ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Severity: high
The TLS handshake dies because client and server share no protocol version or cipher suite in common.
What you see
This site can’t provide a secure connection
example.com uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
What’s actually happening
The connection never reaches the application — it fails during the handshake, so you get an error page instead of a slow or broken site. Firefox shows the same problem as SSL_ERROR_NO_CYPHER_OVERLAP. It's consistent across reloads and private windows. Often one browser or one machine works while an older one fails, which is the tell that protocol/cipher negotiation is the issue rather than the cert.
Common causes
- Server only offers TLS 1.0/1.1 (or SSLv3), which current Chrome and Firefox refuse outright — they require TLS 1.2 or 1.3.
- Server's cipher list contains only suites the browser dropped (e.g. RC4, 3DES, or non-AEAD ciphers), so the server finds no suite it can select for the ServerHello and aborts the handshake.
- SNI isn't being sent or honored, so the server falls back to a default vhost with a different (incompatible) TLS config.
- A firewall, TLS-inspecting proxy, or old load balancer is terminating/rewriting the handshake and stripping modern parameters.
- Misconfigured server (e.g. ssl_protocols set too narrowly in Nginx, or an outdated OpenSSL build) advertising an empty or stale cipher set.
How to fix it
- See exactly what the server negotiates: run openssl s_client -connect example.com:443 -tls1_2 and again with -tls1_3. If both report 'no protocols available' or a handshake failure, the server isn't offering anything modern. nmap --script ssl-enum-ciphers -p 443 example.com prints the full supported version/cipher matrix.
- Enable TLS 1.2 and 1.3 on the server: in Nginx, ssl_protocols TLSv1.2 TLSv1.3;. In Apache, SSLProtocol -all +TLSv1.2 +TLSv1.3. Reload and retest. This is the fix in the large majority of cases.
- Set a modern cipher suite: use the Mozilla SSL Configuration Generator (intermediate profile) to produce a known-good ssl_ciphers line, then reload. Avoid hand-picking ciphers — that's how the empty-overlap state happens.
- Rule out a middlebox: if the server config looks correct but clients still fail, test from a network without the corporate proxy/firewall, or pull a capture (tcpdump) to see whether the ClientHello/ServerHello are being altered in flight.
- Update the TLS stack: an ancient OpenSSL on the server can't speak TLS 1.3 at all. Patch the OS/OpenSSL package, restart the service, and confirm with openssl version.
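The diagnosis steps above can be scripted. The following is an added example (not part of the original page) that pins a handshake to one TLS version at a time using Python's standard ssl module, repeats the TLS 1.2 probe without SNI, and maps the OpenSSL failure reason onto the causes listed above: a version gap, a cipher gap, an SNI-dependent default vhost, or a certificate problem (which means version and cipher were in fact negotiated). The host, the outcome labels and the summary wording are this example's own assumptions; the reason-code strings it matches on are the ones OpenSSL reports through ssl.SSLError.reason.

```python
import socket
import ssl

# Outcome labels for the causes listed on the page (constructed for this example).
OK = "negotiated"
VERSION_GAP = "version gap: server rejects this TLS version"
CIPHER_GAP = "cipher gap: version accepted, no common cipher suite"
CLIENT_BUILD = "client build: local OpenSSL cannot offer this version"
CERT_PROBLEM = "certificate problem: version and cipher negotiated fine"


def classify(reason):
    """Map an OpenSSL reason code (ssl.SSLError.reason or str(exc)) to a cause label."""
    r = (reason or "").upper().replace(" ", "_")
    if "NO_PROTOCOLS_AVAILABLE" in r:          # our own OpenSSL could not build the ClientHello
        return CLIENT_BUILD
    if any(k in r for k in ("UNSUPPORTED_PROTOCOL", "PROTOCOL_VERSION", "WRONG_VERSION_NUMBER")):
        return VERSION_GAP                     # server (or a middlebox) refused the version
    if "HANDSHAKE_FAILURE" in r or "NO_CIPHERS_AVAILABLE" in r:
        return CIPHER_GAP                      # version agreed, no suite in common
    if "CERTIFICATE_VERIFY_FAILED" in r:
        return CERT_PROBLEM                    # we got past ServerHello, so negotiation worked
    return "other: " + (reason or "unknown")


def probe(host, port, version, send_sni=True, timeout=5.0):
    """One handshake pinned to a single TLS version; returns a result dict."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    if not send_sni:
        # Without SNI the server answers from its default vhost. There is no name
        # to check against, so hostname checking is off; chain verification stays on.
        ctx.check_hostname = False
    result = {"version": version.name, "sni": send_sni, "outcome": None,
              "negotiated": None, "cipher": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host if send_sni else None) as tls:
                result["outcome"] = OK
                result["negotiated"] = tls.version()
                result["cipher"] = tls.cipher()[0]
    except ssl.SSLError as exc:          # must come before OSError: SSLError subclasses it
        result["outcome"] = classify(exc.reason or str(exc))
    except OSError as exc:
        result["outcome"] = "network: " + str(exc)
    return result


def summarize(rows):
    """Turn the three probe results into the likely cause, in the page's terms."""
    by_key = {(r["version"], r["sni"]): r["outcome"] for r in rows}
    modern_sni = [by_key.get(("TLSv1_3", True)), by_key.get(("TLSv1_2", True))]
    if OK in modern_sni or CERT_PROBLEM in modern_sni:
        if by_key.get(("TLSv1_2", False)) in (VERSION_GAP, CIPHER_GAP):
            return "SNI-dependent: the default vhost has an older TLS config than the named one"
        return "server offers modern TLS; suspect a middlebox or the client if browsers still fail"
    if CIPHER_GAP in modern_sni:
        return "cipher list has no overlap: regenerate ssl_ciphers from the Mozilla intermediate profile"
    if all(o == VERSION_GAP for o in modern_sni):
        return "server offers no TLS 1.2/1.3: set ssl_protocols / SSLProtocol to TLSv1.2 TLSv1.3"
    if CLIENT_BUILD in modern_sni:
        return "local OpenSSL too old to probe: update it before drawing conclusions"
    return "inconclusive: " + "; ".join(str(o) for o in modern_sni)


def diagnose(host, port=443):
    """TLS 1.3 and 1.2 with SNI, then TLS 1.2 without SNI to expose a default-vhost mismatch."""
    return [probe(host, port, ssl.TLSVersion.TLSv1_3),
            probe(host, port, ssl.TLSVersion.TLSv1_2),
            probe(host, port, ssl.TLSVersion.TLSv1_2, send_sni=False)]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # assumed host
    results = diagnose(target)
    for row in results:
        print(row)
    print(summarize(results))
```

Run it as python3 probe.py your.host. Only TLS 1.2 and 1.3 are probed because Python's default context, like current browsers, no longer offers 1.0 or 1.1; a server that only speaks those shows up as a version gap on both probes, which is exactly the state that produces this error.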
Stop it recurring
Pin server config to TLS 1.2+ with a Mozilla intermediate cipher list and re-run an SSL Labs / testssl.sh scan after every infra change.
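As an added illustration (not from the original page) of what "pinning" looks like in Nginx, here is a constructed server block in the failing state next to the corrected one. The certificate paths and server name are placeholders; the ssl_ciphers line is the Mozilla intermediate profile as the generator emitted it at the time of writing, and it should be regenerated rather than copied, as the text above advises.

```nginx
# Before (constructed failing state): legacy versions plus suites every current browser has dropped
server {
    listen 443 ssl;
    server_name example.com;                                  # placeholder
    ssl_certificate     /etc/ssl/certs/example.com.crt;       # placeholder path
    ssl_certificate_key /etc/ssl/private/example.com.key;     # placeholder path
    ssl_protocols TLSv1 TLSv1.1;                              # Chrome and Firefox refuse both
    ssl_ciphers RC4-SHA:DES-CBC3-SHA;                         # zero overlap with a modern ClientHello
}

# After: TLS 1.2+ with the Mozilla intermediate profile
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/ssl/certs/example.com.crt;
    ssl_certificate_key /etc/ssl/private/example.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;                            # every suite above is acceptable; let the client choose
}
# Validate and apply: nginx -t && nginx -s reload, then re-run the scan mentioned above.
```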
Related errors