it has Cisco IOS XE Software, Version 16.12.04

  - Does it work for you from a standard Windows 10 PC for instance, because if you are on a Windows Server OS , sometimes enforced policies may lead to  extra restrictions (?)

 M.

Hi Marce

it's giving same error when i am using Windows 10PC.  

using chrome : i am getting the following

This site can’t provide a secure connection10.250.0.254 uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Unsupported protocol
The client and server don't support a common SSL protocol version or cipher suite.

using IE:

Can’t connect securely to this page

This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website’s owner.

Your TLS security settings aren’t set to the defaults, which could also be causing this error.

message on switch:

5 11:29:59.037: %WEBSERVER-5-CONNECTION_FAILED: Switch 1 R0/0: nginx: connection failed from host 10.250.0.1 - Cipher Mismatch/No shared cipher

 - At a first glance available ciphers between the browser and switch do not match, check for instance  TLSv1.1 & TLSv1.2 settings in the browser. For the 3650 use   # nmap --script ssl-enum-ciphers <3650-ip-address>.  or show  ip http server all 
                     Check for potential influences of stuff like firewalls , proxies , AV software

 M.

I check the browser:  TLS1.2 and TLS1.1 are enabled.  

i used the command show  ip http server all,  shows the following

#show ip http server all
HTTP server status: Enabled
HTTP server port: 80
HTTP server active supplementary listener ports:
HTTP server authentication method: local
HTTP server auth-retry 0 time-window 0
HTTP server digest algorithm: md5
HTTP server access class: 0
HTTP server IPv4 access class: None
HTTP server IPv6 access class: None
HTTP server base path:
HTTP File Upload status: Disabled
HTTP server upload path:
HTTP server help root:
Maximum number of concurrent server connections allowed: 300
Maximum number of secondary server connections allowed: 50
Server idle time-out: 180 seconds
Server life time-out: 180 seconds
Server session idle time-out: 600 seconds
Maximum number of requests allowed on a connection: 25
Server linger time : 60 seconds
HTTP server active session modules: ALL
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: aes-128-cbc-sha dhe-aes-128-cbc-sha
ecdhe-rsa-aes-128-cbc-sha rsa-aes-cbc-sha2 rsa-aes-gcm-sha2
dhe-aes-cbc-sha2 dhe-aes-gcm-sha2 ecdhe-rsa-aes-cbc-sha2
ecdhe-rsa-aes-gcm-sha2 ecdhe-ecdsa-aes-gcm-sha2
HTTP secure server TLS version: TLSv1.2 TLSv1.1
HTTP secure server client authentication: Disabled
HTTP secure server PIV authentication: Disabled
HTTP secure server PIV authorization only: Disabled
HTTP secure server trustpoint:
HTTP secure server peer validation trustpoint:
HTTP secure server ECDHE curve: secp256r1
HTTP secure server active session modules: ALL

HTTP server application session modules:
Session module Name Handle Status Secure-status Description
GSIFF950F66C8-webui 8 Active Active wsma infra
HOME_PAGE 3 Active Active IOS Homepage Server
HTTP_IFS 1 Active Active HTTP based IOS File Server
NBAR2 2 Active Active NBAR2 HTTP(S) Server
BANNER_PAGE 4 Active Active HTTP Banner Page Server
WEB_EXEC 5 Active Active HTTP based IOS EXEC Server
IXI 6 Active Active IOS XML Infra Application Server
GSIFF8AE75F80-lic-a 7 Active Active license agent app
GSIFF954C69B0-webui 9 Active Active wsma infra
NG_WEBUI 10 Active Active Web GUI

HTTP server current connections:
local-ipaddress:port remote-ipaddress:port in-bytes out-bytes
Nginx Internal Counters:
Nginx pool = 915
Active connection = 0
Nginx pool available = 900
Maxmum connection Hit = 0

i tried this and it works

  conf t
no crypto pki trustpoint TP-Self-Signed-xxxxxxxxxx
no ip http server
no ip http secure-server
ip http server
ip http secure-server
ip http authentication