It’s common for users to face SSL errors, including ERR_SSL_VERSION_OR_CIPHER_MISMATCH, online. This occurs when your browser finds an issue with a site’s SSL certificate version. Most people may feel confused when they encounter this error message — but it’s easy to put right.
In this detailed guide, we’ll explore six solutions for the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error to help you get your site back on track.
What Does the ERR_SSL_VERSION_OR_CIPHER_MISMATCH Error Mean?
Browsers check a website’s SSL certificate automatically each time a user attempts to visit it. They do this to verify that the site is legitimate and has put the right protocol in place to ensure that the user’s connection is secure. Referred to as the ‘Transport Layer Security (TLS) handshake’, this process makes sure that a user’s device and a web server communicate securely.
What if a web server and browser are unable to support a common SSL protocol version or cipher suite during this process? The browser would present the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error notification automatically.
What are the Primary Triggers for the ERR_SSL_VERSION_OR_CIPHER_MISMATCH Error?
Essentially, a browser triggers the error message to keep you safe when browsing and prevent you from accessing sites that may not be secure. Additionally, a site may utilize an unsupported protocol version with weaknesses in its security. This could pose a risk to your device and the data sent to the site.
A web server and browser can fail to support a common SSL protocol for a number of reasons, including:
- Outdated TLS versions: A web server might use an outdated TLS version which is unsupported by modern browsers.
- Invalid certification: The website’s SSL certificate could be assigned to an alternative domain name alias, which would cause a certificate mismatch error.
- Browser cache: A browser’s cached data could fail to reflect the site’s security update.
- Outdated OS or browser: The latest TLS version might not be supported by an older operating system (OS) or browser.
- Antivirus software: If antivirus software is set up incorrectly, it could cause a false alarm and lead to an ERR_SSL_VERSION_OR_CIPHER_MISMATCH error.
- QUIC protocol: This Google project, which serves as an alternative to popular security solutions, can cause the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error.
However, the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error only affects sites using SSL certificates and HTTPS encryption to facilitate secure access and information exchange. You can identify websites using these encryptions by the padlock symbol on the leftmost side of their address bars.
But the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error can also affect sites using Cloudflare CDN as well as security add-ons.
Fixing the ERR_SSL_VERSION_OR_CIPHER_MISMATCH Error
While the ERRSSL_VERSION_OR_CIPHER_MISMATCH error may seem complex and even daunting to newcomers, it’s actually fairly straightforward to fix.
Below, we’ll explore six ways to resolve the error.
Verify the SSL/TLS Certification
Check your site’s SSL/TLS certificate to find out whether it’s still in date and valid. If it’s outdated or invalid, your SSL/TLS certificate could be responsible for the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error.
You can use a number of online tools to check your site’s SSL certificate, including Qualys SSL Labs, which will assign a grade to the SSL connection and identify mismatches with the web server. Additionally, the tool will notify you if the SSL/TLS certificate is out of date and in need of updating.
The Qualys SSL Labs tool is simple to use. Enter your site’s URL, sit back, and relax while the tool prepares the results of its server test. During the test, the tool will assess the SSL/TLS certificate to verify that it is valid and trustworthy. After this, it will examine three key elements of the server’s setup:
- Protocol support
- Cipher support
- Key exchange support
Once the tool has completed this, it will calculate the test results and provide you with a grade (e.g. an ‘A’ or ‘B’). By using Qualys SSL Labs, you can also identify other problems known to trigger the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error message. These include the following:
- SSL certificate name mismatch
- Outdated TLS version
- Enabled RC4 cipher suite
Let’s take a close look at each:
SSL Certificate Name Mismatch
The SSL Labs tool may identify that a name mismatch is responsible for the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error in quick time.
A mismatch occurs when a website’s SSL certificate doesn’t align with the URL presented in the web browser. For example, this would apply if an SSL certificate carried the domain name www.testwebsite.com but you got to the site via https://testwebsite.com or another alias.
Fortunately, you can avoid this by redirecting traffic from the URL named on the SSL certificate to the one shown in the browser. As wildcard certificates allow the use of several hostnames under a single certificate, they can also prevent this problem from occurring.
If you want to check the domain names on a site’s certificate, Google Chrome’s Developer Tools makes it easy:
- Right-click on any position in the browser window, then click on ‘Inspect’,
- Tap the ‘Security’ option.
- While in the ‘Security’ tab, you can check the certificate and connection settings (with the TLS version). Click on the ‘View certificate’ option to view the certificate’s details.
- When the new window opens, navigate to the ‘Details’ tab.
- Locate the ‘Subject Alternative Name’ then click on it. In the lower box, you will see the registered domain names.
A certificate name mismatch may occur if the domain points to an older IP address where the website doesn’t exist anymore. You would need to point the domain name from the older IP address to the new one — that could solve the certificate name mismatch issue.
Outdated TLS Version
Performing the SSL Labs tool test will reveal which version of TLS that your site runs — this should be TLS 1.2 at least, as browsers no longer support TLS 1.0 and 1.1. So, if your site is still using an outdated TLS version, that could be to blame for the ERRSSL_VERSION_OR_CIPHER_MISMATCH error message.
You will need to speak to your web host about upgrading your website’s TLS version if this is the case.
RC4 Cipher Suite
With the SSL Labs test, you can check the cipher suite currently used by a web server. What should you do if a server is still using the RC4 cipher suite? Disable it and set up the server to utilize an alternative cipher suite instead.
There’s a simple reason for this: Google Chrome, Microsoft Edge, and various other browsers no longer support RC4 cipher suite because it’s not considered to be a safe option.
However, enterprises still use this suite, as changing the server setup of a more complicated environment can be a demanding, time-consuming task.
Use Cloudflare to Set Up Your SSL
The ERR_SSL_VERSION_OR_CIPHER_MISMATCH error may be triggered by a misconfiguration on Cloudflare and SSL settings. When this is to blame for the error message, the SSL Labs tool will show that the certificate is invalid.
Do you have Cloudflare’s Universal SSL installed? You need to set it up on the internal dashboard on Cloudflare — and here’s how:
- Sign in to your Cloudflare dashboard.
- Choose ‘SSL/TLS’ on the dashboard’s top panel.
- Find the Edge Certificates tab.
- Scroll along the page to the bottom, where you’ll see Disable Universal SSL. Tap the Disable Universal SSL in the column on the right-hand side.
- The process will end after a couple of minutes. When it’s done, click on the ‘Enable Universal SSL’ button to re-enable it.
- Continue with emptying the cache: click on &lsquoCaching’ on the dashboard’s top panel.
- Make your way to the ‘Configuration’ tab.
- Tap the ‘Purge Everything’ button in the ‘Purge Cache’ area at the top.
A few minutes after you finish these steps, go back to your site to verify that the problem has been fixed.
Turn on TLS 1.3 Support
With TLS, the connection between a web server and your chosen browser is secured, a layer which is SSL technology’s successor.
The majority of browsers (including Google Chrome) support TLS 1.3 already. But if you rely on a version of Chrome that’s older than the latest, you can activate your browser’s TLS support with the following steps:
- Launch Chrome on your device.
- Enter ‘chrome://flags’ in the address bar and tap the ‘Enter’ button.
- Type ‘TLS’ in the search field to find it.
- Switch the TLS 1.3 support to ‘Enable’ to turn it on.
It may be the case, though, that the site you intend to visit runs on version 1.0 or 1.1 of TLS. The connection will be denied by more recent browsers, and the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error message may be displayed.
Recent versions of Chrome include a feature that allows you to enforce deprecation of past TLS versions. With that in mind, you can turn that off to connect to a site using an older version of TLS. Just follow these steps:
- Launch Chrome.
- Enter ‘chrome://flags’ into the address bar, then tap the ‘Enter’ button.
- Type ‘TLS’ into the search field.
- Look for ‘Enforce deprecation of legacy TLS versions’.
- Open the drop-down menu then select ‘Disable’.
But that’s not the only way to do it. You can enable each version of TLS on your system instead. Follow these steps to do that:
- Enter ‘Internet Options’ into the Windows search bar.
- Tap on ‘Internet Options’.
- The ‘Internet Properties’ dialog box will appear. When it does, open the tab titled ‘Advanced’.
- Scroll down the checkbox list until you see ‘Use TLS’ items.
- Check each TLS version then tap the ‘OK’ button.
- To check that the new settings start working, just restart Chrome.
Please note: You may not want to keep these settings in effect, as it can compromise the safety of your browsing. Using this method only verifies whether an older TLS version is causing the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error message on your website.
Turn Off the QUICK Protocol
Google’s experimental Quick UDP Internet Connection (QUIC) protocol was designed to enhance connections for web apps utilizing the User Datagram Protocol (UDP). While QUIC is recognized as being an fantastic alternative to other popular security solutions like TLS/SSL, HTTP/2 and TCP, it can trigger warning messages — including the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error message.
Turning off the QUIC protocol could fix the problem. Let’s find out how to do that in Chrome:
- Launch Chrome and enter ‘chrome://flags’ in the address bar.
- Run a search for ‘QUIC’.
- Look for the ‘Experimental QUIC Protocol’.
- Open the drop-down menu then tap ‘Disable’.
Please note: You can turn off the QUIC protocol in other ways, e.g. using the Firewall Policy, but it’s recommended that you avoid those as they demand significant technical knowhow.
Empty Your Cache/History
Data from sites that you visit is stored in the history and cache of your browser. Within the cache, data includes files, images, and text that enables the site to load more quickly on your subsequent visits.
But storing old cache can be a mistake, particularly if those websites visited have updated their system already. Your cache could lead to security issues and SSL errors if you don’t empty the cache for a while.
So, you may fix the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error message if you delete the cache and restart it.
When using Chrome, take these steps to delete the cache:
- Tap the ellipsis in the top-right corner of the browser, then click on ‘Settings’.
- Scroll down the list of options, then look for the ‘Privacy and security’ area. Tap the ‘Clear browsing data’ button.
- You’ll see a new window pop up: check the ‘Cached images and files’ option. Use the drop-down menu to choose the deletion time-frame, then tap the ‘Clear data’ button.
- To complete the process, restart Chrome.
Now that you have emptied the cache, go back to your site to see if the error has been fixed. However, if the problem continues, you might need to use the ‘clear SSL state’ option in your browser from the OS’s settings.
- Enter ‘Internet Options’ in the Windows search bar.
- Tap the ‘Internet Options’ button.
- When the ‘Internet Properties’ dialog box appears, open the ‘Content’ tab.
- Tap the ‘Clear SSL State’ button, followed by ‘OK’.
Deactivate Your Firewall or Antivirus Software
If you have set up your firewall or antivirus software incorrectly, that could lead to security issues with your connection — including the ERR_SSL_VERSION_OR_CHIPER_MISMATCH error.
Why? Because poor setup or the software’s certificates may trigger false alarms and mark a safe site as a risky one. To find out whether it’s responsible for the error, it’s advised that you turn off the antivirus software on a temporary basis to avoid major issues.
Still, for antivirus software an automatic SSL scanning, turning that feature off should remove the error message without disabling the entire antivirus system.
Handling a Persistent ERR_SSL_VERSION_OR_CHIPER_MISMATCH Error
Any of these six solutions should take care of your ERR_SSL_VERSION_OR_CHIPER_MISMATCH error message, but there could still be cases when they don’t work. For instance, older browsers or older operating systems may also trigger the error.
You can find out whether this is the issue in a simple way: go to the site on a different device that is up to date. If that is effective, it indicates that the problem is related to your OS or browser.
Older versions of browsers might be unable to support recent versions of software, including TLS 1.3, but it could be that an older OS version is to blame because modern browsers no longer support them.
Still, reinstalling the browser could solve the problem. Just uninstall the browser from your device, then install the newest version from the browser’s official site. But reinstalling the browser won’t fix the issue if you rely on an older OS like Windows Vista or XP. It’s likely that these operating systems would be incompatible with the browser’s most up-to-date version. If that were the case, you would have to update the OS to the popular Windows 10 system instead.
The ERR_SSL_VERSION_OR_CHIPER_MISMATCH error occurs when a browser and web server offer no support for a common SSL protocol version. The error may appear on sites using Cloudflare’s CDN and security add-ons. Potential reasons could be a certificate name mismatch, old TLS version, or an issue with setting up the site’s SSL settings.
Fortunately, you can try multiple methods to solve the ERR_SSL_VERSION_OR_CHIPER_MISMATCH error:
- Use the Qualys SSL Labs tool to verify your SSL/TLS certificate and reveal problems, such as SSL certificate name mismatches and identify the SSL/TLS current version.
- Set up SSL with Cloudflare by installing a fresh SSL certificate in case the previous certificate has become outdated. It could help to fix the problem if you disable, reenable, and empty the SSL cache through the Cloudflare panel.
- If you use an older browser version, turn on TLS 1.3 support. Alternatively, if you have a modern browser and the site supports TLS 1.0 or 1.1 only, deprecate the enforcement of TLS 1.3.
- Turn off your browser’s QUIC protocol.
- Empty the history and cache in your browser, because an older configuration could disrupt your connection.
- Clear the SSL state.
- Turn off your antivirus software on a temporary basis to identify whether the antivirus setup causes the error message. Turn automatic SSL scanning off if possible.
- Update your OS and browser to the most recent version to ensure they support TLS 1.3.
If you run into an unknown error message, e.g. ERR_SSL_VERSION_OR_CIPHER_MISMATCH, don’t worry. Just read the message closely to identify the best solution. It’s likely that the error will occur again and again if you don’t use the best fix.
Leave a Reply