Use of these ciphers is discouraged these days and I personally would stop using a site trying to use such a weak cipher.

如果您在 firefox 上遇到无密码重叠错误，并且您将其保留为默认设置，那么您正在使用一个非常不安全的站点，试图使用非常弱的“出口级”密码。这些天不鼓励使用这些密码，我个人会停止使用尝试使用这种弱密码的网站。

"Error code: ssl_error_no_cypher_overlap" error message after login, when Welcome screen expected--using Firefox browser

登录后出现“错误代码：ssl_error_no_cypher_overlap”错误消息，当欢迎屏幕出现时——使用 Firefox 浏览器

Solution

解决方案

Enable support for 40-bit RSA encryption in the Firefox Browser: 1: enter 'about:config' in Browser Address bar 2: find/select "security.ssl3.rsa_rc4_40_md5" 3: set boolean to TRUE

在 Firefox 浏览器中启用对 40 位 RSA 加密的支持： 1：在浏览器地址栏中输入“about:config” 2：查找/选择“security.ssl3.rsa_rc4_40_md5” 3：将布尔值设置为 TRUE

"Error code: ssl_error_no_cypher_overlap" error message after login, when Welcome screen expected--using Firefox browser Solution 1: enter 'about:config' in Browser Address bar 2: find/select "security.ssl3.rsa_rc4_40_md5" 3: set boolean to TRUE

登录后出现“错误代码：ssl_error_no_cypher_overlap”错误消息，当欢迎屏幕出现时——使用火狐浏览器解决方案1：在浏览器地址栏中输入'about:config' 2：查找/选择“security.ssl3.rsa_rc4_40_md5” 3：设置布尔值真的

I had the same issue while renewing the certificate for our server at www.tpsynergy.com . After importing the new server certificate and restarting the tomcat, the error we were getting was ERR_SSL_VERSION_OR_CIPHER_MISMATCH. After lot of research, I used this link https://www.sslshopper.com/certificate-key-matcher.htmlto compare the csr (certificate signing request to the actual certificate). They both did not match. So I created a new csr and obtained a new certificate and installed the same. It worked.

我在 www.tpsynergy.com 上为我们的服务器更新证书时遇到了同样的问题。导入新的服务器证书并重新启动 tomcat 后，我​​们得到的错误是 ERR_SSL_VERSION_OR_CIPHER_MISMATCH。经过大量研究，我使用此链接https://www.sslshopper.com/certificate-key-matcher.html来比较 csr（证书签名请求与实际证书）。他们俩都不匹配。所以我创建了一个新的 csr 并获得了一个新证书并安装了相同的证书。有效。

So the full steps for the process are

所以这个过程的完整步骤是

1. From the same server where the certificate will be installed, create CSR

1. 从将安装证书的同一台服务器上，创建 CSR

keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tpsynergy.keystore (change the domain name as needed)

keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tpsynergy.keystore（根据需要更改域名）

While creating this, it will ask for first name and last name. Do not give your name, but use the domain name. For example I gave it as www.tpsynergy.com

在创建它时，它会询问名字和姓氏。不要提供您的姓名，而是使用域名。例如我给它作为 www.tpsynergy.com

2.keytool -certreq -keyalg RSA -alias tomcat -file csr.csr -keystore tpsynergy.keystore

2.keytool -certreq -keyalg RSA -alias tomcat -file csr.csr -keystore tpsynergy.keystore

This will create a csr.csr file in the same folder. copy the contents of this to the godaddy site and create the new certificate.

这将在同一文件夹中创建一个 csr.csr 文件。将其内容复制到 Godaddy 站点并创建新证书。

1. The downloaded certificate zip file will have three files gd_bundle-g2-g1.crt gdig2.crt youractualcert.crt

2. You will need to download the root cert gdroot-g2.crt from godaddy repository.

3. Copy all these files to the same directory from where you created the CSR file and where the keystore file is located.

4. Now run the below commands one by one to import the certs into the keystore

   keytool -import -trustcacerts -alias root -file gd_bundle-g2-g1.crt -keystore tpsynergy.keystore

   keytool -import -trustcacerts -alias root2 -file gdroot-g2.crt -keystore tpsynergy.keystore

   keytool -import -trustcacerts -alias intermediate -file gdig2.crt -keystore tpsynergy.keystore

   keytool -import -trustcacerts -alias tomcat -file yourdomainfile.crt -keystore tpsynergy.keystore

5. Ensure that server.xml file in conf folder has this entry

6. Restart the tomcat

3. 下载的证书 zip 文件将包含三个文件 gd_bundle-g2-g1.crt gdig2.crt youractualcert.crt

4. 您需要从 godaddy 存储库下载根证书 gdroot-g2.crt。

5. 将所有这些文件复制到您创建 CSR 文件和密钥库文件所在的同一目录中。

6. 现在一一运行以下命令将证书导入密钥库

   keytool -import -trustcacerts -alias root -file gd_bundle-g2-g1.crt -keystore tpsynergy.keystore

   keytool -import -trustcacerts -alias root2 -file gdroot-g2.crt -keystore tpsynergy.keystore

   keytool -import -trustcacerts -alias middle -file gdig2.crt -keystore tpsynergy.keystore

   keytool -import -trustcacerts -alias tomcat -file yourdomainfile.crt -keystore tpsynergy.keystore

7. 确保 conf 文件夹中的 server.xml 文件有这个条目

8. 重启tomcat

What worked for me is I:

对我有用的是我：

1. Went to about:config.
2. Typed "security" in the search box.
3. Set all of the returned entries to their defaults.
4. Typed "ssl" in the search box.
5. Set all of the returned results to their defaults.
6. Enabled ssl2.
7. Disabled ssl3.
8. Restarted Firefox.

1. 去 about:config。
2. 在搜索框中输入“安全”。
3. 将所有返回的条目设置为其默认值。
4. 在搜索框中输入“ssl”。
5. 将所有返回的结果设置为其默认值。
6. 启用 ssl2。
7. 禁用 ssl3。
8. 重新启动了 Firefox。

Note about restarting Firefox: When I do start it very soon after closing it, it often has a file access problem, which requires me to delete places.sqliteand places.sqlite-journalin C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\n18091xv.default. This causes me to lose my history, plus bookmarks have to be restored from a backup each time this happens. I wait from five to ten minutes or more to avoid this hassle.

注意有关重新启动Firefox的：当我关闭它后很快启动它，它往往有一个文件访问的问题，这就要求我删除places.sqlite和places.sqlite期刊在C：\ WINDOWS \应用数据\ Mozilla的\火狐\Profiles\n18091xv.default。这会导致我丢失我的历史记录，而且每次发生这种情况时都必须从备份中恢复书签。我等待五到十分钟或更长时间以避免这种麻烦。

Running Firefox v3.5.1 on WinMe

在 WinMe 上运行 Firefox v3.5.1