sfw/fix
ERR_SSL_OBSOLETE_VERSION medium

NET::ERR_SSL_OBSOLETE_VERSION (TLS 1.0 / 1.1 deprecated)

The server negotiated TLS 1.0 or 1.1, which Chrome has hard-blocked since version 84, triggering a full-page warning.

What you see

Your connection is not fully secure
This site uses an outdated security configuration, which may expose your information.
NET::ERR_SSL_OBSOLETE_VERSION

What’s actually happening

Chrome shows an interstitial (it's a warning you can usually click through, not a hard block like revocation) saying the site uses an outdated security configuration. Google started flagging TLS 1.0/1.1 as "Not Secure" in Chrome 79 and removed support outright in Chrome 84, so this hits any server that can't negotiate at least TLS 1.2. It's purely server-side — the visitor's machine is fine.

Common causes

  • The web server / load balancer still has TLS 1.0 or 1.1 enabled as its highest mutually-supported protocol.
  • TLS 1.2/1.3 is disabled or unavailable because of an old OpenSSL build (pre-1.0.1 has no TLS 1.2) on a legacy OS.
  • An old appliance, embedded device admin panel, or legacy intranet app whose firmware tops out at TLS 1.1.
  • A misconfigured cipher/protocol policy that accidentally left only the deprecated versions enabled.
  • Termination at an old proxy/CDN tier that speaks 1.0/1.1 to the browser even if the origin supports newer.

How to fix it

  1. Confirm which protocols the server offersRun SSL Labs (ssllabs.com/ssltest) or `nmap --script ssl-enum-ciphers -p 443 example.com`. You'll see exactly which TLS versions are enabled. If 1.2/1.3 are absent or greyed, that's the fix target.
  2. Enable TLS 1.2 and 1.3, disable 1.0/1.1Nginx: `ssl_protocols TLSv1.2 TLSv1.3;`. Apache: `SSLProtocol -all +TLSv1.2 +TLSv1.3`. IIS: set the protocol keys under `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols` (or use IISCrypto). Reload the service after.
  3. Update the TLS library if 1.2 isn't even availableOn an old box, OpenSSL may be too old to offer TLS 1.2. Upgrade OpenSSL (1.0.1+ minimum, ideally 1.1.1+ for TLS 1.3) and the web server linked against it. On end-of-life OSes this often means upgrading the OS.
  4. Fix it at the edge if you can't touch the originPut the legacy app behind a modern reverse proxy or CDN (Cloudflare, nginx, an ALB) that terminates TLS 1.2/1.3 to the browser. The browser only ever sees the modern front, so the warning disappears.
  5. Adopt Mozilla's recommended configGenerate a known-good config from Mozilla's SSL Configuration Generator (the "Intermediate" profile) for your exact server and version instead of hand-rolling protocol lines. Re-test on SSL Labs and aim for an A.

Stop it recurring

Pin servers to TLS 1.2+ in your baseline config and re-scan with SSL Labs whenever you stand up a new host or appliance.

Related errors

ERR_SSL_VERSION_INTERFERENCE (TLS 1.3 handshake interference)

medium

Something in the network path is mangling Chrome's TLS 1.3 handshake, usually an antivirus HTTPS scanner, VPN, or buggy middlebox.

NET::ERR_CERT_AUTHORITY_INVALID (untrusted / self-signed CA)

high

Chrome can't build a trust path from the site's certificate to a root it trusts, so it blocks the page.

SSL Certificate Expired

critical

An expired SSL certificate triggers a full-page "Your connection is not private" warning that blocks every visitor.

Mixed Content Warning

medium

Mixed content is an HTTPS page loading some resources over insecure HTTP — it breaks the padlock and blocks assets.