ERR_SSL_VERSION_OR_CIPHER_MISMATCH
After you add a new domain to Cloudflare, your visitors' browsers might display one of the following errors:
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
(Chrome)Unsupported protocol The client and server don’t support a common SSL protocol version or cipher suite
(Chrome)SSL_ERROR_NO_CYPHER_OVERLAP
(Firefox)
This error occurs when your domain or subdomain is not covered by an SSL/TLS certificate, which is usually caused by:
- A delay in certificate activation.
- An unproxied domain or subdomain DNS record.
- An expired Custom certificate.
- A multi-level subdomain (
test.dev.example.com
).
flowchart TD accTitle: Troubleshooting ERR_SSL_VERSION_OR_CIPHER_MISMATCH decision tree A>Is your certificate active?] -- Yes --> B>Is the DNS record proxied?] A -- No --> C[Wait for certificate to activate or pause Cloudflare] B -- No --> D[Proxy the DNS record] B -- Yes --> E>Are you using a custom certificate?] E -- Yes --> F[Custom certificate may be expired] E -- No --> G>Are you accessing a multi-level subdomain?] G -- Yes --> H[Get an advanced or custom certificate]
For domains on a full setup1, your domain should automatically receive its Universal SSL certificate within 15 minutes to 24 hours of domain activation2.
This certificate will cover your zone apex (example.com
) and all first-level subdomains (subdomain.example.com
), and is provisioned even if your records are DNS only. However, the certificate will only be presented if your domain or subdomains are proxied.
If your visitors experience ERR_SSL_VERSION_OR_CIPHER_MISMATCH
(Chrome) or SSL_ERROR_NO_CYPHER_OVERLAP
(Firefox), check the status of your Universal certificate:
- Log into the Cloudflare dashboard ↗.
- Choose your account and domain.
- Go to SSL > Edge Certificates.
- Find the certificate with the Type of Universal.
- Make sure the Status is Active.
If the Status is anything other than Active, you can either wait a bit longer for certificate activation or take immediate action.
If you need to immediately resolve this error, temporarily pause Cloudflare.
Since Universal certificates can take up to 24 hours to be issued, wait and monitor the certificate's status. Once your certificate becomes Active, unpause Cloudflare using whichever method you used previously.
If your certificate is still not Active after 24 hours, try the various troubleshooting steps used to resolve timeout issues. If these methods are successful (and your certificate becomes Active), unpause Cloudflare using whichever method you used previously.
Cloudflare Universal and Advanced certificates only cover the domains and subdomains you have proxied through Cloudflare.
If the Proxy status of A
, AAAA
, or CNAME
records for a hostname are DNS-only, you will need to change it to Proxied.
If you have a Custom certificate and visitors experience ERR_SSL_VERSION_OR_CIPHER_MISMATCH
(Chrome) or SSL_ERROR_NO_CYPHER_OVERLAP
(Firefox), check its status to make sure it is not expired.
If it is expired, upload a replacement certificate.
By default, Cloudflare Universal SSL certificates only cover your apex domain and one level of subdomain.
Hostname | Covered by Universal certificate? |
---|---|
example.com | Yes |
www.example.com | Yes |
docs.example.com | Yes |
dev.docs.example.com | No |
test.dev.api.example.com | No |
This means that you might experience ERR_SSL_VERSION_OR_CIPHER_MISMATCH
(Chrome) or SSL_ERROR_NO_CYPHER_OVERLAP
(Firefox) on multi-level subdomains.
To prevent insecure connections on a multi-level subdomain, do one of the following:
- Enable Total TLS, which automatically issues individual certificates to your proxied hostnames not covered by a Universal certificate.
- Order an Advanced Certificate covering the subdomain.
- Upload a Custom Certificate covering the subdomain.
If none of these solutions work, you could also remove the multi-level subdomain.