minfrin
Frequent Visitor
Topic Author
Posts: 66
Joined: Sat May 09, 2009 2:20 am

Cannot communicate securely with peer: no common encryption

Sun Apr 11, 2010 10:07 pm

Hi all,

I have a 433 routerboard / routeros v3.30 that a while ago had been successfully configured as a wireless hotspot, complete with an SSL certificate. This worked fine.

Having just tried to connect to the hotspot after some time not using the hotspot, I suddenly receive the following error:

Secure Connection Failed

An error occurred during a connection to secure.zzz.com.

Cannot communicate securely with peer: no common encryption algorithm(s).

(Error code: ssl_error_no_cypher_overlap)

The cert on the routerboard is still present and still valid:

Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa
0 KR name="cert1" subject=O=secure.zzz.com,OU=Go to https:,,www.thawte.com,
repository,index.html,OU=Thawte SSL123 certificate,
OU=Domain Validated,CN=secure.zzz.com
issuer=C=ZA,ST=Western Cape,L=Cape Town,O=Thawte Consulting cc,
OU=Certification Services Division,CN=Thawte Server CA,
emailAddress=server-certs@thawte.com
serial-number="[snip]"
invalid-before=jun/19/2009 00:00:00 invalid-after=jun/20/2010 23:59:59
ca=yes

I have uncovered a few threads complaining of this problem, but could find no clear indication as to the cause of the problem, or the solution.

I have tried to delete and re-import the certificate, and this has made no difference.

Is there a way to get a list of ciphers supported by the routerboard?

Bizarrely, connecting using openssl complains of a completely different error:

graham-leggetts-macbook-pro-3:thawte minfrin$ openssl s_client -connect secure.zzz.com:443
CONNECTED(00000003)
20502:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:596:

Does this look familiar to anybody?

Regards,
Graham
--
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Cannot communicate securely with peer: no common encrypt

Sun Apr 11, 2010 10:13 pm

I haven't seen that error, but I have dealt with secure sites before. Is "/system clock" set correctly? That encryption has a date/time limit.
 
minfrin
Frequent Visitor
Topic Author
Posts: 66
Joined: Sat May 09, 2009 2:20 am

Re: Cannot communicate securely with peer: no common encrypt

Sun Apr 11, 2010 10:47 pm

The clock was wrong (ntp problems, which I'm battling with separately), but the clock wasn't related in this particular case.

I managed to restore the hotspot by deleting the certificate from the routerboard, reimporting it, then setting the "ssl-certificate" parameter within the hotspot-profile back to "cert1" from "(unknown)". Without this last step, SSL wouldn't work.
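
Added example, not part of the thread and not RouterOS code: the fix above (pointing "ssl-certificate" back at an installed certificate) fits general TLS behaviour, where a server with no certificate loaded cannot select any certificate-authenticated cipher suite, so the client is told about a handshake or cipher failure rather than a certificate problem. The sketch reproduces that in memory with Python's ssl module (OpenSSL); the function name is hypothetical, and that the hotspot behaved the same way internally is an assumption.

```python
import ssl


def handshake_without_server_cert(max_version=ssl.TLSVersion.TLSv1_2):
    """Handshake in memory against a TLS server that has no certificate
    loaded. Returns (server_error, client_error) as reason strings."""
    # Assumption: a server context with no load_cert_chain() call stands in
    # for a service whose certificate setting points at nothing.
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.maximum_version = max_version

    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client_ctx.check_hostname = False       # verification is switched off so
    client_ctx.verify_mode = ssl.CERT_NONE  # it cannot be the cause of failure
    client_ctx.maximum_version = max_version

    # Memory BIOs replace the network: c2s carries client-to-server bytes.
    c2s, s2c = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = client_ctx.wrap_bio(s2c, c2s, server_side=False)
    server = server_ctx.wrap_bio(c2s, s2c, server_side=True)

    errors = {"client": None, "server": None}
    for _ in range(10):  # bounded number of handshake flights
        for name, side in (("client", client), ("server", server)):
            if errors[name] is not None:
                continue
            try:
                side.do_handshake()
            except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
                pass  # waiting for bytes from the other side
            except ssl.SSLError as exc:
                errors[name] = exc.reason or str(exc)
        if None not in errors.values():
            break
    return errors["server"], errors["client"]


if __name__ == "__main__":
    server_err, client_err = handshake_without_server_cert()
    print("server side:", server_err)   # why the server gave up
    print("client side:", client_err)   # what the browser or openssl reports
```

The client-side reason is the same handshake-failure alert that the `openssl s_client` output in the first post shows.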
