ERR_SSL_VERSION_OR_CIPHER_MISMATCH means the TLS handshake failed because the browser and server could not find a common protocol version or cipher suite to use for encryption. During the ClientHello phase of the TLS handshake, the browser sends a list of supported protocol versions and cipher suites. The server must select one that it also supports. If there is no overlap, the handshake fails. This typically happens when the server is configured with only outdated ciphers that modern browsers have removed, or when the server only supports an old TLS version that the browser no longer allows.
The server is configured with cipher suites like RC4, 3DES, or export-grade ciphers that browsers have removed for security reasons. Modern browsers require AES-GCM, ChaCha20, or similar strong ciphers.
The server only supports TLS 1.0 or TLS 1.1, which Chrome, Firefox, Edge, and Safari have all disabled by default. The server must support TLS 1.2 or TLS 1.3 for modern browsers to connect.
The server has an RSA certificate but only ECDSA cipher suites enabled, or vice versa. The cipher suite must match the type of key in the server's certificate.
Use nmap's ssl-enum-ciphers script to see exactly which TLS versions and cipher suites the server supports. This reveals whether the server has any ciphers that modern browsers accept.
nmap --script ssl-enum-ciphers -p 443 yourdomain.com
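Attempt connections with TLS 1.2 and TLS 1.3 to identify which versions the server accepts. The command below tests TLS 1.2 with an ECDHE AES-GCM cipher; repeat it with -tls1_3 in place of -tls1_2 and without the -cipher option (which only applies to TLS 1.2 and earlier) to test TLS 1.3. If both fail, the server likely only supports deprecated versions.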
openssl s_client -connect yourdomain.com:443 -tls1_2 -cipher 'ECDHE+AESGCM' 2>&1 | head -10
Use the Mozilla SSL Configuration Generator (ssl-config.mozilla.org) to generate a modern, secure SSL configuration for your web server. Apply the Intermediate or Modern profile.
# Nginx example - add to server block:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
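To read the ssl-enum-ciphers output from the first step against the version and cipher causes listed above, the following added example (not part of the original page) parses a scan report and classifies it. The function names, the sample report and the REMOVED list are assumptions made for illustration; the list covers only the ciphers this page names.

```python
import re

# Assumptions taken from the causes listed above: browsers negotiate only
# TLS 1.2/1.3 and reject suites built on RC4, 3DES or export-grade ciphers.
# Each browser's real cipher list is longer and changes between releases.
BROWSER_VERSIONS = {"TLSv1.2", "TLSv1.3"}
REMOVED = ("RC4", "3DES", "EXPORT")

# Constructed sample in the layout ssl-enum-ciphers prints; not a real host.
SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|_  least strength: C
"""

def parse(report):
    """Return {protocol version: [suite names]} from the script output."""
    offered, version = {}, None
    for line in report.splitlines():
        m = re.match(r"\|[ _]+((?:TLS|SSL)v[\d.]+):", line)
        if m:
            version = m.group(1)
            offered[version] = []
        elif version and (m := re.match(r"\|\s+(TLS_\w+)", line)):
            offered[version].append(m.group(1))
    return offered

def diagnose(report):
    """Classify the scan as 'version mismatch', 'cipher mismatch' or 'ok'."""
    offered = parse(report)
    shared = sorted(BROWSER_VERSIONS & offered.keys())
    if not shared:
        # Server speaks only versions the browser has disabled.
        return "version mismatch", sorted(offered)
    usable = [s for v in shared for s in offered[v]
              if not any(bad in s for bad in REMOVED)]
    if not usable:
        # A shared version exists, but every suite under it is a removed one.
        return "cipher mismatch", [s for v in shared for s in offered[v]]
    return "ok", usable

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

An RSA/ECDSA key type mismatch does not get its own verdict here: nmap lists only suites that completed a handshake, so that case shows up as a version with no suites or as no versions at all.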
Before investigating cipher mismatches, confirm that the HTTPS port is open and reachable from the internet.
The browser could not establish a secure connection because the SSL/TLS protocol negotiation failed.
The TLS handshake could not be completed because the client and server failed to negotiate acceptable security parameters.
The server rejected the cipher suites offered by the client because they do not meet minimum security requirements.
The TLS protocol version offered by the client is not supported by the server.