You type in a website address, press Enter, and instead of the page loading, Chrome throws up a red warning: “This site can’t provide a secure connection.” The error code reads ERR_SSL_VERSION_OR_CIPHER_MISMATCH, and the page refuses to load.
The ERR_SSL_VERSION_OR_CIPHER_MISMATCH error occurs when your browser and the website’s server are unable to agree on how to encrypt the connection. They attempt to perform a “handshake” — but the handshake fails because one of the parties is using outdated or incompatible security settings.
The good news is that fixing most problems takes less than five minutes and requires no technical knowledge. This guide covers solutions for every problem, for both visitors and website owners.
Quick Checks — Try These First
Open the site in a different browser (Firefox, Edge) to confirm if it’s browser-specific error.
Clear your browser cache and cookies using Ctrl + Shift + Delete.
Try accessing the site on mobile data — if it loads, your network or firewall is blocking it.
Update Chrome or your browser to the latest version — outdated browsers drop TLS support.
Temporarily disable your antivirus or firewall and try loading the site again.
If you manage the site — run a free SSL check at ssllabs.com/ssltest before doing anything else.
What is ERR_SSL_VERSION_OR_CIPHER_MISMATCH?
Definition: ERR_SSL_VERSION_OR_CIPHER_MISMATCH is a browser error that appears when the SSL/TLS handshake between your browser and a web server fails. It means neither side supports a common encryption protocol version — so no secure connection can be established, and the page is blocked entirely.
Every time you visit an HTTPS website, your browser and the server go through a quick negotiation — called the TLS handshake — to agree on an encryption method.
Think of it like two people trying to speak a shared language. If your browser only speaks modern TLS 1.3 and the server only supports old TLS 1.0, they cannot communicate, and this error is the result.
Why Does This Happen?
- The server is running an outdated TLS version (SSL 3.0, TLS 1.0, or TLS 1.1), which is no longer supported by modern browsers.
- SSL certificate name mismatch — the certificate was issued for a different domain than the one you are currently visiting.
- The SSL certificate installed on the server has either expired or is invalid.
- The server is still utilizing the RC4 cipher suite — which was removed from Chrome version 48 and is no longer in use.
- CDN error — the SSL certificate for Cloudflare or another CDN is either pending, inactive, or has expired.
- The SSL state cache in your browser has become corrupted, retaining outdated session parameters.
- QUIC protocol conflict — Chrome’s experimental QUIC feature is conflicting with certain server or firewall configurations.
- Antivirus software or a corporate firewall is performing SSL inspection and interfering with the TLS handshake.
Step By Step Fixes
1. Clear the SSL State in Chrome
Chrome caches SSL session data to load sites faster. If this cache contains outdated or expired data, it results in a mismatch error. Clearing it forces Chrome to re-establish the connection from scratch.
- Press Windows + S → search for Internet Options → open it
- Click the Content tab
- Click Clear SSL state
- Click OK, then fully close and reopen Chrome
- Reload the page again
2. Disable the QUIC Protocol in Chrome
Chrome’s QUIC protocol uses UDP instead of TCP for encrypted connections. Some firewalls and server configurations handle QUIC incorrectly, which causes the cipher mismatch error on specific sites.
- Open a new Chrome tab and type this in the address bar:
chrome://flags/#enable-quic- Find the Experimental QUIC Protocol setting
- Change the dropdown from Default to Disabled
- Click Relaunch at the bottom of the page
- Try loading the site again
Warning: If this does not resolve the issue, please re-enable QUIC later—keeping it disabled permanently may slightly reduce browsing speeds on supported sites.
3. Clear Browser Cache and Cookies
A corrupted or outdated browser cache can store bad SSL data for a site. Clearing it forces Chrome to fetch fresh certificate information on the next visit.
- Press Ctrl + Shift + Delete in Chrome
- Set time range to All time
- Check Cached images and files and Cookies and other site data
- Click Clear data
- Close and reopen Chrome, then reload the site
4. Flush DNS Cache
An outdated DNS cache can direct your browser to an incorrect IP address—one that hosts a different SSL certificate. Flushing the DNS initiates a fresh lookup and often resolves site-specific SSL errors.
- Press Windows + S → type cmd → open Command Prompt
- Type the command below and press Enter
ipconfig /flushdns- Wait for the “Successfully flushed” confirmation message
- Reload the site in Chrome
5. Disable Antivirus SSL Scanning / Firewall
Many antivirus software and firewalls perform “SSL inspection” — they intercept and re-encrypt HTTPS traffic. This interference can break the TLS handshake and trigger the cipher mismatch error.
- Open your antivirus settings (Avast, AVG, Kaspersky, etc.)
- Find a setting labelled Web Shield, HTTPS Scanning, or SSL Inspection
- Temporarily disable it
- Reload the site — if it loads, the antivirus was the cause
- Add the site to your antivirus whitelist/exclusion list as a permanent fix
Warning: Do not permanently disable antivirus protection. Add the specific trusted site to the exceptions list instead.
6. Try a Different DNS Server
Your ISP’s DNS server may direct you to an outdated IP address for a site, where a different SSL certificate is active. Switching to Google or Cloudflare DNS quickly resolves the ERR_SSL_VERSION_OR_CIPHER_MISMATCH.
- Press Windows + I → Network & Internet → Advanced network settings
- Click your active connection → Edit DNS
- Switch to Manual and enter one of the values below
- Save and reload the site
Google DNS: 8.8.8.8 / 8.8.4.4
Cloudflare DNS: 1.1.1.1 / 1.0.0.17. Run an SSL Check on Your Website (Site Owners)
If ERR_SSL_VERSION_OR_CIPHER_MISMATCH error is present on your site, the first step is to identify the root cause using Qualys SSL Labs—a free and reliable tool that grades your server’s entire SSL configuration.
- Go to ssllabs.com/ssltest
- Enter your domain name and click Submit
- Wait for the full analysis (1–2 minutes)
- Look for issues: certificate name mismatch, expired cert, RC4 cipher, TLS 1.0/1.1 in use
- Pass the specific problem to your hosting provider or fix it via your server config
The SSL Labs report gives your site a grade from A+ to F. An A or A+ grade means no cipher or version issues. Anything below B needs action.
8. Cloudflare SSL Certificate Status
If your site uses Cloudflare and visitors see this error, the most likely cause is a Universal SSL certificate that is not yet Active. Cloudflare certificates can take up to 24 hours to fully issue after a new domain is added.
- Log in to your Cloudflare dashboard
- Select your domain → go to SSL/TLS → Edge Certificates
- Find the certificate with Type: Universal
- Check its Status — it must say Active
- If not Active, temporarily pause Cloudflare and wait up to 24 hours for the certificate to issue
- For multi-level subdomains (sub.sub.domain.com), enable Total TLS or order an Advanced Certificate
9. Renew or Reinstall the SSL Certificate (Site Owners)
If an SSL Labs test indicates that the certificate has expired, was issued for the wrong domain, or does not originate from a trusted Certificate Authority—then the certificate itself needs to be replaced. No amount of client-side adjustments will resolve this issue.
- Log into your hosting control panel (cPanel, Plesk, etc.)
- Navigate to SSL/TLS settings
- Renew your existing certificate or install a new one (Let’s Encrypt is free)
- Ensure the certificate domain exactly matches your site’s URL
- Restart your web server after installing
- Re-test at ssllabs.com/ssltest to confirm the grade improved
Let’s Encrypt certificates are free, trusted by all modern browsers, and auto-renew every 90 days — ideal for most websites.
How to Prevent This Error in Future
- Always keep your browser updated — major browsers regularly discontinue support for older TLS versions.
- For site owners: Configure your SSL certificates to renew automatically (Let’s Encrypt does this by default).
- Run an SSL Labs test on every site you manage every three months — catch issues before your visitors notice them.
- Ensure that your server supports at least TLS 1.2 — TLS 1.3 is ideal for optimal performance and security.
- When using a CDN like Cloudflare, always check the certificate status after adding a new domain.
- Never use RC4, SSL 3.0, or TLS 1.0/1.1 in your server configuration — these are no longer supported.
Best Practices
If this error appears on only one specific website—and not on others—the issue is almost certainly server-side, not with your browser. Skip the client-side fixes and proceed directly to Fix 07 (SSL Labs check).
Use Chrome DevTools to quickly peek at a certificate without SSL Labs. Right-click on the page → Inspect → Security tab → View Certificate. If the error blocks the page entirely though, use ssllabs.com instead — it tests from the outside.
FAQ — People Also Ask
It is caused when your browser and the web server cannot agree on a shared TLS version or encryption cipher during the SSL handshake. Common triggers include outdated TLS versions on the server (1.0 or 1.1), an expired or mismatched SSL certificate, use of the deprecated RC4 cipher, CDN misconfigurations, or a corrupted SSL state in your browser.
Search for “Internet Options” in Windows, open it, go to the Content tab, and click “Clear SSL state.” Then fully close and reopen Chrome. This clears cached SSL session data that may be causing the mismatch error.