I use one of my websites as a test bed for various TLS techniques. Recently I added OCSP Must-Staple to this domain. After a week I got a complaint from a user that they were unable to visit the website. They got the error in Opera, Edge and Chrome. The Chrome error was the clearest: ERR_SSL_VERSION_OR_CIPHER_MISMATCH.
After some testing I found out that their BitDefender doing SSL interception was the culprit. Now, I don't want a discussion about whether companies should be doing such a thing. I presume ERR_SSL_VERSION_OR_CIPHER_MISMATCH is just BitDefender saying: "I am unable to do anything with this, let's just block the user from visiting by negotiating no valid SSL version / ciphers with the browser". But I don't understand how the Must-Staple in the certificate caused this.
Maybe it wasn't actually the Must-Staple, or maybe it was in combination with some other header. I have HPKP headers, which would be the next possible candidate, but I have had those for almost a year now. I am not that well versed in VMs and Wireshark to do much investigating. Could someone help determine the actual cause to satisfy my curiosity?
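For anyone investigating a case like this, the first thing to establish is what the certificate the browser actually received says: Must-Staple is the RFC 7633 TLS Feature extension (OID 1.3.6.1.5.5.7.1.24) listing TLS extension number 5, status_request, and a client honouring it must fail the connection when no OCSP response is stapled. An intercepting proxy re-signs the server certificate with its own CA, so the question is whether the re-signed certificate carries the extension and whether the proxy staples. The following is an added example, not code from the original post or from any vendor mentioned above: a standard-library-only DER decoder for the X.509 extensions block that reports whether Must-Staple is set. The sample bytes are constructed inline (a critical basicConstraints extension followed by a TLS Feature extension); a real extensions SEQUENCE can be extracted from any DER certificate and fed to the same functions.

```python
"""Decode the RFC 7633 TLS Feature ("OCSP Must-Staple") extension from DER.

Added illustration, standard library only. SAMPLE_EXTENSIONS is a constructed
X.509 Extensions SEQUENCE, not a real certificate.
"""
from typing import Dict, List, Tuple

TLS_FEATURE_OID = "1.3.6.1.5.5.7.1.24"  # id-pe-tlsfeature (RFC 7633)
STATUS_REQUEST = 5                      # TLS extension number for status_request

# Constructed sample: SEQUENCE {
#   SEQUENCE { OID 2.5.29.19 (basicConstraints), BOOLEAN TRUE, OCTET STRING {SEQUENCE {}} },
#   SEQUENCE { OID 1.3.6.1.5.5.7.1.24 (TLS Feature), OCTET STRING {SEQUENCE {INTEGER 5}} } }
SAMPLE_EXTENSIONS = bytes.fromhex(
    "3021"
    "300c" "0603551d13" "0101ff" "04023000"
    "3011" "06082b06010505070118" "04053003020105"
)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    """Turn the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_extensions(der: bytes) -> Dict[str, Tuple[bool, bytes]]:
    """Map extension OID -> (critical, extnValue octets) for an Extensions SEQUENCE."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    result: Dict[str, Tuple[bool, bytes]] = {}
    pos = 0
    while pos < len(body):
        tag, ext, pos = _read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("Extension must be a SEQUENCE")
        t, oid_body, p = _read_tlv(ext, 0)
        if t != 0x06:
            raise ValueError("extnID must be an OBJECT IDENTIFIER")
        critical = False
        t, val, p = _read_tlv(ext, p)
        if t == 0x01:  # optional BOOLEAN critical (DEFAULT FALSE, so absent when false)
            critical = val != b"\x00"
            t, val, p = _read_tlv(ext, p)
        if t != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        result[_decode_oid(oid_body)] = (critical, val)
    return result


def tls_features(extensions: Dict[str, Tuple[bool, bytes]]) -> List[int]:
    """Return the TLS extension numbers listed in the TLS Feature extension (empty if absent)."""
    if TLS_FEATURE_OID not in extensions:
        return []
    _, value = extensions[TLS_FEATURE_OID]
    tag, seq, _ = _read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("TLS Feature value must be a SEQUENCE OF INTEGER")
    features: List[int] = []
    pos = 0
    while pos < len(seq):
        _, intval, pos = _read_tlv(seq, pos)
        features.append(int.from_bytes(intval, "big"))
    return features


def requires_stapling(extensions: Dict[str, Tuple[bool, bytes]]) -> bool:
    """True when the certificate asserts OCSP Must-Staple (status_request in TLS Feature)."""
    return STATUS_REQUEST in tls_features(extensions)


def client_verdict(extensions: Dict[str, Tuple[bool, bytes]], stapled_response: bool) -> str:
    """What an RFC 7633-conforming client does with this certificate and handshake."""
    if requires_stapling(extensions) and not stapled_response:
        return "reject: Must-Staple asserted but no OCSP response stapled"
    return "accept"


if __name__ == "__main__":
    exts = parse_extensions(SAMPLE_EXTENSIONS)
    print("TLS features:", tls_features(exts))
    print("Must-Staple:", requires_stapling(exts))
    print("Without staple:", client_verdict(exts, stapled_response=False))
```

Running this against both the origin certificate and the certificate a user behind the proxy actually sees (exported from the browser) separates the two candidate failures: the re-signed certificate still asserts Must-Staple while the proxy staples nothing, or the proxy rejected the origin handshake on its own and sent the browser a broken one.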