critical

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Server and browser cannot agree on SSL/TLS protocol version or cipher suite.

Common Causes

  1. 1Server uses deprecated ciphers (RC4, 3DES)
  2. 2Server only supports TLS 1.0/1.1
  3. 3CDN has different SSL settings than origin
  4. 4Wildcard certificate doesn't cover the requested subdomain depth
  5. 5Old load balancer or appliance capping the TLS version for everything behind it

How to Fix

Update cipher configuration

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;

Use Mozilla's recommended modern cipher configuration.

Probe supported TLS versions

openssl s_client -connect example.com:443 -servername example.com -tls1_2
openssl s_client -connect example.com:443 -servername example.com -tls1_3

If both probes fail, the server offers only deprecated versions. Fix at whatever terminates TLS: origin, load balancer, or CDN edge setting.

Cover the exact hostname

sudo certbot --nginx -d dev.app.example.com

Wildcards match one level only: *.example.com covers app.example.com but not dev.app.example.com. Issue a certificate that names the host explicitly.

How ObserveOne Helps

TLS config changes at the edge are exactly when this error appears in production. An ObserveOne check against the HTTPS endpoint fails on the first broken handshake after a deploy.

Start Monitoring Free

Related Errors