ERR_SSL_VERSION_OR_CIPHER_MISMATCH: what it means and how to fix it
You open a site and Chrome refuses to load it with a blunt message:
This site can't provide a secure connection
example.com uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Unlike an expired or wrong-hostname certificate, this error happens before trust is ever evaluated. The browser and the server could not agree on how to talk securely, so the handshake never finishes. The certificate might be perfectly valid; you just never got far enough to check it.
What the handshake is trying to agree on
Every TLS connection starts with the client offering a list: the TLS versions it supports (1.2, 1.3) and the cipher suites it is willing to use. The server picks one of each from the intersection with its own list. If that intersection is empty for either the protocol version or the cipher, there is nothing to negotiate, and the connection aborts with this error.
So the message is really saying one of two things:
- No shared protocol version. The server only speaks a version the browser has dropped, or vice versa.
- No shared cipher suite. They share a protocol version but no common cipher.
The common causes
The server still requires TLS 1.0 or 1.1. Modern Chrome, Firefox, and Safari removed support for TLS 1.0 and 1.1 in 2020. A server hard-pinned to those versions now has no overlap with any current browser. This is the single most common cause on older appliances, load balancers, and legacy intranet boxes.
The server only offers weak or deprecated ciphers. RC4, 3DES, and export-grade suites have been removed from browsers. A server configured years ago to support only those will fail every modern client.
An RSA-only browser meeting an ECDSA-only certificate (or the reverse). If the server presents only an ECDSA certificate but the negotiated cipher needs RSA, or the cipher list and certificate key type do not line up, there is no usable suite.
A TLS-terminating proxy or CDN misconfiguration. Cloudflare, a corporate middlebox, or a misconfigured reverse proxy can restrict the version or cipher set on its own, independent of your origin.
Wrong port or a non-TLS service. Pointing HTTPS at a port that speaks plain HTTP (or something else entirely) produces the same failure, because the server never sends a valid ServerHello.
How to diagnose it
First confirm what the server actually offers. From a machine with openssl:
openssl s_client -connect example.com:443 -tls1_2
openssl s_client -connect example.com:443 -tls1_3
If -tls1_2 and -tls1_3 both fail but an older -tls1 succeeds, the server is stuck on a protocol no browser will accept anymore. To see the cipher list the server accepts, tools like nmap --script ssl-enum-ciphers -p 443 example.com enumerate every suite.
If you would rather not install anything, run the host through the SSL checker. It reports the negotiated protocol version and certificate details, so a server that can only complete a handshake on an obsolete version shows up immediately. To inspect a certificate file you already hold and confirm its key type (RSA vs ECDSA), the SSL decoder parses it locally in the browser.
The fix
The repair is almost always on the server, not the client:
- Enable TLS 1.2 and 1.3 and stop requiring 1.0/1.1. In nginx:
ssl_protocols TLSv1.2 TLSv1.3;. In Apache:SSLProtocol -all +TLSv1.2 +TLSv1.3. - Offer a modern cipher list. Use the current Mozilla "intermediate" recommendation rather than a hand-rolled list from a decade ago.
- Match the certificate to the ciphers. If you serve an ECDSA certificate, make sure ECDSA suites are enabled; ideally serve both an RSA and an ECDSA certificate so every client finds a path.
- Check the proxy or CDN layer, not just the origin. The restriction is often there.
If the error appears for only one user and not others, the problem is on their end: an outdated browser, a date set wrongly on their machine, or antivirus software intercepting TLS with its own weak settings.
Before and after any change, point the host at the SSL checker to confirm it now negotiates TLS 1.2 or 1.3 cleanly.