There are a number of steps that occur when establishing a secure connection between a browser and a website: the TLS handshake, decryption, checking the certificate against the CA (Certificate Authority), and so on. If any of these fail for any reason, the browser will return the following error: ‘err_ssl_version_or_cipher_mismatch’.
You have probably encountered this error at some point, or else you wouldn’t be here. In order to fix it, we need to establish what caused it and where it comes from. When asking where, we are trying to figure out whether it is a server-side issue (SSL certificate, server settings, etc.) or a local issue (browser, operating system, settings, etc.).
Possible server-side issues
In order to find the cause for this error (or rule out that it is a server-side issue), we need to check the following:
- The SSL certificate itself
- Check for Certificate Name Mismatch
- See if an old TLS version is used
- Check RC4 Cipher Suite
1. Checking the SSL certificate
The first step we recommend is checking your SSL certificate. Qualys SSL Labs has an excellent tool that will tell you anything you need to know about your SSL certificate. All you have to do is type the full URL of your site and click ‘Submit’. The results will not appear instantly, but it shouldn’t take more than a couple of minutes. There’s also an option to hide the results if you want to. The test is very reliable and it will let you know if there’s anything wrong with your SSL certificate.
2. Certificate Name Mismatch issue
A certificate name mismatch is a pretty common issue. In this case, we have a subdomain, fixrunnertest2.fixrunnertest.com, which does not use SSL but shares the same IP address as the domain fixrunnertest.com. The fixrunnertest.com domain has an SSL certificate which checks out.
There are other reasons why the browser might throw this error such as:
- The domain name is pointing to an old IP address where another site is hosted
- There is no SSL support on the CDN you are using
- You haven’t included your domain name alias in the certificate
Another method you can use to check your certificate is through the browser. Simply click on the padlock icon at the beginning of the address bar. A drop-down menu will appear. Click on ‘Certificate’ and you will see a popup with information about the SSL certificate for that particular site.
Personally, we prefer the Qualys SSL Labs test, as most browsers will not pull the certificate info if there’s an issue with it.
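The name-mismatch case from this section can also be checked in a few lines of Python. This is an added example, not part of the original article: the function names and the two sample certificates (including the www name) are constructed for illustration, using the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns.

```python
def dns_name_matches(pattern, hostname):
    """Match one certificate DNS name against a hostname (RFC 6125 rules:
    '*' may stand only for the entire left-most label, never several)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard.
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h


def names_in_cert(cert):
    """DNS entries of subjectAltName in a getpeercert()-style dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def covers(cert, hostname):
    """True if any name in the certificate matches the hostname."""
    return any(dns_name_matches(n, hostname) for n in names_in_cert(cert))


def audit(cert, hostnames):
    """Return the hostnames that would trigger a name mismatch."""
    return [h for h in hostnames if not covers(cert, h)]


# Constructed sample data (not real certificates).
CERT_APEX_ONLY = {"subjectAltName": (("DNS", "fixrunnertest.com"),
                                     ("DNS", "www.fixrunnertest.com"))}
CERT_WILDCARD = {"subjectAltName": (("DNS", "fixrunnertest.com"),
                                    ("DNS", "*.fixrunnertest.com"))}
SITES = ["fixrunnertest.com", "www.fixrunnertest.com",
         "fixrunnertest2.fixrunnertest.com", "a.b.fixrunnertest.com"]

if __name__ == "__main__":
    print("apex-only cert mismatches:", audit(CERT_APEX_ONLY, SITES))
    print("wildcard cert mismatches: ", audit(CERT_WILDCARD, SITES))
```

A wildcard entry covers exactly one extra label, so it fixes the subdomain from this section but not names nested two levels deep.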
3. Checking for old and unsupported TLS version
Ideally, all hosting providers should use at least TLS 1.2 on their servers. There should also be some backward compatibility with older TLS versions, since not everyone uses the latest operating systems and browsers. Most hosting providers take care of this behind the scenes to ensure maximum compatibility. If you notice an old TLS version, contact your hosting provider and ask for TLS to be updated.
Also, TLS 1.3 was published on August 21st, 2018, and it offers better security and faster speeds. If your hosting provider can’t offer at least TLS 1.2, it might be a good idea to switch to a different provider.
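To see for yourself which of these versions a server accepts, you can attempt one handshake per version. The script below is an added example, not part of the original article; the function names are illustrative, and the hostname is whatever you pass on the command line.

```python
import socket
import ssl

# Protocol versions a current browser will still negotiate.
VERSIONS = {"TLS 1.2": ssl.TLSVersion.TLSv1_2, "TLS 1.3": ssl.TLSVersion.TLSv1_3}


def pinned_context(version):
    """Client context that offers exactly one protocol version."""
    ctx = ssl.create_default_context()
    # Diagnostic only: this tests protocol support, not trust, so a bad
    # certificate must not mask the result. Never reuse for real traffic.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def probe(host, version, port=443, timeout=5.0):
    """Return ('ok', cipher), ('handshake_failed', why) or ('unreachable', why)."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("unreachable", str(exc))
    with raw:
        try:
            with pinned_context(version).wrap_socket(raw, server_hostname=host) as tls:
                return ("ok", tls.cipher()[0])
        except (ssl.SSLError, OSError) as exc:
            return ("handshake_failed", str(exc))


def verdict(results):
    """Summarise {label: (status, detail)} as produced by probe()."""
    states = {label: status for label, (status, _) in results.items()}
    if "unreachable" in states.values():
        return "inconclusive: could not reach the server"
    ok = [label for label, status in states.items() if status == "ok"]
    if not ok:
        return "server-side: no handshake with TLS 1.2 or TLS 1.3"
    return "server offers " + ", ".join(ok)


if __name__ == "__main__":
    import sys
    host = sys.argv[1]  # hostname to test, supplied by the reader
    results = {label: probe(host, v) for label, v in VERSIONS.items()}
    print(results, verdict(results), sep="\n")
```

If neither handshake succeeds while the server is reachable, the mismatch is on the server side and changing browser settings will not help.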
4. The RC4 Cipher Suite
The Chrome developers removed RC4 support in version 48. Although it is not a common issue, some larger enterprises might face this problem since it takes more time to update anything on a larger scale.
Microsoft, Google and security researchers in general recommend disabling the RC4 cipher suite. You can check this with the SSL Labs tool.
Possible local issues to fix err_ssl_version_or_cipher_mismatch
Some older operating systems and browsers don’t support recent TLS protocols. Therefore, it is pretty certain that you will see this error if you are using Internet Explorer 8 on Windows XP, for example. In this case, you can try using Firefox because it has its own cryptographic library and doesn’t use the SSL support built into Windows.
Some things you might want to try are:
- Clearing the SSL state on your computer
- Enabling TLS 1.3 on your browser
- Disabling the antivirus temporarily
1. Clearing the SSL state on your computer
Follow these steps:
- Open Chrome browser
- Scroll down and click ‘Advanced’ to show more options
- Click on ‘Open proxy settings’
- You will see a pop-up titled ‘Internet Properties’.
- Click on the ‘Content’ tab and then click the ‘Clear SSL state’ button
2. Enabling TLS 1.3 version on your browser
TLS versions 1.0 and 1.1 have been deprecated in Chrome version 72 and above. Still, if you are using an older version of Chrome (or a different browser) you might want to try and enable TLS 1.3. You can also check the maximum TLS version allowed in your browser.
In Chrome, type ‘chrome://flags’ in the address bar, then type ‘TLS’ in the search field. You will see an option named ‘TLS 1.3 downgrade hardening’. This will enable backward compatibility with TLS versions 1.0 and 1.1.
In Firefox, type ‘about:config’ in the address bar. You will see a message ‘This might void your warranty!’. Just click ‘I accept the risk.’ and when redirected to the configuration page, type ‘TLS’ in the search field. Look for a setting called ‘security.tls.version.max’. The value at the right end of the row should be 4. If it isn’t, double-click the number and set it to 4.
3. Temporarily disable antivirus
If you went through all of the steps listed above, one last thing you could try is to temporarily disable antivirus. It is possible for certain antivirus software to add a layer between the browser and the web. This layer will contain its own certificates which may cause the issue. Again, this is only a temporary solution.
Conclusion – update your software
The one fact that is absolutely true when it comes to the world of technology is this – adapt or die. Software is constantly being updated, security protocols are changing and functionality is improving. Backward compatibility can only get you so far and at a certain point, you will have to get along to go along.
It is worth thinking about updating your operating system, browser and any software you might use on a regular basis. I remember all of the Windows updates I went through. At first, I thought that it would be a painful transition, but I was wrong. It took me days, maybe weeks, to get used to a new environment but it pays off in the long run.