critical

ERR_SSL_PROTOCOL_ERROR

The browser cannot establish a secure SSL/TLS connection because the server and browser cannot agree on a protocol version or cipher suite.

Common Causes

  1. 1Server only supports outdated TLS versions (TLS 1.0/1.1)
  2. 2Web server listening on port 443 without TLS enabled (plaintext on the HTTPS port)
  3. 3SSL certificate is misconfigured
  4. 4Mismatched cipher suites
  5. 5Firewall interfering with SSL handshake
  6. 6Visitor-side: wrong system clock, stale SSL state, or antivirus HTTPS scanning

How to Fix

Enable TLS 1.2 and 1.3

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';

Configure modern TLS protocols. TLS 1.0/1.1 are deprecated and rejected by all major browsers.

Confirm port 443 actually serves TLS

openssl s_client -connect example.com:443 -servername example.com

A completed handshake prints the certificate and negotiated protocol. An immediate failure or plaintext response means 443 is serving HTTP; in nginx the listener needs 'listen 443 ssl;'.

Rule out the visitor's machine first

# Loads in incognito / on another device? The cause is local:
# check the system clock, clear the SSL state and cache,
# disable antivirus HTTPS scanning or interfering extensions.

If the site loads elsewhere, the server is fine; fix the local clock, cached SSL state, or interception software instead.

How ObserveOne Helps

An ObserveOne uptime check makes a full HTTPS request from outside, so a handshake that starts failing after a config change triggers an alert instead of waiting for user reports.

Start Monitoring Free

Related Errors