Introduction
The error ERR_SSL_VERSION_OR_CIPHER_MISMATCH occurs when a user’s browser cannot establish a secure connection with a web server that uses HTTPS and SSL. The issue may lie in the server configuration or locally on a user’s computer.
Follow the easy solutions in this guide to fix the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error.
Solutions for Website Developers
As a developer or a webmaster, you might get a report that a user encountered this error when trying to access your website. The error may also appear in your Apache error logs.
The err_ssl_version_or_cipher_mismatch error usually occurs when there’s a problem with the SSL certificate or encryption modules. There are a few server-side actions you can take to resolve this issue.
Note: SSL stands for Secure Sockets Layer, the protocol that encrypts the connection between your browser and a website. A cipher is the algorithm used to encrypt and decrypt the information.
Verify SSL Status of Website
Use a tool like the free Qualys SSL Labs Server Test. The tool examines the state of your certificates and encryption and generates a report.
This is a great place to start since the tool tests several different areas at once. If you have errors, the report highlights the sections that need attention.
Another way to check the SSL certificate status is to navigate to your website and click the padlock in the address bar.
This method should be used only for a quick reference. We recommend using a dedicated tool, such as the Qualys SSL Labs tool we mentioned.
Check for Certificate Name Not Matching
An SSL certificate proves that your website is who it claims to be. The website name and the name on the certificate must match. Additionally, the certificate must come from a trusted provider.
There are a few reasons the names might not match, which can generate the error ERR_SSL_VERSION_OR_CIPHER_MISMATCH:
- The domain does not use SSL, but another domain on the same IP address does.
- The domain points to an old IP address it no longer uses. The old website doesn’t exist, but another website has the first domain’s old IP address.
- The site uses a CDN (Content Delivery Network) that does not support SSL.
- The site has a domain name alias that is not in the certificate.
Once you determine the source of the problem, you can resolve the issue easily.
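To see which of the names your site answers on are missing from a certificate, the check below compares hostnames against the certificate's DNS names, including the one-label wildcard rule. It is an added example, not part of the original guide; the function names and the sample names are assumptions made up for illustration.

```python
def name_matches(hostname, pattern):
    """True if one certificate DNS name covers hostname (one-label wildcard)."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False  # a wildcard never spans more than one label
    if pat[0] == "*":
        # Simplified rule: need two fixed labels after the wildcard (no "*.com").
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def uncovered(hostnames, cert_names):
    """Return the hostnames that no name in the certificate covers."""
    return [h for h in hostnames
            if not any(name_matches(h, p) for p in cert_names)]


# Constructed sample data: names listed in a certificate and the names
# (including aliases) that the site is reachable under.
CERT_NAMES = ["example.com", "*.example.com"]
SITE_NAMES = ["example.com", "www.example.com",
              "shop.eu.example.com", "example.net"]

if __name__ == "__main__":
    for name in uncovered(SITE_NAMES, CERT_NAMES):
        print("not covered by certificate:", name)
```

Any name the check reports needs to be added to the certificate or pointed away from the HTTPS host.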
Verify TLS Version
TLS stands for Transport Layer Security and is the security protocol used to encrypt communications between browsers and websites. The current version (at the time this article was written) is TLS 1.3. If your site is running an older version of TLS, it may cause the CIPHER_MISMATCH error.
Most modern browsers are set to use the latest version of TLS (if available on the website). If your server is not configured to use TLS 1.3, consider updating to the latest protocol.
Verify RC4 Cipher Suite
RC4 is an old and simple cipher for encrypting traffic. It has been found to have significant vulnerabilities.
Some organizations still use RC4 for legacy applications, but most modern browsers do not support it. If a website is configured to use RC4, an error may occur.
The best solution is to move the site off RC4 and onto TLS 1.3. If you cannot completely disable RC4, add the TLS 1.3 protocol so that modern browsers don’t trigger the err_ssl_version_or_cipher_mismatch error.
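The two server-side checks above (TLS version and RC4) can be run against an Apache configuration before a browser ever reports the error. The script below is an added example, not part of the original guide: it reads mod_ssl's SSLProtocol and SSLCipherSuite directives with a simplified model of their syntax, and the sample configurations are constructed.

```python
import re

PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MODERN = {"TLSv1.2", "TLSv1.3"}  # assumption: what current browsers still negotiate

def enabled_protocols(value):
    """Resolve an SSLProtocol value such as 'all -SSLv3' to the enabled set."""
    enabled = set()
    for token in value.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        names = set(PROTOCOLS) if name.lower() == "all" else {name}
        if sign == "-":
            enabled -= names
        elif sign == "+":
            enabled |= names
        else:  # simplified model: a bare token replaces what came before it
            enabled = set(names)
    return enabled

def audit(config_text):
    """Return findings for settings that can leave browsers with no match."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(?i)(SSLProtocol|SSLCipherSuite)\s+(.+)", line)
        if not m:
            continue
        directive, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if directive == "sslprotocol":
            if not enabled_protocols(value) & MODERN:
                findings.append("no TLS 1.2/1.3 enabled: " + value)
            continue
        # Cipher string: tokens prefixed with ! - or + do not add suites.
        offered = [t for t in value.split(":") if t and t[0] not in "!-+"]
        rc4 = [t for t in offered if "RC4" in t.upper()]
        if rc4:
            scope = "only RC4 suites" if len(rc4) == len(offered) else "RC4 still"
            findings.append(scope + " offered: " + value)
    return findings

# Constructed sample configurations, not taken from a real server.
LEGACY = "SSLProtocol all -TLSv1.2 -TLSv1.3\nSSLCipherSuite RC4-SHA:RC4-MD5\n"
FIXED = "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1\nSSLCipherSuite HIGH:!aNULL:!MD5:!RC4\n"

if __name__ == "__main__":
    for label, text in (("legacy", LEGACY), ("fixed", FIXED)):
        print(label, audit(text) or "ok")
```

The legacy sample produces both findings, while the corrected one, which keeps only TLS 1.2 and 1.3 and excludes RC4, produces none.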
Manually Inspect Security Certificate
To manually inspect your SSL Certificate, open the browser, load your webpage, and follow these steps:
In Firefox:
- Right-click anywhere on the page.
- Click View Page Info.
- Select the Security tab.
- Click View Certificate.
In Chrome:
- Right-click anywhere on the page.
- Click Inspect.
- In the Inspection pane near the top, click the arrows >> to reveal more options.
- Click Security.
- Click View Certificate.
In Safari:
- Double-click the padlock icon in the upper-right section.
- In the window that appears, click Show Certificate > Details.
If the site you are checking is not secure and has no certificate, there will be no option to view the certificate.
Solutions for End Users
The err_ssl_version_or_cipher_mismatch error can appear due to a client-side issue. The reason can be an older version of operating systems or an outdated browser. Current versions of TLS protocols are incompatible with old browsers and operating systems.
To bypass the mismatch error, try the solutions we list below.
Connect with a Different Computer
The easiest method to check if only your computer has the issue loading a website is to try using a different computer. The safest bet is to try from a machine with a recent version of an operating system.
If you can load the website without getting the error, you can proceed with troubleshooting using the suggestions in this guide.
Delete Cache and Cookies on Your Browser
Clearing your browser’s cache and cookies can help with SSL certificate issues. Depending on the browser and the version you are using, the steps to find the section for clearing cache may be different.
The CTRL+SHIFT+DELETE hotkey combination works for most browsers. When the pop-up for clearing history or cache appears, change the timeframe to All or Everything. If you check all the options, you will lose saved logins and all history, so you can uncheck those options if you want to.
Enable TLS 1.3 Version on Old Browsers
Recent versions of web browsers use TLS 1.3 by default. If you have not updated your browser or do not want to, you can check the TLS version and enable 1.3.
In Firefox:
Open a new tab and type about:config in the address bar. Click the button to accept the risk and then type security.tls in the search bar.
Look for the security.tls.version.max option towards the bottom of the list. Set the value to 4 if it is not already set.
In Chrome:
Open a new tab and type chrome://flags in the address bar. Search for TLS using the search bar at the top. The results will include the TLS 1.3 downgrade hardening options.
Disable QUIC Protocol
Chrome has many security settings, and “Experimental QUIC Protocol” can be the cause of the err_ssl_version_or_cipher_mismatch error.
To disable the QUIC protocol in Chrome:
In the address bar type in chrome://flags. In the search bar at the top, enter QUIC. The search results should list “Experimental QUIC protocol.”
Change from Default to Disabled, restart Chrome, and try loading the website again.
Clear the SSL State on Your Computer
To clear the SSL state on your computer, go directly to the “Internet Properties” section. The quickest way in Windows 10 is to search for “Internet Properties” or “Internet Options” from the Start menu.
Navigate to the Content tab and click Clear SSL state.
The pop-up message “The SSL cache was successfully cleared” appears.
Some older versions of Chrome allow you to access Internet Properties and clear SSL state from the advanced settings menu.
Update or Change your Web Browser
Most modern browsers update automatically on restart. If your browser did not update automatically, you can update it manually.
To check the version on most popular browsers, navigate to the Help and About section.
In most cases, you can manually update the browser from here. Once the update completes, try loading the website again.
Conclusion
This guide listed the most common solutions for the err_ssl_version_or_cipher_mismatch error. The causes may be on the server side or the client side.
By following the steps listed in this guide, you should be able to find the cause of the error and fix it.
Original article by ItWorker. If you reproduce it, please credit the source: https://blog.ytso.com/tech/aiops/223917.html