How to Fix ERR_SSL_VERSION_OR_CIPHER_MISMATCH

May 30, 2024

Home » SysAdmin » How to Fix ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Introduction

The ERR_SSL_VERSION_OR_CIPHER_MISMATCH error prevents visitors from accessing a website and may indicate an SSL certificate issue.

Whether you manage a website or visit one, resolving this SSL error is essential for maintaining a consistent and seamless online experience.

Learn how to fix ERR_SSL_VERSION_OR_CIPHER_MISMATCH and ensure your website or the site you are visiting is secure and accessible.

What Is ERR_SSL_VERSION_OR_CIPHER_MISMATCH?

The ERR_SSL_VERSION_OR_CIPHER_MISMATCH error is displayed by the web browser when the SSL/TLS handshake between the user's browser and the server hosting the website fails.

This indicates that the browser and the server are not compatible because they do not support a common SSL protocol version or cipher suite.

An example of the SSL, cypher mismatch error.

As a result, a secure connection between the browser and the web server cannot be established.

What Causes ERR_SSL_VERSION_OR_CIPHER_MISMATCH?

Potential causes of the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error include:

An invalid SSL certificate. The certificate may be expired or contain incorrect or incomplete domain names, IP addresses, or certificate chains.
Server configuration issues. The server might be configured to support only older, deprecated SSL and TLS versions or outdated cipher suites, which are not supported by modern browsers.
Outdated client software. Outdated browsers or operating systems lack support for modern SSL/TLS protocols and cipher suites required by the server.
Network device settings. Devices like load balancers or firewalls can trigger this error by enforcing obsolete SSL/TLS protocols or cipher suites.

Fixing this mismatch is a priority for website owners. It poses a security risk and exposes systems and website visitors to potential cyber attacks.

How to Fix ERR_SSL_VERSION_OR_CIPHER_MISMATCH as Website Owner

As a developer or webmaster, you might receive reports of users encountering this error while trying to access your website. The error may also appear in the Apache error logs.

There are several free online tools that can help you examine the state of your certificates and encryption. They can perform an analysis of any public webserver's SSL configuration.

Popular SSL verification tools include:

These tools test various areas and check if the SSL certificate is installed correctly and securely. You can simply enter your domain name and receive quick feedback.

If errors are found, reports will highlight sections that need attention, including issues with weak cipher suites, expired certificates, or protocol mismatches.

Checking SSL certificate in Qualys SSL checker tool.

Depending on the issue, you may need to:

Renew or replace SSL certificates.
Update server SSL/TLS configurations to meet modern standards.
Enable all recommended cryptographic protocols.

Note: Most resolution steps require assistance from your hosting provider, especially if you are not familiar with server management. Contact them for support in updating your configurations.

1. Check Certificate Validity

Use an SSL verification tool to confirm the validity dates on the certificate and ensure it is current. If the certificate details are incorrect or the certificate has expired, renew or purchase a new SSL/TLS certificate from a reputable certificate authority, such as DigiCert or Let's Encrypt.

SSL certificate validity dates displayed in SSL checker tool.

Install the new certificate on your server, and then use the same verification tool to confirm that the installation was successful and the certificate is functioning correctly.

2. Certificate Name Does Not Match

The website name and the name on the certificate must match. Discrepancies can occur when:

The domain points to an IP address it no longer uses, and this IP is now associated with another website.
The site has a domain name alias not included in the certificate.
Your website uses a CDN (Content Delivery Network), and the CDN’s configuration does not correctly include the domain under its SSL/TLS certificate.

Use an SSL verification tool to check if domain names on the certificate match the URL accessed in the browser. If they do not match, update the certificate to include all relevant domain variants and aliases.

If you host multiple domains on a single IP address, the hosting configuration must support SNI (Server Name Indication). This is also essential in shared hosting environments.

3. Update TLS Version

Modern browsers are configured to use the latest TLS 1.3 protocol by default. If your server does not support this version, you may encounter the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error.

To enable TLS 1.3, update server configuration files directly or adjust settings through your hosting provider's control panel.

On Apache servers, the relevant ssl.conf file is usually located in the /etc/apache2/mods-enabled/ directory.

Note: Apache version 2.4.36 or newer is required for TLS 1.3 support.

The following example shows how to edit the ssl.conf file in Ubuntu 22.04.

Log into your server via SSH and use a command line text editor, like nano, to modify the file:

sudo nano /etc/apache2/mods-enabled/ssl.conf

Add or update the following directive in the configuration file:

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

Disabling old TLS versions in ssl.conf file.

This directive disables older (TLS 1.0 and TLS 1.1) versions and allows only TLS 1.2 and TLS 1.3.

After making these changes, save the file and restart Apache to apply the new configuration.

4. Disable RC4 Cipher Suite

RC4 is an outdated and insecure encryption algorithm. It was once commonly used to encrypt traffic, and some organizations still use it for legacy applications. However, most modern browsers do not support it.

If your server still uses RC4, update its configuration to disable RC4 and enable stronger cipher suites that comply with TLS 1.3 standards. To exclude RC4, you can either adjust the cipher suite settings in the SSL/TLS section of your hosting provider's control panel or directly modify your server's configuration file.

To disable RC4 in the Apache ssl.conf file, access your server and open the file using a text editor:

sudo nano /etc/apache2/mods-enabled/ssl.conf

Locate the line that defines the SSLCipherSuite directive and add :!RC4 to explicitly exclude RC4. For example, the directive might look like this:

SSLCipherSuite HIGH:!aNULL:!MD5:!RC4

This configuration ensures that RC4 is not used while allowing other strong ciphers.

Changing the SSL cipher suite in Apache ssl.conf file.

Restart the Apache server to apply the changes.

How to Fix ERR_SSL_VERSION_OR_CIPHER_MISMATCH as Visitor

The ERR_SSL_VERSION_OR_CIPHER_MISMATCH error may indicate that the browser does not support server SSL/TLS standards. Refer to the sections below for available troubleshooting steps.

1. Connect with a Different Device

To determine if the issue is specific to your computer, try accessing the website from another device, preferably one with a different or more recent operating system.

If the website loads without an error on another device, begin troubleshooting on your original device using the suggestions below.

2. Clear Cache and Cookies on Your Browser

Clearing the browser's cache and cookies can sometimes resolve issues related to SSL certificates. Most browsers allow quick access to clearing options via hotkeys.

On Windows and Linux systems, pressing CTRL+SHIFT+DELETE opens the cache-clearing options. In the dialog box, you can select the timeframe for which you want to clear data. For example, select Everything to clear the cache completely.

Clear cache to fix SSL certificate error in browser.

Clearing all checkboxes will remove saved logins, browsing history, and other data. If you want to keep sensitive data like saved passwords, ensure these options are unchecked.

Note: Use the Command+Option+E shortcut to clear the cache in Safari. Be careful when using this option, as the shortcut clears the cache immediately without opening a dialog box.

3. Update or Change Web Browser

Modern browsers are designed to update automatically on restart. If your browser did not update, you can manually initiate an update.

To check and update your browser's version, open the Help menu and navigate to the About section.

Updating Firefox through About section in order to fix ERR_SSL_VERSION_OR_CIPHER_MISMATCH error.

Once the update is complete, try accessing the website again to see if the issue has been resolved.

Sometimes, the issue might be specific to the browser's implementation of SSL/TLS protocols. If updating doesn't resolve the issue, try using a different browser to bypass the error, as the alternate browser might handle protocols differently.

4. Clear SSL State

Clearing the SSL state removes outdated or corrupted cache entries that contain invalid SSL information. The browser can start a new SSL connection negotiation without previous errors affecting the process.

Note: Browsers and OSes are becoming increasingly integrated, and the need to manually clear SSL states is rare. If you encounter SSL errors frequently, consider updating your browser.

For example, to clear the SSL state on Windows:

1. Search for the Internet Options app in the Windows Start menu.

2. Navigate to the Content tab and click Clear SSL state.

3. A message stating The SSL cache was successfully cleared confirms the action was completed.

After clearing the SSL state, try reloading the page that caused the error to determine if the issue has been resolved.

How to Bypass ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Bypassing the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error as a visitor is a significant security risk. If you are aware of the risks and need temporary access to a site you trust, there are a few ways you could bypass this error.

Note: A better course of action is to contact the website's administrator to report the issue so they can update their SSL/TLS configurations.

1. Use a VPN

SSL/TLS restrictions imposed by your local network or ISP can sometimes trigger errors due to security concerns. A VPN allows you to route connections through a server that is not subject to these restrictions and bypass them.

2. Disable SSL/TLS Protocol Filtering in Antivirus or Security Software

Antiviruses and security programs include features that filter or scan SSL/TLS protocols. You can temporarily disable these features and check if it resolves the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error.

However, keep in mind that these filters are designed to protect your system. Disabling them can expose sensitive data to malicious attacks.

3. Ignore the Warning (Not Recommended)

Some browsers allow users to proceed to a website despite displaying a security warning about an invalid SSL certificate. To bypass the warning, visitors can select Advanced and then Proceed to website if they trust the website and have independently confirmed its safety.

Conclusion

You have covered the most common causes and solutions for the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error, addressing potential issues on both the server and client sides.

Additionally, learn about resolving other SSL errors, such as NET::ERR_CERT_AUTHORITY_INVALID and ERR_SSL_PROTOCOL_ERROR.

Was this article helpful?

YesNo

X (Twitter) Facebook LinkedIn Email

Vladimir Kaplarevic

Vladimir is a resident Tech Writer at phoenixNAP. He has more than 7 years of experience in implementing e-commerce and online payment solutions with various global IT services providers. His articles aim to instill a passion for innovative technologies in others by providing practical advice and using an engaging writing style.

Next you should read