
Updated 10 hours ago

Before any encryption can happen, client and server must agree on how to encrypt. They need to pick a TLS version (1.2 or 1.3) and a cipher suite (the specific algorithms for encryption and authentication).

ERR_SSL_VERSION_OR_CIPHER_MISMATCH means they couldn't agree. The connection dies before it starts—not because anything is broken, but because they're speaking different languages.

The Handshake That Failed

Every TLS connection begins with negotiation. The client sends a list: "I speak TLS 1.2 and 1.3, and I know these cipher suites." The server picks one version and one cipher suite from that list.

This error appears when the intersection is empty. The server looks at the client's list, compares it to its own capabilities, and finds nothing in common.

Why This Happens Now

In March 2020, browsers stopped speaking the old dialects. Servers that hadn't learned the new ones went silent.

Chrome, Firefox, Safari, and Edge all dropped support for TLS 1.0 and 1.1 that month. These protocols had known weaknesses. The industry decided to stop using them.

Servers still configured for only TLS 1.0 or 1.1 became unreachable from any modern browser overnight. Many administrators discovered this the hard way.

The Usual Suspects

Server stuck on old TLS versions. The server only offers TLS 1.0 or 1.1. Modern browsers require 1.2 minimum. No overlap, no connection.

Cipher suite mismatch. Rarer, but possible. A server configured with only ECDHE cipher suites won't connect to a client that only supports RSA key exchange. Or a security-hardened client rejects everything the server offers.

Ancient OpenSSL. The server's TLS capabilities depend on its OpenSSL version. Pre-1.0.1 can't do TLS 1.2. Pre-1.1.1 can't do TLS 1.3. If openssl version shows 0.9.8 or 1.0.0, that's your problem.

Configuration accident. Someone disabled all cipher suites or TLS versions by mistake. The server offers nothing.
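The negotiation described under "The Handshake That Failed", run against the causes listed above, as an added example that is not code from the original page. Endpoint, negotiate and the sample endpoints are hypothetical names with constructed values, and the model is simplified to one cipher list per endpoint.

```python
# Added example: simplified model of TLS parameter negotiation.
# Endpoint and negotiate are hypothetical names, not a real TLS library API.
# Simplification: one cipher list per endpoint; real TLS 1.3 has its own suite list.
from dataclasses import dataclass, field

VERSION_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

@dataclass
class Endpoint:
    versions: set                                 # protocol versions offered
    ciphers: list = field(default_factory=list)   # suites, in preference order

def negotiate(client, server, prefer_server_ciphers=True):
    """Return (status, version, cipher); status names the step that failed."""
    shared_versions = client.versions & server.versions
    if not shared_versions:
        return ("version_mismatch", None, None)
    version = max(shared_versions, key=VERSION_ORDER.index)
    # ssl_prefer_server_ciphers / SSLHonorCipherOrder decide whose order wins.
    chooser, other = (server, client) if prefer_server_ciphers else (client, server)
    for suite in chooser.ciphers:
        if suite in other.ciphers:
            return ("ok", version, suite)
    return ("cipher_mismatch", version, None)

# Constructed sample endpoints mirroring the causes listed above.
BROWSER = Endpoint({"TLSv1.2", "TLSv1.3"},
                   ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
                    "ECDHE-RSA-CHACHA20-POLY1305"])
RSA_ONLY_CLIENT = Endpoint({"TLSv1.2"}, ["AES128-GCM-SHA256", "AES256-GCM-SHA384"])
LEGACY_SERVER = Endpoint({"TLSv1", "TLSv1.1"}, ["AES128-SHA", "ECDHE-RSA-AES128-SHA"])
ECDHE_SERVER = Endpoint({"TLSv1.2"},
                        ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-CHACHA20-POLY1305",
                         "ECDHE-RSA-AES128-GCM-SHA256"])
EMPTY_SERVER = Endpoint({"TLSv1.2"}, [])   # the "configuration accident"

if __name__ == "__main__":
    cases = [("browser vs legacy server", BROWSER, LEGACY_SERVER),
             ("RSA-only client vs ECDHE-only server", RSA_ONLY_CLIENT, ECDHE_SERVER),
             ("browser vs server with no ciphers", BROWSER, EMPTY_SERVER),
             ("browser vs ECDHE server", BROWSER, ECDHE_SERVER)]
    for name, client, server in cases:
        print(f"{name}: {negotiate(client, server)}")
```

The first three cases fail at different steps but surface in the browser as the same error, which is why the diagnosis steps below test versions and ciphers separately.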

Diagnose It

Test with OpenSSL from any machine:

openssl s_client -connect example.com:443 -tls1_2
openssl s_client -connect example.com:443 -tls1_3

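If both fail, the server doesn't support modern TLS. The -tls1_3 option only exists in OpenSSL 1.1.1 and later, so check the testing machine's own openssl version before reading a failure there as the server's fault.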

Run SSL Labs (ssllabs.com/ssltest). It shows exactly which TLS versions and cipher suites the server supports, and flags configuration problems.

If Firefox connects but Chrome doesn't, the issue is cipher-specific. Different browsers have slightly different preferences.

Fix the Server

The fix is almost always server configuration. Enable TLS 1.2 and 1.3, disable 1.0 and 1.1, use modern cipher suites.

Nginx:

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
ssl_prefer_server_ciphers on;

Apache:

SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder on

Reload the server (not restart—reload is graceful). Test with multiple browsers. Verify with SSL Labs.

If the server's OpenSSL is ancient, configuration changes won't help. You need to update OpenSSL, which often means updating the entire operating system.

Client-Side Causes

Sometimes it's not the server:

Corporate proxies intercept HTTPS and enforce their own TLS requirements. The server is fine, but something in the middle is blocking the connection.

Antivirus HTTPS scanning can impose cipher restrictions.

Enterprise browser policies might require specific TLS versions.

Test from a different network to rule these out. If the same site works from your phone's mobile data but not your office WiFi, something on the corporate network is interfering.

The Right Configuration in 2025

For most websites:

  • Enable TLS 1.2 and TLS 1.3
  • Disable TLS 1.0 and 1.1
  • Use ECDHE cipher suites with AES-GCM or ChaCha20-Poly1305
  • Test with Chrome, Firefox, Safari, Edge, and mobile browsers

This works for 99.9% of users while maintaining strong security.

Mozilla's SSL Configuration Generator (ssl-config.mozilla.org) produces recommended configurations for different web servers. Use it instead of copying cipher strings from old blog posts.
