Skip to content

SSL_ERROR_PROTOCOL_VERSION_ALERT: Causes

Key idea:

SSL_ERROR_PROTOCOL_VERSION_ALERT — TLS alert 70 (protocol_version). Server does not support the requested TLS version. Typically happens when the browser tries TLS 1.3 but server is stuck on TLS 1.2 (OK) or 1.0/1.1 (fail — browsers disabled them). Alternative: browser offers old TLS, server requires newer.

Below: causes, fixes, FAQ.

Check your site's SSL →

Common Causes

  • Server stuck on TLS 1.0/1.1 (blocked by Chrome/Firefox since 2020)
  • OpenSSL < 1.0.2 — no ALPN + TLS 1.2
  • Legacy nginx (1.13-) — TLS 1.2 only, no 1.3
  • Downgrade attack prevention: TLS_FALLBACK_SCSV detected
  • Custom TLS config disabled the requested version

Step-by-Step Fix

  1. Enable TLS 1.2 + 1.3 in nginx: ssl_protocols TLSv1.2 TLSv1.3;
  2. Update OpenSSL to 3.x
  3. Check supported TLS: openssl s_client -connect example.com:443 -tls1_3
  4. Enterno SSL Checker lists all supported TLS versions
  5. See the nginx SSL install guide

Check SSL Certificate →

Related SSL Errors

TL;DR

The SSL_ERROR_PROTOCOL_VERSION_ALERT indicates a TLS version mismatch between a client's browser and a server, preventing secure connections. To resolve this, ensure your server supports modern TLS versions (1.2 or 1.3) by updating your server configuration and certificates. Use openssl s_client -connect yourdomain.com:443 -tls1_2 to verify supported protocols.

Understanding SSL_ERROR_PROTOCOL_VERSION_ALERT

The SSL_ERROR_PROTOCOL_VERSION_ALERT error occurs when a client attempts to establish a secure connection using a version of TLS that the server does not support. This mismatch is often due to outdated server configurations or deprecated TLS versions. As of October 2023, TLS 1.2 and TLS 1.3 are the recommended versions for secure communications, as earlier versions such as TLS 1.0 and 1.1 are considered insecure and are often disabled in modern browsers.

When a browser encounters this error, it typically means that the server is configured to accept only older versions of TLS that the browser has stopped supporting. This situation can arise in various scenarios, such as when using legacy systems or when server software has not been updated to comply with current security standards.

To troubleshoot this issue, you can use tools such as openssl to check which TLS versions your server supports. For example, running the following command can help identify the supported protocols:

openssl s_client -connect yourdomain.com:443 -tls1_2

If the connection fails with a protocol version error, you will need to update your server configuration to support at least TLS 1.2. This may involve modifying your web server settings, updating your SSL/TLS certificates, or upgrading your server software.

Practical Steps to Fix SSL_ERROR_PROTOCOL_VERSION_ALERT

To resolve the SSL_ERROR_PROTOCOL_VERSION_ALERT error, follow these steps to ensure your server supports the necessary TLS versions:

  1. Check Current TLS Configuration: Use the openssl command as shown above to determine the supported TLS versions on your server. If TLS 1.2 or 1.3 is not listed, proceed to the next steps.
  2. Update Server Software: Ensure that your web server software (such as Apache, Nginx, or IIS) is up-to-date. For example:
sudo apt-get update && sudo apt-get upgrade
  1. Modify Server Configuration: Update your server configuration files to enable TLS 1.2 or 1.3. For Apache, you can edit the ssl.conf file and include:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  1. Restart the Server: After making changes, restart your web server to apply the new configuration:
sudo systemctl restart apache2
  1. Verify Changes: Re-run the openssl command to confirm that the server now supports TLS 1.2 or 1.3.
  2. Check SSL/TLS Certificates: Ensure your SSL/TLS certificates are valid and configured correctly. Use certbot for Let's Encrypt certificates:
sudo certbot renew

After following these steps, test the connection using your browser again. If the error persists, consider consulting your server documentation or reaching out for professional support to ensure compliance with modern security standards.

CertificateExpiry, issuer, domains (SAN)
ChainIntermediate and root CA validation
TLS ProtocolTLS version and cipher suite
VulnerabilitiesHeartbleed, POODLE, weak ciphers

Why teams trust us

TLS 1.3
supported
Full
CA chain check
<2s
result
30/14/7
days-to-expiry alerts

How it works

1

Enter domain

2

TLS chain verified

3

Expiry date & vulnerabilities

What Does the SSL Check Cover?

SSL/TLS is the encryption protocol that protects data between the browser and server. Our tool analyzes the certificate, chain of trust, TLS version, and knownvulnerabilities.

Certificate Details

Issuer, validity period, signature algorithm, covered domains (SAN), and validation type (DV/OV/EV).

Chain of Trust

Full chain verification: from leaf certificate through intermediates to root CA.

TLS Analysis

Protocol version (TLS 1.2/1.3), cipher suites, Perfect Forward Secrecy (PFS) support.

Expiry Alerts

Set up a monitor — get Telegram and email alerts 30/14/7 days before expiration.

DV vs OV vs EV Certificates

DV (Domain Validation)
  • Confirms domain ownership only
  • Issued in minutes automatically
  • Free via Let's Encrypt
  • Suitable for most websites
  • Most common certificate type
OV / EV
  • Organization (OV) or Extended Validation (EV)
  • Issued in 1-5 business days
  • Costs $50 to $500/year
  • For finance, e-commerce, government sites
  • Increases user trust

Who uses this

DevOps

SSL certificate monitoring

Security

TLS config audit

SEO

HTTPS as ranking factor

E-commerce

customer trust

Common Mistakes

Expired certificateBrowsers block sites with expired SSL. Set up auto-renewal or monitoring.
Incomplete certificate chainWithout intermediate CA, some browsers and bots cannot verify the certificate.
Mixed content on HTTPS siteHTTP resources on an HTTPS page — the browser lock icon disappears, reducing trust.
Using TLS 1.0/1.1Legacy TLS versions have known vulnerabilities. Use TLS 1.2+ or 1.3.
Domain mismatch in certificateThe certificate must cover all site domains, including www and subdomains.

Best Practices

Set up auto-renewalLet's Encrypt + certbot with cron — certificate renews automatically every 60-90 days.
Enable HSTSStrict-Transport-Security header forces browsers to always use HTTPS.
Use TLS 1.3TLS 1.3 is faster (1-RTT handshake) and safer — legacy ciphers removed.
Monitor expiration datesCreate a monitor on Enterno.io — get notified well before expiration.
Verify chain after renewalAfter certificate renewal, confirm that intermediate certificates are installed.

Get more with a free account

SSL certificate monitoring, check history and alerts 30 days before expiry.

Sign up free

Learn more

Sources

Frequently Asked Questions

Do Chrome and Firefox block the same?

Yes, since 2020: TLS 1.0 + 1.1 disabled. Safari, Edge followed. TLS 1.2 is the minimum.

How to find out which TLS my server runs?

<a href="/en/ssl">Enterno SSL</a> shows supported versions. Or <code>openssl s_client -connect host:443 -tls1_3</code>.

Worked yesterday, broke today — what?

Usually a browser auto-update. Chrome 84+ (July 2020) enabled TLS 1.0/1.1 block by default.

Is TLS 1.2 safe in 2026?

Yes. TLS 1.3 is better, but 1.2 is secure with proper ciphers. Both are accepted standards.

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.