ERR_SSL_VERSION_OR_CIPHER_MISMATCH appears in Chrome when your browser and the server cannot agree on a compatible SSL/TLS protocol version or encryption cipher suite during the TLS handshake. Chrome requires a minimum of TLS 1.2 and only accepts modern cipher suites. If the server offers only TLS 1.0, TLS 1.1, or obsolete ciphers like RC4 or 3DES, the handshake fails and Chrome refuses to connect to protect your data from known vulnerabilities in those older protocols.
This error is different from most browser errors because it is usually a server-side problem, not a client-side one. Chrome’s TLS requirements are non-negotiable: it will not downgrade to an insecure protocol just to load a page. The fix path depends on whether you manage the server (in which case you update the TLS configuration) or you are a visitor (in which case you have limited options and the site’s administrator needs to act).
What Causes ERR_SSL_VERSION_OR_CIPHER_MISMATCH
The most common cause is a server running an outdated TLS configuration. TLS 1.0 was deprecated by the IETF in 2021 (RFC 8996), and TLS 1.1 was deprecated at the same time. Chrome 84 dropped support for TLS 1.0 and 1.1 in 2020. Any server that only supports these versions triggers ERR_SSL_VERSION_OR_CIPHER_MISMATCH in Chrome, Edge, Firefox, and Safari, as all major browsers enforce the same minimum version.
SSL certificate issues are a second cause. Certificates signed with SHA-1 (deprecated since 2017) or using RSA keys shorter than 2048 bits trigger compatibility errors in modern browsers. Certificates issued by intermediate certificate authorities that are not properly chained can also cause mismatch errors, even if the certificate itself is valid and the TLS version is current.
CDN and proxy SSL termination is a third, less obvious cause. When a content delivery network like Cloudflare, Akamai, or Fastly sits in front of a server, it terminates the SSL connection from the client and makes a separate connection to the origin server. If the CDN’s edge configuration or the origin server’s accepted cipher suites conflict, the handshake between the CDN and origin can fail, which propagates as an SSL error to the end user.
Update Chrome to the Latest Version
Go to chrome://settings/help and install any pending updates. Chrome 124 and later enforce TLS 1.2 as a hard minimum and have updated cipher suite priorities. An outdated Chrome version may be missing support for newer cipher suites that a recently updated server now requires, or may have bugs in its TLS negotiation logic that newer versions fix.
Chrome updates automatically on most systems, but the update may be waiting for a browser restart. If Chrome shows a colored arrow icon in the top-right corner (orange for 2+ days, red for 7+ days), you have a pending update. Click the three-dot menu, select Help, then About Google Chrome to install it immediately.
Clear the SSL State Cache
Windows stores SSL session cache data that Chrome uses to speed up repeated connections to the same server. If this cache contains a session negotiated with an old TLS version or expired parameters, it causes ERR_SSL_VERSION_OR_CIPHER_MISMATCH even after the server’s TLS configuration is fixed. Open the Start menu and search for Internet Options. In the Internet Properties dialog, go to the Content tab and click Clear SSL state. Click OK and restart Chrome.
Also clear Chrome’s own internal SSL state. Go to chrome://net-internals/#hsts and in the Delete domain security policies section, enter the affected domain and click Delete. HSTS (HTTP Strict Transport Security) pinning can force Chrome to use specific TLS parameters that may no longer be compatible with the server’s current configuration.
Check the Server’s SSL Configuration
If you manage the website showing ERR_SSL_VERSION_OR_CIPHER_MISMATCH, use ssllabs.com/ssltest to run a free server SSL analysis. Enter your domain and wait for the report. The report shows your server’s supported TLS versions, cipher suites, certificate details, and an overall grade (A+ to F). An F grade indicates critical issues causing browser compatibility failures.
The most common fixes for server administrators: enable TLS 1.2 and TLS 1.3, disable TLS 1.0 and 1.1, remove RC4 and 3DES cipher suites from the server’s accepted list, and ensure your SSL certificate uses SHA-256 signing with an RSA key of at least 2048 bits or an ECDSA key of 256 bits. For Nginx, update your ssl_protocols and ssl_ciphers directives. For Apache, update the SSLProtocol and SSLCipherSuite directives in your VirtualHost configuration.
Disable QUIC Protocol
Chrome’s QUIC protocol (HTTP/3 over UDP) uses a custom TLS-based encryption layer that some server and firewall configurations handle incorrectly, producing what appears as a cipher mismatch. Navigate to chrome://flags/#enable-quic, set Experimental QUIC protocol to Disabled, and restart Chrome. This forces Chrome to use standard TLS over TCP for all connections and eliminates QUIC-related compatibility issues.
Try a Different Network
Corporate firewalls and some ISPs perform SSL inspection by intercepting your HTTPS connections and re-encrypting them with a different certificate. When this interception equipment uses outdated TLS configurations itself, it can produce ERR_SSL_VERSION_OR_CIPHER_MISMATCH between the inspection appliance and Chrome. Test the same URL on mobile data or a personal VPN. If it loads on a different network, your local network’s SSL inspection is the cause.
This is particularly common on university networks, corporate environments, and public WiFi that uses security appliances from vendors like Forcepoint, Palo Alto Networks, or Cisco Umbrella. If you cannot change the network configuration, using a VPN that handles SSL independently bypasses the intercepting appliance.
Check for Wildcard or SNI Certificate Issues
Server Name Indication (SNI) is the TLS extension that allows one server to host multiple SSL certificates for multiple domains on the same IP address. If the server’s SNI configuration is broken or the hosting environment does not properly serve the correct certificate for your specific domain (common on shared hosting), Chrome cannot match the presented certificate to the requested domain, which can manifest as a cipher or version mismatch error.
To check, use the command openssl s_client -connect yourdomain.com:443 -servername yourdomain.com from a machine with OpenSSL installed. The output shows the exact TLS version, cipher suite, and certificate being served. Compare the cipher suite against Chrome’s supported list, which is documented in the Chromium source code and updated with each major Chrome release.
Frequently Asked Questions
Why does ERR_SSL_VERSION_OR_CIPHER_MISMATCH happen on some sites and not others?
Each website runs its own TLS configuration independently. Sites that trigger ERR_SSL_VERSION_OR_CIPHER_MISMATCH have not updated their server’s TLS settings to meet Chrome’s minimum requirements (TLS 1.2, modern cipher suites). Well-maintained sites running current server software with updated TLS configurations work fine. The error is site-specific because it reflects that site’s configuration choices, not your browser or network.
Can I force Chrome to accept old TLS versions?
No. Chrome permanently removed TLS 1.0 and 1.1 support in Chrome 84 (released 2020) and there is no flag or setting to re-enable them. This is a security decision: TLS 1.0 and 1.1 are vulnerable to POODLE, BEAST, and DROWN attacks. The correct fix is for the server administrator to update the TLS configuration. If you must access a site with old TLS for testing purposes, use a specialized browser like Firefox’s Extended Support Release with its TLS version override capability.
Does ERR_SSL_VERSION_OR_CIPHER_MISMATCH mean the site is dangerous?
It means the site’s SSL configuration is outdated, which is a security risk. Older TLS versions and weak cipher suites are vulnerable to known attacks that can expose your data in transit. Chrome refuses the connection to protect you. Sites with this error should not be accessed for anything involving login credentials, payment information, or personal data until the server administrator updates the TLS configuration to current standards.
How do I fix ERR_SSL_VERSION_OR_CIPHER_MISMATCH on my own server?
Run your domain through ssllabs.com/ssltest to identify the specific issues. For Nginx: set ssl_protocols to TLSv1.2 TLSv1.3, set ssl_ciphers to a Mozilla-recommended modern cipher string, and run nginx -t before reloading. For Apache: set SSLProtocol to -All +TLSv1.2 +TLSv1.3 and update SSLCipherSuite to remove RC4 and 3DES. Restart the web server and retest with SSL Labs to confirm you achieve an A or A+ grade.
For SSL errors caused by connection resets rather than TLS mismatches, the ERR_CONNECTION_RESET guide explains how antivirus SSL inspection can terminate connections. If QUIC-related SSL errors persist after disabling the flag, the ERR_QUIC_PROTOCOL_ERROR article covers QUIC-specific SSL failures. For connection timeout errors that occur before SSL negotiation, see the ERR_TIMED_OUT guide.
