Fix ERR_SSL_VERSION_OR_CIPHER_MISMATCH


The “ERR_SSL_VERSION_OR_CIPHER_MISMATCH” error appears when you try to access a secure website but the browser fails to create a secure connection. This error relates to the Secure Sockets Layer (SSL) and suggests that something is wrong with the SSL or the combination of protocols that are used to encrypt the connection.

This article lists the potential causes of this error and the effective solutions to deal with the “ERR_SSL_VERSION_OR_CIPHER_MISMATCH”.

Content

Causes of ERR_SSL_VERSION_OR_CIPHER_MISMATCH

How to Fix ERR_SSL_VERSION_OR_CIPHER_MISMATCH

As Website Administrators

As End Users

Conclusion

Causes of ERR_SSL_VERSION_OR_CIPHER_MISMATCH Error

The ERR_SSL_VERSION_OR_CIPHER_MISMATCH error prevents the secure transmission of data, causing issues for both site visitors and owners. It occurs when a site fails to establish a secure connection due to a mismatch of SSL versions or incompatible cipher suites.

The error looks as shown below:

Common causes of the error are listed below:

Expired or Incorrect SSL Certificate

This certificate is a digital shield that locks and protects info shared between a website and its users, ensuring security against cyber threats. If the website’s SSL certificate is either expired or doesn’t match the website’s domain name, the browser will show this error.

Old or Incompatible SSL/TLS Protocols

If a website uses an old version of SSL or TLS, such as SSL 3.0 or TLS 1.0, modern browsers might not support it, causing this error.

Cache Issues or Browser Problems

Sometimes, the browser stores old SSL information that doesn’t match the current website settings, leading to this error.

Antivirus or Firewall Problems

Some antivirus or firewall software might block secure connections due to incorrect settings, causing this error.

Wrong Server or CDN Settings

If the server or content delivery network is not set up correctly with SSL, it can stop the browser from connecting properly.

Network Device Settings

Sometimes, firewalls may cause this issue by forcing the use of outdated SSL/TLS protocols or security settings.

How to Fix ERR_SSL_VERSION_OR_CIPHER_MISMATCH

The ERR_SSL_VERSION_OR_CIPHER_MISMATCH error occurs when the SSL/TLS protocols or cipher suites of the two sides are not compatible. Whether you’re a website owner or a user facing this issue, here’s how to fix this error:

As Website Administrators

Those who own the website or have administrative access to it will know that the error usually comes from the server itself. Here’s how to fix it.

Check SSL Certificate

An expired SSL certificate or an SSL certificate that is not correctly configured can cause this type of error. To fix this error, make sure your SSL certificate is issued by a reputable Certificate Authority and has not expired.

For example, evaluate the certificate status with a free tool such as SSL Labs’ SSL Test. In its interface, specify the website name, e.g., linuxgenie.net, and press the Submit button:

This tool provides information about your certificate, including whether it has expired, been configured incorrectly, or lacks intermediate certificates.

The output shows the summary of the website, including the Overall Rating, which is B. Furthermore, this tool provides scores between 1 and 100 for Cipher Strength, Key Exchange, Protocol Support, and Certificate:

Ensure Server Supports TLS 1.2 or Higher Versions

Most browsers use TLS 1.2 or higher; ensure that your server is compatible with these versions. Avoid changing server settings to less secure versions, such as TLS 1.0 or 1.1. These older versions are no longer in use and cause more compatibility issues.

For instance, check the TLS versions in the Protocols section using the SSL Labs’ SSL Test tool:

All major web browsers now come with TLS 1.3 built in and turned on by default. If your browser is outdated, enable TLS 1.3 manually.

To enable the protocol in Google Chrome versions, follow the procedures below:

In the address bar, input chrome://flags and hit Enter. After that, type TLS in the search field and hit Enter. Finally, find the option TLS 1.3 Early Data and set it to Enabled:

After that, restart the Chrome browser and revisit the particular website that caused the error.

For Apache servers, the required configuration file is located in the /etc/apache2/sites-available/ directory, named default-ssl.conf.

Here’s how you can update the settings on Ubuntu:

Access your server through SSH and open the default-ssl.conf file with a text editor (such as Nano):

sudo nano /etc/apache2/sites-available/default-ssl.conf

Next, insert or modify the following line in the file. It disables old versions of TLS (1.0 and 1.1) and enables only TLS 1.2 and TLS 1.3:

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

Save the file and restart the Apache services to apply the changes. Your server will now support TLS 1.3, and the error will be fixed.

Note: You need Apache version 2.4.36 or higher to support TLS 1.3.
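
The effect of an SSLProtocol line can be checked offline before Apache is restarted. The following Python code is an added example, not part of the original article or of Apache: it models the directive's +/- syntax, assuming that "all" expands to SSLv3 through TLSv1.3 and that a bare protocol name replaces the set built so far, and reports whether a browser that offers only TLS 1.2 and 1.3 (also an assumption) would still share a version with the server. The second directive in the demo is a constructed legacy configuration.

```python
# Added example (not from the article): model of Apache's SSLProtocol syntax.
ALL = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]  # assumed meaning of "all"
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}
BROWSER_OFFERS = {"TLSv1.2", "TLSv1.3"}  # assumption: what a current browser offers


def enabled_protocols(directive):
    """Return the set of protocol versions left enabled by one directive line."""
    tokens = directive.split()
    if len(tokens) < 2 or tokens[0].lower() != "sslprotocol":
        raise ValueError("expected: SSLProtocol [+|-]protocol ...")
    enabled = set()
    for tok in tokens[1:]:
        sign = tok[0] if tok[0] in "+-" else ""
        name = tok[len(sign):].lower()
        group = set(ALL) if name == "all" else {p for p in ALL if p.lower() == name}
        if not group:
            raise ValueError(f"unknown protocol {tok!r}")
        if sign == "-":
            enabled -= group      # "-TLSv1" removes a version
        elif sign == "+":
            enabled |= group      # "+TLSv1.2" adds a version
        else:
            enabled = group       # bare name replaces everything before it
    return enabled


def audit(directive):
    """Summarise the directive: enabled versions, legacy ones, browser overlap."""
    enabled = enabled_protocols(directive)
    return {
        "enabled": sorted(enabled, key=ALL.index),
        "legacy": sorted(enabled & LEGACY, key=ALL.index),
        # No common version means the handshake fails with a version mismatch.
        "browser_can_connect": bool(enabled & BROWSER_OFFERS),
    }


if __name__ == "__main__":
    for line in ("SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1",  # line from the article
                 "SSLProtocol TLSv1 +TLSv1.1"):             # constructed legacy config
        print(line, "->", audit(line))
```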

Check SSL/TLS Certificate Validity

If the certificate has expired or contains inaccurate information, you can renew it or acquire a new SSL/TLS certificate from a trustworthy certificate authority like DigiCert or Let’s Encrypt.

For instance, use the SSL Labs’ SSL Test tool to check the certificate’s validity dates in the Valid from and Valid until fields and ensure it has not expired:

Remove RC4 Cipher Suite

RC4 is a stream cipher used for SSL/TLS encryption. However, it is not considered secure, and it is not compatible with the latest browsers. If your website’s certificate includes it, most visitors will see an error since their browsers view the connection as unsafe.

Let’s use the same tool to determine whether your SSL certificate uses the RC4 cipher suite. Navigate to the Protocol Details portion and check the RC4 status. Your website’s RC4 status can be Yes (RC4 is in use) or No (RC4 is not used).

If RC4 is being used (Yes), edit the server settings. On an Apache web server, for example, open the default-ssl.conf file using a text editor:

sudo nano /etc/apache2/sites-available/default-ssl.conf

Inside the default-ssl.conf file, there’s a line that controls which encryption methods are allowed. Add the line below, which specifies that RC4 is not allowed:

SSLCipherSuite HIGH:!aNULL:!MD5:!RC4

The above line changes the server settings to disable support for RC4, along with anonymous (aNULL) and MD5-based cipher suites. After you’ve made this change, you must restart your Apache server so that it uses the new settings you just implemented.
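
To see which suites a cipher string such as HIGH:!aNULL:!MD5:!RC4 actually selects, it can be expanded with the OpenSSL library on the local machine. The Python code below is an added example, not part of the original article: it uses the standard ssl module, flags any RC4, MD5 or anonymous suite that survives the filter, lists suites that use static RSA key exchange, and reports whether the three recommended suites from the "Change Cipher Suites" section are among the selected ones. The exact list depends on the local OpenSSL build, which may differ from the one Apache uses on the server.

```python
# Added example (not from the article): expand an OpenSSL cipher string locally.
import ssl

# The article's recommended suites, with their OpenSSL names (IANA -> OpenSSL).
RECOMMENDED = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-RSA-CHACHA20-POLY1305",
}


def audit_cipher_string(cipher_string):
    """Expand cipher_string with the local OpenSSL and classify the result."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing is selected
    suites = ctx.get_ciphers()      # TLS 1.3 suites are always listed as well
    names = [s["name"] for s in suites]
    weak = [s["name"] for s in suites
            if "RC4" in s["name"] or "MD5" in s["name"]
            or "Au=None" in s["description"]]       # anonymous (aNULL) suites
    static_rsa = [s["name"] for s in suites
                  if "Kx=RSA" in s["description"]]  # no forward secrecy
    return {
        "total": len(names),
        "weak": weak,
        "static_rsa": static_rsa,
        "recommended": {iana: ossl in names for iana, ossl in RECOMMENDED.items()},
    }


if __name__ == "__main__":
    report = audit_cipher_string("HIGH:!aNULL:!MD5:!RC4")  # string from the article
    print("suites selected:", report["total"])
    print("weak suites still allowed:", report["weak"])
    print("static-RSA suites still allowed:", report["static_rsa"])
    for iana, present in report["recommended"].items():
        print(("present " if present else "missing "), iana)
```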

Look for Certificates that Have Mismatched Hostnames

Sometimes, users make mistakes when typing their domain names into the SSL certificate. A mismatch between the certificate and a domain, such as www.linuxgenie.com or linuxgenie.com, will raise this error in the browser when trying to visit the website:

To fix it, ensure that the SSL certificate applied covers all variations of the domain name (for example, www and non-www). In addition, manage wildcard certificates or set up appropriate SAN (Subject Alternative Name) records in the certificate.
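
The www and non-www cases can be checked against a certificate's SAN list before the certificate is installed. The Python code below is an added example, not part of the original article: it applies the usual matching rules (case-insensitive comparison, a wildcard only as the whole leftmost label, and a wildcard covering exactly one label) to constructed SAN lists for the two hostnames mentioned above.

```python
# Added example (not from the article): which hostnames does a SAN list cover?

def san_matches(pattern, hostname):
    """True if one SAN dNSName entry covers the hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more or fewer labels
    if p[0] == "*":
        # Require at least two literal labels after the wildcard ("*.com" is refused).
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def uncovered(hostnames, sans):
    """Hostnames that would fail the name check for a certificate with these SANs."""
    return [h for h in hostnames if not any(san_matches(s, h) for s in sans)]


def coverage_report(hostnames, certificates):
    """Map each (constructed) certificate label to the hostnames it leaves uncovered."""
    return {label: uncovered(hostnames, sans) for label, sans in certificates.items()}


# Hostnames from the article; the SAN lists are constructed sample data.
SITE = ["linuxgenie.com", "www.linuxgenie.com"]
CERTS = {
    "apex only": ["linuxgenie.com"],
    "wildcard only": ["*.linuxgenie.com"],
    "apex + wildcard": ["linuxgenie.com", "*.linuxgenie.com"],
}

if __name__ == "__main__":
    for label, missing in coverage_report(SITE, CERTS).items():
        print(f"{label:16} uncovered: {missing or 'none'}")
```

A wildcard entry alone leaves the bare domain uncovered, which is why certificates for a site served on both names normally list both.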

You can find the SAN under the Security tab within browser developer tools (like Chrome DevTools or Firefox Developer Tools). After that, inspect the certificate details of the website you’re visiting:


Change Cipher Suites

Make sure your server supports modern cipher suites. The recommended Cipher Suites:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

In the Cipher Suites section, you can verify whether the server supports modern cipher suites or not:

Fix CDN, Proxy, or Reverse Proxy Issues

Poor configuration while using a CDN (for example, Cloudflare) or reverse proxy might result in SSL conflicts. The solution is to inspect the CDN settings related to SSL.

Ensure that the Encryption Mode of SSL/TLS is set to Full. If the origin server’s certificate is valid, this will fix the problem.

Renew / Reinstall SSL Certificate

A certificate that is misconfigured or damaged will need to be replaced or renewed. To do so, create a CSR (Certificate Signing Request) and follow the instructions from your hosting provider to reinstall the certificate.

Contact the Hosting Provider or the SSL Certificate Issuer

If everything that could be tried has been attempted, get in touch with your hosting service or the company that issued your SSL certificate.

To see if there’s a domain name issue with the certificate, right-click on the website and select “Inspect.” Then click on “View certificate” under the Security tab. The issued domain name will be displayed in the certificate information:

Fixing as End Users

If this error appears while attempting to access a website, here are some solutions you can take:

Update Your Browser

Older browsers may lack support for TLS 1.3, so an outdated browser may be the problem.

To fix the error, update your browser to its most recent version. For example, in Google Chrome, click the three dots in the corner, then choose the Help option. Open About Google Chrome, which automatically checks for updates:

Clear SSL State

Cached SSL certificates can cause this error. To fix it, clear the SSL state from your browser.

In Windows, you can clear the SSL state to erase cached SSL certificates. To do this, open Windows, navigate to the Control Panel, choose Network and Internet, select Internet Properties, and then go to the Content tab. Lastly, select the Clear SSL State button:

Clear Browser Cache And Cookies

Caches and cookies can be problematic for SSL certificates because cached data can conflict with the SSL certificate data. To prevent this issue, delete your browser’s cache and cookies before refreshing the website.

In Chrome, select the three-dot menu located on the right, then Delete browsing data, and finally select Browsing history, Cookies and other site data, and Cached images and files, then hit the Delete data button:

Check Date and Time Settings

If your date and time are configured incorrectly, SSL certificate validation will be blocked. The solution is to check that your system clock is correct.

For Windows users, right-click on the date/time that is displayed on your taskbar > Adjust date/time > turn on the Set time automatically toggle:

If you are using macOS, find System Preferences > Date & Time and click the Set date and time automatically button.

Disable QUIC Protocol (For Chrome Users)

You may experience SSL errors because QUIC is considered an experimental protocol.

To fix the error, turn QUIC off in Chrome. For this, go to the address bar and type in “chrome://flags/#enable-quic”. Then, set it to Disabled. Finally, restart Chrome:

Try a Different Browser or Device

If it still doesn’t work, the webpage may be corrupted on that specific browser or the network. Try the following:

  • Open/Access the webpage using a different browser.
  • To rule out any hardware problems, access the webpage using another device or another network.

Check Your Antivirus or Firewall Settings

Some SSL connections might be affected by specific antivirus software and firewalls. The solution is to go into your antivirus settings and disable SSL scanning options.

For Windows users, here’s how you can temporarily turn off the antivirus and firewall:

Go to Settings > Privacy & Security > Windows Security. Then, select Virus & Threat Protection and hit Manage settings:

Turn off Real-time protection and select Yes to confirm:

Using A VPN

Some SSL errors may result from network constraints. A VPN can solve these issues by hiding the network location and removing the constraints placed on the website.

Bypass the Warning (Not Advisable)

You can access the site by ignoring the warning; however, you do so at your own risk, as it can endanger your data. Ignore the warning only if you’re completely sure the site is safe.

Website owners and their visitors can resolve the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error using these solutions.

Conclusion

The message “ERR_SSL_VERSION_OR_CIPHER_MISMATCH” can appear for many reasons, including users with out-of-date browsers, servers using the wrong configuration, hardware malfunction, etc. The best way to avoid this error is to keep your browsers up to date, ensure the server accepts new protocols, and issue valid SSL certificates. Using the above solutions allows both end users and website administrators to fix the issue successfully. If your problems persist even after these solutions, reach out to your hosting service or SSL provider for more help.
