SSL_ERROR_NO_CYPHER_OVERLAP after updating ciphers for Enforce Server browser


Article ID: 278303


Products

Data Loss Prevention Enterprise Suite

Issue/Introduction

You are trying to change the ciphers used by the Enforce Server browser certificate, have replaced the default list of ciphers with newer ones, and have restarted services (as per the suggestions in Receiving cipher errors when logging in to the Enforce console (broadcom.com)).

However, after the services have restarted, your browser returns the following error, which differs from the one in the KB above:

Secure Connection Failed

An error occurred during a connection to localhost. Cannot communicate securely with peer: no common encryption algorithm(s).

Error code: SSL_ERROR_NO_CYPHER_OVERLAP

Environment

Supported versions of DLP

Firefox browser

Cause

The error originates from your web browser: the ciphers configured in your DLP Tomcat implementation do not match any of the ciphers offered by your browser. Because no cipher is common to both sides, the TLS handshake fails, the page is not allowed to load, and the browser presents the error.

Resolution

The ciphers listed in the server.xml file for Tomcat must be among those presented by the browser used to access the Enforce Server.

Verification of ciphers in your browser is outside the scope of Broadcom support, but instructions to access those available in Firefox are available in the "Additional Information" section below.

Of note:

  1. Firefox uses the OpenSSL convention to name its ciphers, which differs from the IANA format used by DLP in most of our configuration files. The mapping between the two is given here: Security/Cipher Suites - MozillaWiki.
  2. As an example, one of the default ciphers in current versions of DLP is "TLS_RSA_WITH_AES_256_CBC_SHA". In the Firefox configuration, that appears as "security.ssl3.rsa_aes_256_sha". Note that the Firefox name does not include the "TLS" and "CBC" parts of the IANA name.
  3. Also, the "ssl3" in the Firefox setting name stands for all versions of TLS up to TLSv1.2. For TLSv1.3 ciphers, the setting is "tls13", but DLP is not compatible with those ciphers yet.
  4. After setting the cipher(s) in your DLP Tomcat configuration to the desired one(s) present in your browser, be sure to restart the SymantecDLPManager service on the Enforce Server.
  5. Logging into the UI afterward should no longer present the error.
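The following added example (not part of this KB or of the DLP product) applies the naming rule from notes 1-3 to check a Tomcat ciphers list against a browser's enabled ciphers before you restart services. It assumes a constructed server.xml fragment and a constructed about:config export; the 3DES name is the one Firefox exception to the simple rule that I know of and is listed explicitly.

```python
from xml.etree import ElementTree as ET

# Constructed sample: a trimmed Tomcat <Connector> in the shape of the Enforce server.xml one
SERVER_XML = """<Server><Service><Connector port="8443" SSLEnabled="true"
  ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_AES_128_GCM_SHA256"/>
</Service></Server>"""

# Constructed sample: Firefox about:config cipher prefs (True = enabled in the browser)
FIREFOX_PREFS = {
    "security.ssl3.ecdhe_rsa_aes_128_gcm_sha256": True,
    "security.ssl3.rsa_aes_256_sha": False,
    "security.tls13.aes_128_gcm_sha256": True,
}

# Firefox pref names that do not follow the drop-the-words rule (assumed exception list)
NAME_EXCEPTIONS = {"TLS_RSA_WITH_3DES_EDE_CBC_SHA": "security.ssl3.rsa_des_ede3_sha"}

def iana_to_firefox_pref(name):
    """Map an IANA suite name to the Firefox about:config pref that enables it.
    Rule from the KB: drop TLS / WITH / CBC, lowercase the rest, prefix with
    security.ssl3. (TLS <= 1.2). TLS 1.3 suites have no key-exchange part and no
    WITH token; those live under security.tls13."""
    if name in NAME_EXCEPTIONS:
        return NAME_EXCEPTIONS[name]
    tokens = name.split("_")
    family = "ssl3" if "WITH" in tokens else "tls13"
    kept = [t for t in tokens if t not in ("TLS", "WITH", "CBC")]
    return "security.%s.%s" % (family, "_".join(kept).lower())

def tomcat_ciphers(xml_text):
    """Collect the ciphers attribute of every SSL-enabled Connector."""
    out = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled") == "true":
            out += [c.strip() for c in conn.get("ciphers", "").split(",") if c.strip()]
    return out

def check_overlap(xml_text, prefs):
    """Return (usable, blocked): usable suites are enabled in the browser under
    TLS <= 1.2; blocked carries (suite, pref) pairs for the ones that cannot be used.
    A tls13 pref never counts, since the KB states DLP does not negotiate TLS 1.3 suites."""
    usable, blocked = [], []
    for cipher in tomcat_ciphers(xml_text):
        pref = iana_to_firefox_pref(cipher)
        if prefs.get(pref, False) and pref.startswith("security.ssl3."):
            usable.append(cipher)
        else:
            blocked.append((cipher, pref))
    return usable, blocked

if __name__ == "__main__":
    usable, blocked = check_overlap(SERVER_XML, FIREFOX_PREFS)
    print("usable:", usable)
    print("blocked:", blocked)
    if not usable:
        print("no common cipher: expect SSL_ERROR_NO_CYPHER_OVERLAP")
```

An empty usable list means the browser will report SSL_ERROR_NO_CYPHER_OVERLAP; enable one of the blocked ssl3 prefs in the browser or add its IANA name to the Tomcat list, then restart SymantecDLPManager.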


Additional Information

To access the list of ciphers in Firefox, see instructions on this page: Configuration Editor for Firefox | Firefox Help (mozilla.org)