[Solved] SSL Cipher mismatch can't get to port 10000

#1 Wed, 12/20/2017 - 10:15
paulzag

I changed SSL CipherSuite at 1:30am and am now locked out of Webmin/Virtualmin port 10000 with an ERR_SSL_VERSION_OR_CIPHER_MISMATCH (in Chrome - similar errors in Firefox and Safari).

I reverted the changes to /etc/apache2/apache2.conf and /etc/apache2/mods-enabled/ssl.conf so my sites are back up, but I can't get to port 10,000. I remember reading that there is a separate web server for Webmin but can't find details.

I can SSH into the server but GUI is out.

Wed, 12/20/2017 - 12:58
scotwnw

Have you tried ssh in and restarting webmin? On Ubuntu it's 'sudo service webmin restart'. And check if port 10000 is listening with 'netstat -lN'. That's small L big N. Should see something like

'tcp 0 0 0.0.0.0:webmin 0.0.0.0:* LISTEN'

OR... Create an SSH tunnel and try connecting to webmin via localhost? Maybe can get in that way if it's a firewall issue.

ssh -D:port username@server.com

Example:

ssh -D:2000 admin@server.com

Then set your browser to use socks5 proxy on 127.0.0.1:2000. But be sure 127.0.0.1 is not in the 'No Proxy for' list as is by default for Firefox.

All browser traffic should now go through the ssh tunnel and give access to webmin as if you were on the local machine. Browse to https://127.0.0.1:10000.

Wed, 12/20/2017 - 18:05
paulzag

I restarted webmin (I'm on Ubuntu 16.04)

# netstat -lN | grep webmin
tcp        0      0 0.0.0.0:webmin          0.0.0.0:*               LISTEN    

I can't see how it's a firewall issue as the error is not access, but SSL Version or Cipher Mismatch and that was what I was adjusting when I broke it. I can get to port 20000. If I go to port 10000 on any of the domains hosted by that server I get the SSL Mismatch.

Just in case, I've opened up port 10000:

$ iptables -A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT

This site can’t provide a secure connection
srv1.domain.com uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Unsupported protocol
The client and server don't support a common SSL protocol version or cipher suite.

Looking at Apache configs I can see ports 80 and 443 configured. What and where is the configuration for port 10000? That's the broken cipher/version setup that I changed in Webmin > Webmin Configuration > SSL Encryption > Allowed SSL ciphers > Listed Ciphers

Wed, 12/20/2017 - 19:07
paulzag

Fixed it! Webmin runs its own Perl web server.

# nano /etc/webmin/miniserv.conf

Then I edited the line to be

ssl_cipher_list=ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:MEDIUM:+TLSv1:+TLSv1.1:+TLSv1.2:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM

Finally

service webmin restart

How did I find it?

netstat -nap

gave me perl listening on port 10000. Then

ps -ef | grep perl
/usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf

gave me the configuration file.
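An added example, not part of the thread and not Webmin's own code: a small linter for the ssl_cipher_list line of miniserv.conf that can be run over SSH before restarting Webmin. The sample config is constructed around the value posted above; the keyword sets and finding names are this example's own choices.

```python
import re

# Constructed sample of /etc/webmin/miniserv.conf; the ssl_cipher_list value is the one posted above.
SAMPLE_CONF = """\
port=10000
ssl=1
ssl_cipher_list=ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:MEDIUM:+TLSv1:+TLSv1.1:+TLSv1.2:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM
"""

# Weak or legacy keywords that should not be enabled (RC4 is prohibited in TLS by RFC 7465).
WEAK = {"RC4", "MEDIUM", "LOW", "EXP", "EXPORT", "DES", "3DES", "MD5",
        "NULL", "eNULL", "aNULL", "ADH", "AECDH"}
AEAD = {"AESGCM", "CHACHA20"}  # AEAD families; removing them narrows client overlap


def read_cipher_list(conf_text):
    """Return the ssl_cipher_list value from miniserv.conf text, or None."""
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "ssl_cipher_list":
            return value.strip()
    return None


def lint_cipher_list(cipher_list):
    """Return (token, finding) pairs for an OpenSSL cipher string."""
    findings, seen = [], set()
    # OpenSSL accepts ':', ',' and space as separators.
    for token in filter(None, re.split(r"[:, ]+", cipher_list)):
        op = token[0] if token[0] in "!-+" else ""
        name = token[len(op):]
        if token in seen:
            findings.append((token, "duplicate"))
        seen.add(token)
        if op == "+":
            # A leading '+' only moves already-selected ciphers to the end of the list.
            findings.append((token, "reorder-only"))
        elif op in ("!", "-") and name in AEAD:
            findings.append((token, "aead-removed"))
        elif op == "" and WEAK & set(name.split("+")):
            findings.append((token, "weak-enabled"))
    return findings


if __name__ == "__main__":
    for token, finding in lint_cipher_list(read_cipher_list(SAMPLE_CONF)):
        print(f"{finding:13} {token}")
```

On a real host, pass the contents of /etc/webmin/miniserv.conf to read_cipher_list instead of SAMPLE_CONF.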
