After our web host, Bluehost, updated our server last night, our website would not load anymore when called over https on most browsers, including Chrome, Firefox and Safari.
The error message we were getting was:
"This site can't provide a secure connection. www.domain.com uses an unsupported protocol. ERR_SSL_VERSION_OR_CIPHER_MISMATCH"
1) Only in https
This only happens when loading our website over https. The website was loading fine over plain http.
2) Due to RC4
This seems to be an issue with the fact that RC4_128_SHA is enabled as an SSL cipher suite on our Apache server.
You can easily verify whether RC4 is enabled on your server / website using this site:
https://www.ssllabs.com/ssltest/analyze.html
4) RC4 Considered Compromised by Most Browsers
RC4 is now considered compromised by Chrome, Firefox and Safari.
5) How to Resolve the Issue: Disable RC4
We first tried disabling RC4 by editing the cipher suites for our Apache server through WHM. This did not work for us, even after restarting Apache.
We ended up having to edit the httpd.conf file for Apache (for our virtual host) directly, located under /usr/local/apache/conf, with this line:
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH
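The SSL Labs check above tells you what the live server negotiates, but it helps to understand what a SSLCipherSuite string enables before deploying it. The following is an added example, not code from the original post or from Bluehost: a toy evaluator for OpenSSL-style cipher strings (plain keyword = add, "+" = move to the end, "-" = remove, "!" = remove permanently, "A+B" = must match both) run over a small constructed table of suites. Evaluated this way, the line above still keeps RC4-SHA and RC4-MD5 in the enabled list, because "RC4+RSA" adds RC4 suites rather than removing them; appending ":!RC4" is what excludes them. The browser stand-in, the suite table and the "RC4-only" string are constructed for the example; the real check on a server is "openssl ciphers -v '<string>'".

```python
"""Toy evaluator for OpenSSL-style cipher strings such as Apache's SSLCipherSuite.

Added example (not from the original post). It models the documented operator
semantics of OpenSSL cipher lists over a small constructed suite table so it
runs offline. Real OpenSSL has many more suites and keywords.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    tags: frozenset


def _suite(name, *tags):
    # Every suite also matches its own name and the catch-all keyword ALL.
    return Suite(name, frozenset(tags) | {name, "ALL"})


# Constructed sample table: real suite names, tagged with the OpenSSL
# keywords they match (strength class, key exchange, authentication, cipher).
SUITES = [
    _suite("ECDHE-RSA-AES128-GCM-SHA256", "HIGH", "kEECDH", "aRSA", "RSA", "AES"),
    _suite("DHE-RSA-AES256-SHA", "HIGH", "kEDH", "aRSA", "RSA", "AES"),
    _suite("AES128-SHA", "HIGH", "kRSA", "aRSA", "RSA", "AES"),
    _suite("RC4-SHA", "MEDIUM", "kRSA", "aRSA", "RSA", "RC4"),
    _suite("RC4-MD5", "MEDIUM", "kRSA", "aRSA", "RSA", "RC4"),
    _suite("DES-CBC-SHA", "LOW", "kRSA", "aRSA", "RSA", "DES"),
    _suite("EXP-RC4-MD5", "EXP", "kRSA", "aRSA", "RSA", "RC4"),
    _suite("ADH-AES128-SHA", "HIGH", "kEDH", "aNULL", "ADH", "AES"),
]
# Keywords OpenSSL accepts that simply match nothing in this toy table.
KNOWN_KEYWORDS = set().union(*(s.tags for s in SUITES)) | {"SSLv2"}


def enabled_suites(cipher_string):
    """Return the suite names a cipher string enables, in server preference order."""
    active = []       # ordered list of currently enabled suites
    killed = set()    # suites removed with '!' can never be re-added
    for token in cipher_string.replace(",", ":").replace(" ", ":").split(":"):
        if not token:
            continue
        op, body = (token[0], token[1:]) if token[0] in "+-!" else ("", token)
        keywords = body.split("+")          # 'A+B' means the suite must match both
        unknown = [k for k in keywords if k not in KNOWN_KEYWORDS]
        if unknown:
            raise ValueError(f"unknown cipher keyword(s): {unknown}")
        matched = [s for s in SUITES if all(k in s.tags for k in keywords)]
        if op == "!":                       # delete and forbid re-adding
            killed.update(matched)
            active = [s for s in active if s not in matched]
        elif op == "-":                     # delete, may be re-added later
            active = [s for s in active if s not in matched]
        elif op == "+":                     # move already-enabled matches to the end
            moved = [s for s in active if s in matched]
            active = [s for s in active if s not in matched] + moved
        else:                               # add matches not already present
            active += [s for s in matched if s not in active and s not in killed]
    return [s.name for s in active]


def allows_rc4(cipher_string):
    """True if any enabled suite uses RC4, i.e. the condition the post is fixing."""
    names = set(enabled_suites(cipher_string))
    return any(s.name in names and "RC4" in s.tags for s in SUITES)


def negotiate(cipher_string, client_offers):
    """Server-preference pick: first enabled suite the client also offers, else None.

    None is the situation behind the browser's cipher-mismatch error.
    """
    for name in enabled_suites(cipher_string):
        if name in client_offers:
            return name
    return None


# The line from the post, and a variant that actually removes RC4.
POST_LINE = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH"
HARDENED_LINE = POST_LINE + ":!RC4"
# Constructed stand-in for a browser that has dropped RC4 from its ClientHello.
MODERN_BROWSER = {"ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-SHA", "AES128-SHA"}

if __name__ == "__main__":
    for label, line in (("post", POST_LINE), ("hardened", HARDENED_LINE),
                        ("rc4-only", "RC4-SHA:RC4-MD5")):
        print(f"{label}: {enabled_suites(line)} RC4={allows_rc4(line)} "
              f"negotiated={negotiate(line, MODERN_BROWSER)}")
```

Running it shows the post's line negotiating fine with the modern-browser stand-in (an AES suite is available), the RC4-only string producing no shared suite, and the hardened line with ":!RC4" enabling no RC4 suite at all. The "!kEDH" in the post's line also drops the DHE suites, which is worth knowing since they provide forward secrecy.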
6) Ongoing: Edit httpd.conf after each Bluehost Maintenance
Whenever Bluehost does maintenance work on our VPS server, they change the SSL cipher suite for our VPS back to the default ones (probably because they default to whatever is showing in WHM, which is not in sync with our httpd.conf file). We've contacted Bluehost's support team twice to let them know about this issue with their VPS configuration, but they seem to be ignoring our reports.