SSL certificate errors are not a pretty sight. They can pop up out of nowhere and scare your visitors off. Even experienced webmasters may scramble for quick fixes to bring the website back live.
One of the most common SSL errors is the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error. It occurs when the browser can’t establish a secure connection with the web server. You may also encounter variations of this error, such as “Error 113 (net::err_ssl_version_or_cipher_mismatch): unknown error” or “The client and server don’t support a common SSL protocol version or cipher suite”.
One of the main reasons for this error is certificate name mismatch. However, the issue may lie somewhere else. That’s why you should scan your SSL certificate with a professional tool to diagnose the exact culprit.
Thankfully, the guys from Qualys SSL Labs provide a free online service that performs a deep analysis of your SSL configuration and identifies the issue. Below you’ll find a few potential reasons that trigger this particular error:
Certificate Name Mismatch
The first thing you should check for is the Certificate Name Mismatch. It shows up in the following instances:
- The website doesn’t use SSL but shares an IP address with some other site that does.
- The website no longer exists, but the IP address points to a new or existing site with a different domain and SSL certificate.
- The site uses a content delivery network (CDN) that doesn’t support SSL.
- The domain name alias is for a website whose name is different, but the alias was not included in the certificate.
Old TLS version still in use
For the best SSL security and performance, you should use the TLS 1.2 or TLS 1.3 protocols. Most sites run on TLS 1.2, which has been around for over a decade. But as support for TLS 1.3 grows, you can also migrate to the latest version. We’ve written a quick overview of TLS 1.3, with steps on how to enable it on your server.
Deprecated RC4 Cipher Suite
According to Chrome’s documentation, a possible cause of ERR_SSL_VERSION_OR_CIPHER_MISMATCH is the now-deprecated RC4 cipher suite. It was removed in Chrome version 48 but may still appear in larger enterprise systems, which notably take longer to upgrade. You should check your server configuration and ensure that it uses a different cipher suite instead of RC4.
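The two server-side checks above (old protocol versions and RC4) can be run against a configuration file before it is deployed. The script below is an added example, not part of the original article: it assumes an nginx-style configuration using the ssl_protocols and ssl_ciphers directives, and the sample configurations and finding labels are constructed for illustration.

```python
import re

# Assumption for this example: the client only accepts the versions the
# article recommends, and never offers RC4 (Chrome removed it in version 48).
MODERN = {"TLSv1.2", "TLSv1.3"}
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def directive(conf, name):
    """Return the arguments of an nginx-style `name ...;` directive, or []."""
    m = re.search(rf"^\s*{name}\s+([^;]+);", conf, re.MULTILINE)
    return m.group(1).strip().strip("'\"").split() if m else []

def audit(conf):
    """Return a list of findings that can lead to a version or cipher mismatch."""
    findings = []
    protocols = set(directive(conf, "ssl_protocols"))
    if protocols and not protocols & MODERN:
        findings.append("no-common-protocol")
    findings += [f"legacy-protocol:{p}" for p in sorted(protocols & LEGACY)]

    # OpenSSL cipher strings are colon-separated. A leading "!" or "-" removes
    # ciphers and a leading "+" only reorders them, so none of those enable RC4.
    tokens = [t for arg in directive(conf, "ssl_ciphers") for t in arg.split(":") if t]
    enabled = [t for t in tokens if t[0] not in "!-+"]
    banned = any(t.upper() == "!RC4" for t in tokens)  # "!" wins regardless of order
    rc4 = [] if banned else [t for t in enabled if "RC4" in t.upper()]
    findings += [f"rc4-enabled:{t}" for t in rc4]
    if rc4 and len(rc4) == len(enabled):
        findings.append("no-common-cipher")  # every enabled suite is RC4
    return findings

# Constructed sample configurations (not taken from any real server).
WEAK_CONF = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers 'RC4-SHA:RC4-MD5';
}
"""
FIXED_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!RC4;
}
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, audit(conf) or "no findings")
```

Keyword tokens such as HIGH are not expanded here, so the result is a quick lint of the configuration text and a full scan of the live server is still worth running.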
The SSL State on Your Computer
Sometimes, you may face this error just on your device, while the site works just fine on other computers. If that’s the issue, start by clearing your SSL state in Chrome. The SSL state stores a cache of SSL certificates, and you can empty it just like you’d clear your browser’s cache.
- Click the Google Chrome Settings icon, and then click Settings.
- Click Show advanced settings.
- Under Network, click Change proxy settings. The Internet Properties dialog box will appear.
- Click the Content tab.
- Click “Clear SSL state”, and then click OK.
- Restart Chrome.
Chrome’s QUIC Protocol
QUIC is a new Google Protocol that makes the Web faster and more efficient. Unfortunately, sometimes it can cause unexpected errors, including the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error. To ensure that QUIC isn’t the issue, try to disable it for a while and see what happens.
- Type chrome://flags#enable-quic in the Chrome browser’s address bar and press Enter.
- Under the Experimental QUIC Protocol option, change it from Default to Disabled.
- Restart Chrome. If you still see the error, we recommend you re-enable QUIC, as something else is causing the issue.
If you have checked every step above and the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error persists, disable your antivirus program. Some antivirus programs block certain websites from loading, and you may see the SSL error as a result.