Skip to content
← All articles

Fix ERR_SSL_VERSION_OR_CIPHER_MISMATCH: Causes and Solutions

ERR_SSL_VERSION_OR_CIPHER_MISMATCH is a browser error that appears when the client and server cannot agree on a common TLS protocol version or cipher suite during the TLS handshake. The cause is usually server-side: an outdated TLS 1.0/1.1 configuration, missing modern ciphers, or an incorrectly installed certificate that prevents negotiation.

This guide explains what the error means, walks through every server-side and client-side cause, shows you how to tell them apart, and gives concrete diagnostic and repair commands for nginx and Apache, plus browser-side workarounds. It is written for site owners and system administrators.

What ERR_SSL_VERSION_OR_CIPHER_MISMATCH means

When a browser opens an SSL/TLS проверку connection, it sends the server a list of supported TLS versions and TLS cipher suites 2026 in a ClientHello message. The server picks a shared option and replies with ServerHello. If there is no overlap — no common protocol version or no common cipher suite — the handshake aborts and Chrome shows ERR_SSL_VERSION_OR_CIPHER_MISMATCH. Firefox shows SSL_ERROR_NO_CIPHER_OVERLAP; Safari shows "Safari can't establish a secure connection."

The key word is mismatch. This error is not about an expired certificate by itself or a wrong domain — it fails at the very first stage, before certificate validation. The two sides literally could not find a common language for encryption.

Causes of ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Causes fall into two broad groups: server-side (the vast majority) and client-side. Let's cover both.

Outdated TLS versions (1.0 and 1.1)

The most common cause after 2020. Chrome, Firefox, Safari, and Edge have all disabled TLS 1.0 and TLS 1.1 as insecure. If your server is configured to speak only these protocols, a modern browser finds no common version and throws the error. The fix is to enable TLS 1.2 and TLS 1.3 on the server.

Incompatible cipher suites

Even when the TLS version matches, both sides must agree on a specific cipher suite. If the server offers only outdated ciphers (RC4, 3DES, DES, export-grade, or ciphers without forward secrecy) that browsers dropped long ago, there is no overlap. You need a modern list: ECDHE with AES-GCM and ChaCha20-Poly1305.

Weak and legacy ciphers: RC4, 3DES, DES

RC4 is prohibited in TLS (RFC 7465 bans it outright), 3DES is vulnerable to the Sweet32 attack, and export-grade ciphers are a 1990s relic. Browsers removed them from their default lists. A server relying on such ciphers is doomed to mismatch with modern clients.

Certificate problems

Although the error is primarily about protocol and ciphers, a misconfigured certificate can also trigger it: a wrong key format, a certificate/cipher type mismatch (for example an ECDSA key with RSA-only ciphers in the config), or a self-signed or corrupted certificate that stops the server from completing negotiation. An expired certificate usually gives a different error (NET::ERR_CERT_DATE_INVALID), but combined with a restrictive config it can surface as a cipher mismatch.

Server-side or client-side error

The first practical step is to locate the problem. If every user sees the error on every device, it is almost certainly the server. If only you see it on one device but the site loads on your phone over mobile data, the cause is local (an outdated browser, antivirus, system clock, or a corporate proxy). The table below helps you diagnose.

Cause typeSymptomHow to checkFix
Server: old TLSError for everyone, all devicesopenssl s_client -connect host:443 -tls1_2Enable TLS 1.2/1.3 in server config
Server: weak ciphersError in new browsers, old ones workCheck on /en/ssl or SSL LabsSet a modern ssl_ciphers list
Server: certificateHandshake aborts for allopenssl s_client -connect host:443 -showcertsReinstall certificate and chain
Client: old browserError for one user onlyOpen the site in another browser/deviceUpdate browser and OS
Client: antivirus/proxyError disappears without antivirusTemporarily disable HTTPS scanningTurn off SSL inspection in the software
Client: system clockTLS errors on many sitesCheck the system date and timeSync the clock via NTP

How to fix it on the server

If diagnosis pointed to the server, edit your web server configuration to enable current protocols and ciphers. Below are proven settings for nginx and Apache that match Mozilla's recommendations (Intermediate profile).

nginx configuration

In your site's server block, set the protocol versions and cipher list. TLS 1.3 cipher suites are fixed by the standard; for TLS 1.2 we specify ECDHE-first suites:

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/ssl/example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
}

After editing, test the syntax and reload nginx:

sudo nginx -t
sudo systemctl reload nginx

Apache configuration

In your virtual host file (for example /etc/apache2/sites-enabled/example.com.conf) or the SSL config, set:

<VirtualHost *:443>
    ServerName example.com

    SSLEngine on
    SSLCertificateFile      /etc/ssl/example.com/fullchain.pem
    SSLCertificateKeyFile   /etc/ssl/example.com/privkey.pem

    SSLProtocol             -all +TLSv1.2 +TLSv1.3
    SSLHonorCipherOrder     off
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
</VirtualHost>

Validate the configuration and reload Apache:

sudo apachectl configtest
sudo systemctl reload apache2

Verify the result with openssl and curl

Confirm the server now accepts TLS 1.2 and returns a valid cipher. The openssl s_client command shows the negotiated protocol version and cipher suite:

openssl s_client -connect example.com:443 -tls1_2
# Look for: Protocol : TLSv1.2 and Cipher : ECDHE-RSA-AES128-GCM-SHA256

For a quick check with curl and a verbose handshake log:

curl -v --tlsv1.2 https://example.com/
# The line '* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256' confirms success

How to fix it in the browser

If the error appears only for you while the site loads on other devices, the problem is client-side. Work through these steps in order:

  1. Update your browser and OS. Old versions of Chrome or Firefox, or an outdated Windows/Android, may not support modern ciphers.
  2. Clear the SSL state and cache. On Windows: Internet Options → Content → Clear SSL state. Restart the browser.
  3. Check the date and time. A wrong system clock breaks TLS on many sites — sync it via NTP.
  4. Disable antivirus HTTPS scanning. Kaspersky, ESET, Avast, and others intercept TLS and can force incompatible ciphers.
  5. Check proxy and VPN. Corporate proxies with SSL inspection are a common cause. Disable them temporarily to test.
  6. Try incognito mode. This rules out interference from browser extensions.

Important: do not try to "re-enable old TLS 1.0/1.1" in the browser as a workaround — it lowers your own security. The right fix is to correct the server.

How to check your site's SSL

Before changing the configuration, it helps to see the full picture: which TLS versions and ciphers the server actually offers, whether the certificate chain is valid, and when it expires. Our free SSL certificate checker shows the negotiated protocol, cipher suite, validity period, and trust chain in a couple of seconds — no local utilities required. It is a fast way to confirm that ERR_SSL_VERSION_OR_CIPHER_MISMATCH is gone after your fixes.

Useful related reading: fixing ERR_SSL_PROTOCOL_ERROR, why the SSL handshake fails, and a comparison of TLS 1.3 versus TLS 1.2.

Frequently Asked Questions

Why did this error appear suddenly on a site that used to work?

Most likely your browser updated and disabled the outdated protocol or cipher your server relied on. Chrome and Firefox gradually remove TLS 1.0/1.1 and weak ciphers. A server that worked yesterday can become incompatible overnight. Update the configuration to TLS 1.2/1.3 with modern cipher suites and access is restored.

Is this my server's problem or my computer's?

Check the site from another device and over mobile data. If everyone sees the error, the server is at fault: old TLS or weak ciphers. If only you see it, the cause is local — an outdated browser, antivirus with HTTPS scanning, a wrong system clock, or a corporate proxy. The table in this article helps you pinpoint the source.

Should I keep TLS 1.0 and 1.1 support for old clients?

No. TLS 1.0 and 1.1 are officially deprecated (RFC 8996) and insecure. Keeping them means leaving a vulnerability open for a negligible share of devices. Modern operating systems and browsers have supported TLS 1.2 for years. Configure TLS 1.2 and 1.3 — that covers all current clients without compromising security.

How do I see which ciphers my server offers?

Run openssl s_client -connect host:443 -tls1_2 and read the Cipher line in the output, or use an online check on the /en/ssl page. It shows the full list of negotiable cipher suites, the protocol version, and a security rating of your configuration — with no tools to install on your computer.

Does reissuing the certificate help?

Only if the original problem was the certificate itself — corrupted, wrong key format, or a type mismatch (ECDSA versus RSA). In most cases ERR_SSL_VERSION_OR_CIPHER_MISMATCH is caused by protocol and cipher settings, not the certificate, so fix ssl_protocols and ssl_ciphers first and keep reissuing as a last resort.

Sources

Check your website right now

Check your site's SSL →
More articles: SSL/TLS
SSL/TLS
Certificate Transparency Logs: Detecting Rogue Certificates and Monitoring Your Domain
16.03.2026 · 325 views
SSL/TLS
TLS 1.3: What Changed and Why It Matters
16.03.2026 · 177 views
SSL/TLS
Expired SSL Certificate: How to Fix NET::ERR_CERT_DATE_INVALID
15.04.2026 · 293 views
SSL/TLS
Free SSL via Let's Encrypt: Install certbot in 10 Minutes
15.04.2026 · 304 views