ERR_SSL_PROTOCOL_ERROR indicates that the browser attempted to establish a TLS connection but the protocol-level negotiation failed. This is a broad error that can be triggered by many different underlying problems: the server might not support any TLS version the browser offers, the server's SSL configuration might be corrupt, there could be a network device interfering with the TLS handshake, or the server might be sending HTTP on a port that expects HTTPS. Unlike more specific certificate errors, this error points to a fundamental failure in the TLS protocol exchange before any certificate validation occurs.
Modern browsers have dropped support for TLS 1.0 and TLS 1.1. If the server only supports these older protocols and not TLS 1.2 or 1.3, the browser and server cannot agree on a protocol version and the handshake fails.
The server's SSL configuration files may reference missing certificate files, have syntax errors, or specify invalid cipher suites. This causes the server to abort the handshake or send malformed responses.
If the server is configured to serve plain HTTP on port 443 instead of HTTPS, the browser will attempt a TLS handshake and receive an HTTP response, which it cannot interpret as TLS, causing a protocol error.
Attempt a TLS handshake to the server to see what protocol versions and ciphers it supports. If the connection fails immediately, the server may not have TLS properly configured on that port.
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com
Test specific TLS versions to identify which ones the server supports. Modern servers should support TLS 1.2 and TLS 1.3 at minimum.
openssl s_client -connect yourdomain.com:443 -tls1_2 2>&1 | head -5 && openssl s_client -connect yourdomain.com:443 -tls1_3 2>&1 | head -5
Confirm that port 443 is open and actually serving TLS content, not plain HTTP. A port scanner can verify the port is listening.
Scan PortsCheck your Nginx or Apache SSL configuration for syntax errors, missing certificate files, or deprecated protocol settings. Use the Mozilla SSL Configuration Generator for recommended settings.
nginx -t && cat /etc/nginx/sites-enabled/yourdomain.conf | grep -A5 ssl_
Corporate firewalls, antivirus software, or CDN misconfigurations can interfere with TLS handshakes. Try accessing the site from a different network to rule out network-level interference.
The browser and server could not agree on a supported SSL/TLS version or cipher suite.
The TLS handshake could not be completed because the client and server failed to negotiate acceptable security parameters.
The TLS protocol version offered by the client is not supported by the server.