How to Fix ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Table of Contents
Online browsing and shopping have become much safer nowadays due to SSL certificates’ introduction. Their purpose is to encrypt online sessions and protect user data from theft.
While extremely beneficial, SSL certificates may sometimes misfire and disrupt your online sessions. The error ERR_SSL_VERSION_OR_CIPHER_MISMATCH pertains to one of these problems.
In this guide, you’ll learn about the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error, what causes it, and how to fix it.
To establish a secure connection, your browser and the website start negotiating an encryption channel on which the data will be exchanged. During this process, called TLS handshake, your browser sends a “hello” message to the web server, which responds by sending details of its certificate, and after the identities of both parties are validated, the encrypted connection initiates.
However, if the site’s SSL certificate is an older version or its cipher suite is misconfigured, your browser won’t recognize it, and you’ll receive the message ERR_SSL_VERSION_OR_CIPHER_MISMATCH. You are likely to see the following screen.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH is one of the many SSL errors you may encounter. Learn more in this guide on what is an SSL certificate and how to fix SSL errors.
What Causes the ERR_SSL_VERSION_OR_CIPHER_MISMATCH Error?
The ERR_SSL_VERSION_OR_CIPHER_MISMATCH error usually occurs due to problems with the website’s SSL certificate. However, other factors can also contribute to the issue. In general, the usual causes can be grouped into two categories.
Problems originating from the website
- Outdated TLS/SSL version – The website’s SSL certificate version is older, and the visitor’s browser doesn’t support it.
- Invalid SSL certificate – The website may be using an SSL certificate issued for another domain.
- Obsolete cipher suite – Cipher suites are sets of rules on how the encrypted connection should be established. Browsers may produce the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error in case a website’s web server uses an outdated cipher suite that is no longer supported.
- CDN misconfiguration – Many websites use content delivery networks (CDN) to reduce loading times. However, misconfigured TLS/SSL settings in a CDN can cause the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error.
Visitor-side problems
- Outdated browser or operating system (OS) – The visitor’s browser or operating system is outdated and doesn’t recognize later SSL/TLS versions.
- Corrupted browser cache – An expired or corrupted browser cache can sometimes trigger the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error for certain websites.
- Firewall or antivirus program – Misconfigured security rules or strict firewall rules can block your connection to some websites.
- QUIC protocol – QUIC is a next-generation encrypted transport layer protocol designed to facilitate safer and faster HTTP traffic. Many modern browsers have already adopted it. However, being an experimental feature, it may conflict with some website configurations, resulting in the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error message.
How to Fix the ERR_SSL_VERSION_OR_CIPHER_MISMATCH Error as a Website Owner
When the error originates from the website, it’s up to the webmaster or owner to fix it. If you are just a visitor, you can only report the error and wait until it’s resolved.
However, if your website is affected, you should take immediate action to correct it. Otherwise, you may lose substantial traffic since the website will remain inaccessible until fixed.
Below, you will find the standard solutions for fixing the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error.
Check Your SSL Certificate
A quick online SSL certificate check on your website can save you a lot of time when fixing the error. You can focus on the actual problem and not lose time in actions that won’t contribute to its resolution.
Use an online checker to inspect your SSL certificate and identify outstanding problems. One of the most popular ones is the Qualys SSL Labs tool. Here is how to use it.
- Open the SSL Labs test tool home page.
- Enter your website URL in the Hostname field and press Submit.
- Wait until the tool inspects your certificate and generates a report.
- Once the report is ready, you can check the TLS version, cipher suites, and all other aspects of your certificate.
Detected problems will be highlighted in red. Focus on them, as they are likely the cause.
Check for an Old TLS version
TLS (Transport Layer Security) is the fundamental technology on which modern SSL certificates are based. It has undergone several revisions, and nowadays, the older TLS versions 1.0 and 1.1 are largely deprecated. Modern browsers are likely to display the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error message on websites using legacy TLS versions.
Your certificate’s version should be at least TLS 1.2 or, ideally, TLS 1.3. SiteGround provides free Let’s Encrypt SSL certificates configured with the latest TLS version 1.3.
Check if your website uses old TLS versions. You can easily find out the version using an SSL checker like the SSL Labs test tool or your browser.
On Google Chrome, right-click on your website’s page and select Inspect to open the DevTools console. Select the Security tab, where you can see the TLS version your website uses.
Check for an SSL Certificate Name Mismatch
A very common reason for the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error is a mismatch between the website URL and the hostnames for which the SSL certificate is issued.
Usually, a mismatch occurs due to the following reasons:
- The domain name alias that the website uses doesn’t match the domain name for which the SSL certificate is issued. For example, your website address is https://www.yourdomain.com, and the certificate covers only https://yourdomain.com (without www).
This issue can result from installing an SSL too soon after pointing your domain to your web server. The DNS propagation takes up to 72 hours, and you must wait for a while before installing the certificate. Otherwise, either yourdomain.com or www.yourdomain.com might not have propagated, and as a result, the certificate authority (CA) couldn’t issue the SSL for both aliases.
To fix the problem, make sure that both A records for yourdomain.com and www.yourdomain.com point to your hosting server and reinstall the certificate.
Also, consider using a Wildcard SSL (*.yourdomain.com) that acts as a catch-all certificate and covers your domain and all first-level subdomains (like www.yourdomain.com and mail.yourdomain.com).
Afterward, use an online SSL checker like Qualys SSL Labs to verify that it covers both aliases. - Your domain’s A record points to an old IP address where your website no longer exists. It opens another website, and its certificate doesn’t cover your domain name. Hence, visitors who try to open your website receive the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error.
You can easily fix this by pointing your domain to your hosting server. If your website is hosted on SiteGround, read this guide on how to point your website to SiteGround.
Check for the RC4 Cipher Suite
The RC4 Cipher Suite is not considered safe anymore, and most modern browsers don’t support it. Thus, if your website’s certificate uses it, most visitors will see the ERR_SSL_VERSION_OR_CIPHER_MISMATCH since their browsers consider the connection compromised.
Once again, you can use the Qualys SSL Labs tool to establish if your SSL certificate utilizes the RC4 cipher suite. On the results page, scroll down to the Protocol Details section. The status for RC4 will be either No (Your website doesn’t use RC4) or Yes (RC4 is in use).
If your website uses the RC4 cipher suite and you manage your own server, we recommend disabling it and replacing it with a different cipher suite by adjusting the server configuration.
SiteGround users can skip this step. We have deprecated the RC4 cipher suite and replaced it with safer ones.
Enable TLS 1.3 Support on the Web Server
An older TLS version is a common reason for the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error. Modern browsers don’t support SSL certificates using outdated TLS protocols.
Thus, if your web server configuration supports only old TLS versions, many visitors will see the error when visiting your website.
The solution is straightforward – configure your web server to use at least TLS 1.2 or, even better, TLS 1.3. If you don’t manage your server, ask your hosting provider to upgrade the TLS version.
You won’t have to ask for this if your website is hosted at SiteGround. We strive to keep up with the latest security trends and have configured our servers with TLS 1.3 years ago.
Check the SSL Status in Cloudflare
The ERR_SSL_VERSION_OR_CIPHER_MISMATCH error is common for websites that just started using Cloudflare’s content delivery network (CDN). It is caused by the Universal SSL that the CDN utilizes by default.
Simply put, Cloudflare needs some time to install the Universal SSL for your website. If you just pointed your domain to them and activated Cloudflare CDN right away, your website might still be missing the Universal SSL and produce the certificate mismatch error.
Your best course of action is to pause Cloudflare. Your website will load from the origin server while the Universal SSL is being issued.
You can pause the CDN from the Overview section in your Cloudflare dashboard. Find the Advanced Actions at the right of the screen and select Pause Cloudflare on this site.
Then, give it a few hours and enable Cloudflare again. The error should be resolved.
Alternatively, you can disable the Universal SSL and reactivate it. Log into your Cloudflare dashboard and navigate to the SSL/TLS > Edge Certificates tab. Scroll down until you reach the bottom of the page and click on Disable Universal SSL.
Wait for a while, and then activate the Universal SSL.
How to Fix the ERR_SSL_VERSION_OR_CIPHER_MISMATCH Error as a Visitor
The ERR_SSL_VERSION_OR_CIPHER_MISMATCH error might not originate from the website. If other visitors can access the website, your local device has a problem that needs to be resolved.
Keep reading to find out how to fix local issues that might be causing the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error.
Check your internet connection
Occasionally, something as trivial as a poor internet connection can cause the error ERR_SSL_VERSION_OR_CIPHER_MISMATCH. Try to restart your computer and router and check the website again.
If you still get the error, test with another network. For instance, if you use a Wi-Fi network, try from your mobile network.
Delete Browser Cache and Cookies
Your browser might keep outdated cache files for a website. As a result, you may see the ERR_SSL_VERSION_OR_CIPHER_MISMATCH. The error might go away after clearing your browser cache and cookies.
For Google Chrome, open the kebab menu > More Tools > Clear Browsing Data. In the pop-up window, select Cookies and other site data and Cached images and files, and press Clear Data.
For other browsers and mobile devices, read the following articles:
- How to clear cache and cookies on desktop browsers
- How to clear cache and cookies on Android
- How to clear cache and cookies on iPhone
Clear the SSL State
Your operating system stores certificates of websites you already visited. It is a very practical feature that speeds up subsequent visits to the same sites.
However, a site’s certificate might have changed while your OS keeps an outdated SSL cache. In such a case, your browser may produce the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error.
The remedy is to clear the SSL state of certificates in your operating system. Read on to learn the particular steps for clearing the SSL state on Windows and macOS.
Clear the SSL State on Windows
Clearing the SSL state may vary slightly depending on your Windows version. The following steps describe the process on Windows 10.
- Open the Windows menu in the lower left corner.
- Type control panel in the search bar to find the Control Panel.
- Click on the Control Panel icon.
- Choose the Network and Internet section.
- On the following page, select Internet Options (Internet Properties).
- An Internet Properties dialog box will pop up. Select the Content tab, and then press the Clear SSL state.
Delete an SSL on Mac
You can delete an SSL certificate from your Mac to remove the expired SSL cache, which may trigger the certificate name mismatch error. Follow the steps below.
- From the menu bar, select Go > Utilities.
- On the next window, choose Keychain Access.
- Next, open the Certificates tab.
- Untrusted or invalid certificates are marked in red. Right-click on the certificate of the website you have trouble accessing, and select Delete.
Use a New Operating System
Older operating systems, like Windows XP, miss out on many security and performance upgrades, including the support of modern TLS certificates. Visitors who use them will see the SSL version error on websites that moved to the latest TLS protocols.
So, if you often receive the error and haven’t updated your operating system recently, it’s time to consider moving to a new OS version.
Disable Your Antivirus or Firewall
Antivirus and firewall applications protect your device from various online threats. But sometimes, they might be too restrictive and prevent connecting to particular websites. These restrictions can manifest as the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error.
You can test if your security software is causing trouble by disabling it. Then, visit the website that produced the error. If the error is gone, your antivirus or firewall application is the culprit.
Consider contacting the software’s support team or using an alternative security software.
Turn on TLS 1.3 Support
The latest versions of all popular browsers support TLS 1.3 natively, and it is enabled by default. But if you use an older browser version, you may have to explicitly enable the support of TLS 1.3.
Follow the instructions below for enabling the protocol on older versions of Google Chrome.
- In the address bar, type chrome://flags and hit Enter.
- In the search bar, type TLS and press Enter.
- Find the option TLS 1.3 support and set it to Enabled.
- Restart Chrome and revisit the website that produced the error.
Turn Off the Experimental QUIC Protocol
QUIC is a relatively new transport layer network protocol designed to reduce latency and speed up your browser connection. Most servers, applications, and browsers support it, but it could still cause conflicts with specific website configurations. One of the errors denoting this issue is ERR_SSL_VERSION_OR_CIPHER_MISMATCH.
Test if the QUIC protocol is disrupting your connection by turning it off. Follow the steps below to disable QUIC on Google Chrome.
- Type chrome://flags/ in the address bar.
- On the following page, type QUIC in the search bar.
- Set the option Experimental QUIC protocol to Disabled.
- Restart Chrome and try visiting the website again.
Conclusion
ERR_SSL_VERSION_OR_CIPHER_MISMATCH is a frustrating error indicating SSL certificate problems with the SSL/TLS version or cipher suite. Not to mention, it can turn away visitors from your website as it appears dangerous or suspicious.
However, ERR_SSL_VERSION_OR_CIPHER_MISMATCH is not that hard to deal with, like most SSL-related errors. Only a limited number of issues cause it, and with the proper investigation and knowledge, you can quickly solve it.
This guide examined the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error, its usual triggers, and the most common solutions. We are sure you won’t have trouble getting rid of it the next time you encounter it.
FAQ
Can I encounter the “err_ssl_version_or_cipher_mismatch” error on all web browsers, or is it specific to certain browsers?
The ERR_SSL_VERSION_OR_CIPHER_MISMATCH error is not specific to a single browser. You can encounter it on Google Chrome, Mozilla Firefox, Safari, Microsoft Edge, etc.
However, you may see different variations of the error. Some of them include:
- The client and server don’t support a common SSL protocol version or cipher suite.
- X uses an unsupported protocol.
Can a firewall or antivirus software cause “err_ssl_version_or_cipher_mismatch” error?
Yes, a firewall or antivirus software can trigger the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error. Usually, the problem stems from overly strict security rules or misconfigurations that block the connection to a website.
Disable or pause your security software and test connecting to the website. If the error is gone, it confirms that the antivirus or firewall software is the problem.
Contact the software support team or consider using an alternative program.
Is it possible to bypass the “err_ssl_version_or_cipher_mismatch” error?
If its web server allows it, you can bypass the SSL connection and access a website over the unsecured HTTP protocol. However, unencrypted connections to websites are not advised, as they hide many risks like data theft, leaked credit card details, exposure of sensitive information, etc.
Can a mismatched SSL version or cipher affect my website’s SEO ranking?
Yes. If the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error originates from your SSL certificate, it can negatively impact your website’s SEO ranking. The mismatched SSL version or cipher prevents visitors from opening your website. As a result, your web traffic and SEO ranking will suffer.
That’s why fixing the error should be your top priority.
Does upgrading my SSL certificate or changing the cipher suite fix the “err_ssl_version_or_cipher_mismatch” error?
Visitors might receive the ERR_SSL_VERSION_OR_CIPHER_MISMATCH message if your web server uses an outdated TLS version or cipher suite their browsers don’t support.
So yes, upgrading your SSL certificate’s TLS version and cipher suite can fix the error.
What are some recommended SSL configurations to prevent the “err_ssl_version_or_cipher_mismatch” error?
To prevent the ERR_SSL_VERSION_OR_CIPHER_MISMATCH, keep the following practices.
- Configure the latest TLS version on your web server. Preferably, your website should use TLS 1.3, but if not possible – at least TLS 1.2.
- Configure your web server to use secure cipher suites. Replace the RC4 cipher suite with more trusted and modern suites.
- Ensure your website’s domain points to the correct IP address.
- Check if your SSL certificate is issued for the correct domain and its aliases (like yourdomain.com and www.yourdomain.com) to prevent a certificate name mismatch.
- If you use a CDN, inspect its proxy settings to ensure they don’t cause the cipher mismatch error.