The protocol_version alert (TLS alert code 70) is sent when the server does not support the TLS protocol version that the client attempted to negotiate. In TLS 1.2, this happens when the client's ClientHello specifies a version that the server considers too old or not recognized. In TLS 1.3, the supported_versions extension is used instead, and a server that only supports TLS 1.3 will reject clients that only offer TLS 1.2 or earlier. This alert is becoming more common as servers phase out support for TLS 1.0 and 1.1, and as clients drop SSLv3 and older protocols.
The client's TLS library only supports TLS 1.0 or TLS 1.1, and the server requires TLS 1.2 or higher. This happens with old operating systems, embedded devices, or legacy applications that have not been updated.
Some servers are configured to only accept TLS 1.3 connections. Clients that do not support TLS 1.3 (older versions of curl, Java 8 without patches, Python 2.x) will receive this alert.
The server's TLS configuration accidentally excludes commonly needed protocol versions. For example, ssl_protocols is set to only TLSv1.3 in Nginx while many clients still require TLS 1.2.
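The version negotiation and the mismatch cases described above, as an added example (not code from the original page): a Python parser that reads the legacy version and the supported_versions extension from a ClientHello record, then applies the server-side selection rule and returns alert code 70 when no version is shared. The function names, the build_hello sample builder, and the assumption of a single well-formed, unfragmented record are this example's own.

```python
import struct

# Wire codes for protocol versions; 70 is the protocol_version alert description.
NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
PROTOCOL_VERSION_ALERT = 70

def u16(buf, pos):
    return struct.unpack_from("!H", buf, pos)[0]

def client_offer(record):
    """Return (legacy_version, supported_versions or None) from a ClientHello record."""
    if record[0] != 22 or record[5] != 1:
        raise ValueError("not a ClientHello handshake record")
    legacy = u16(record, 9)            # after 5-byte record + 4-byte handshake headers
    p = 9 + 2 + 32                     # skip legacy_version and random
    p += 1 + record[p]                 # session_id
    p += 2 + u16(record, p)            # cipher_suites
    p += 1 + record[p]                 # compression_methods
    if p >= len(record):
        return legacy, None            # no extensions block at all
    end = p + 2 + u16(record, p)
    p += 2
    while p + 4 <= end:
        ext_type, ext_len = u16(record, p), u16(record, p + 2)
        if ext_type == 43:             # supported_versions
            body = record[p + 4:p + 4 + ext_len]
            return legacy, [u16(body, i) for i in range(1, 1 + body[0], 2)]
        p += 4 + ext_len
    return legacy, None

def negotiate(record, server_versions):
    """Return the version name the server selects, or the alert code it sends."""
    legacy, offered = client_offer(record)
    if offered is None:                # pre-1.3 client: legacy_version is its maximum
        usable = [v for v in server_versions if v <= min(legacy, 0x0303)]
    else:                              # TLS 1.3-aware client: explicit list
        usable = [v for v in server_versions if v in offered]
    return NAMES[max(usable)] if usable else PROTOCOL_VERSION_ALERT

def build_hello(legacy, versions=None):
    """Constructed sample input: a minimal ClientHello record for the demo."""
    ext = b""
    if versions:
        lst = b"".join(struct.pack("!H", v) for v in versions)
        inner = struct.pack("!HHB", 43, len(lst) + 1, len(lst)) + lst
        ext = struct.pack("!H", len(inner)) + inner
    body = struct.pack("!H", legacy) + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00" + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

For instance, negotiate(build_hello(0x0303), [0x0304]) models a TLS 1.2-only client reaching a TLS 1.3-only server and returns 70.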
Try connecting with each TLS version individually to determine which ones the server accepts and which ones it rejects.
echo | openssl s_client -connect yourdomain.com:443 -tls1_2 2>&1 | head -5 && echo '---' && echo | openssl s_client -connect yourdomain.com:443 -tls1_3 2>&1 | head -5
Configure the server to support both TLS 1.2 and TLS 1.3 for maximum compatibility. This is the recommended configuration for most production servers.
# Nginx:
ssl_protocols TLSv1.2 TLSv1.3;
# Apache:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
If the client is using an outdated TLS library, update it to a version that supports TLS 1.2 or 1.3. For programming languages, update the runtime (Java, Python, Node.js, etc.) to a recent version.
openssl version
Verify port 443 is open and the server is reachable before investigating protocol version issues.
The browser and server could not agree on a supported SSL/TLS version or cipher suite.
The browser could not establish a secure connection because the SSL/TLS protocol negotiation failed.
The TLS handshake could not be completed because the client and server failed to negotiate acceptable security parameters.
The server rejected the cipher suites offered by the client because they do not meet minimum security requirements.