ERR_SSL_PROTOCOL_ERROR

Common causes

• No shared protocol version or cipher — the server only offers SSL/TLS 1.0/1.1, or no common cipher. This specific case is usually reported as ERR_SSL_VERSION_OR_CIPHER_MISMATCH.
• A malformed or aborted handshake — a non-HTTPS service answering on the port, a TCP reset mid-handshake, or a middlebox/QUIC interfering — which surfaces as the generic ERR_SSL_PROTOCOL_ERROR.
• The server is misconfigured: the wrong certificate is bound, or the chain is incomplete.
• The device’s clock is wrong, so certificate validation fails.
• Antivirus or firewall HTTPS scanning, or a corporate proxy, is interfering with the handshake.
• Stale browser SSL state — a cached certificate or a QUIC/HTTP3 issue.

How to fix it

1. 1

   Check which protocols the server actually offers. If both probes fail and the port is reachable, the server’s TLS config is the likely problem. (-tls1_3 needs OpenSSL 1.1.1+; if the flag is rejected, that’s your local OpenSSL, not the server.)

   openssl s_client -connect example.com:443 -servername example.com -tls1_2 </dev/null
   openssl s_client -connect example.com:443 -servername example.com -tls1_3 </dev/null

2. 2

   Server side: enable TLS 1.2 and 1.3 with a modern cipher suite, disable SSL and TLS 1.0/1.1, and confirm the correct certificate and full chain are served.

3. 3

   Client side: correct the system clock, temporarily disable antivirus HTTPS/SSL scanning to test, and restart the browser or clear cached files. If HSTS is forcing an HTTPS upgrade to a host that can’t complete TLS, delete that domain’s policy at chrome://net-internals/#hsts (Delete domain security policies).

4. 4

   If one user sees it on one site, it’s almost always client-side (clock, antivirus, an extension). If everyone sees it, fix the server.