Resolving ERR_SSL_VERSION_OR_CIPHER_MISMATCH

My issue: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

How I encountered the problem: Visiting my site

Solutions I’ve tried: Rewriting config file, adjusting Cloudflare settings

My config:

server {
    listen 80;
    server_name dev.biomebattle.net;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name dev.biomebattle.net;
    
    # SSL configuration
    ssl_certificate /etc/letsencrypt/live/dev.biomebattle.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dev.biomebattle.net/privkey.pem;
    
    # Modern SSL setup
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;
    
    # SSL optimization
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    
    # HSTS (optional, but recommended)
    add_header Strict-Transport-Security "max-age=63072000" always;
    
    location / {
        proxy_pass http://127.0.0.1:3934;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
    }
    
    error_log /var/log/nginx/development_error.log warn;
    access_log /var/log/nginx/development_access.log combined;
}

Hi @CandyKannan - I’ve moved your post to Troubleshooting and adjusted the title to reflect the issue you’re having.

Heya! Have you recently changed anything in the config or are you trying to set up NGINX with SSL for the first time?


nginx usually expects the certificate to be a .crt file, and the key a .key file. Can you verify that the cert and key files are correctly formatted and match? You should be able to run the following openssl commands and get the same output from each:

openssl rsa -in KEYFILE -pubout
openssl x509 -in CERTFILE -pubkey -noout
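
The comparison suggested above, as an added example that is not part of the original thread. It uses `openssl pkey` instead of `openssl rsa` so that ECDSA keys are handled as well as RSA keys; the function names and the throwaway sample material are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): check that a certificate and a private
# key belong together, for RSA and ECDSA keys alike.

# Print the public key (PEM) derived from a private key of any type.
key_pub() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Print the public key (PEM) of the first certificate in a file. For a
# Let's Encrypt fullchain.pem that first certificate is the leaf.
cert_pub() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# cert_key_match CERTFILE KEYFILE (hypothetical helper name)
# Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
cert_key_match() {
    ckm_cert=$(cert_pub "$1") || { echo "cannot parse certificate: $1" >&2; return 2; }
    ckm_key=$(key_pub "$2")   || { echo "cannot parse private key: $2" >&2; return 2; }
    [ -n "$ckm_key" ] && [ "$ckm_cert" = "$ckm_key" ]
}

# make_sample DIR NAME ec|rsa
# Constructed throwaway key and self-signed certificate, for the demo only.
make_sample() {
    case "$3" in
        ec)  openssl ecparam -name prime256v1 -genkey -noout -out "$1/$2.key" ;;
        rsa) openssl genrsa -out "$1/$2.key" 2048 2>/dev/null ;;
        *)   return 2 ;;
    esac &&
    openssl req -x509 -new -key "$1/$2.key" -subj "/CN=example.test" \
        -days 1 -out "$1/$2.pem" 2>/dev/null
}

if [ "$#" -eq 2 ]; then
    # Real use: sh check.sh fullchain.pem privkey.pem
    cert_key_match "$1" "$2" && echo "match" || echo "MISMATCH or unreadable"
else
    # No arguments: run against constructed sample pairs.
    tmp=$(mktemp -d)
    make_sample "$tmp" ec ec && make_sample "$tmp" rsa rsa
    cert_key_match "$tmp/ec.pem"  "$tmp/ec.key"  && echo "ec:  match"
    cert_key_match "$tmp/rsa.pem" "$tmp/rsa.key" && echo "rsa: match"
    cert_key_match "$tmp/ec.pem"  "$tmp/rsa.key" || echo "crossed: mismatch"
    rm -rf "$tmp"
fi
```

A mismatch or an unreadable file here points at the files nginx is loading; a match means the certificate and key pair is not the cause.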

This seems to be a duplicate of Err_ssl_version_or_cipher_mismatch. I am going to close the other thread in favor of this one since this one has more activity :slight_smile:

You mentioned Cloudflare. Did you enable the orange cloud on Cloudflare? If so, this is not an nginx problem, but rather an issue with your certificate on the Cloudflare CDN. You may want to check if the Cloudflare edge certificate is correctly issued.

Whenever the Cloudflare certificate is not successfully issued, Cloudflare will return Err_ssl_version_or_cipher_mismatch.
