What is the difference between a protocol error and a certificate error?

A protocol error means the TLS handshake failed before any certificate was checked, usually down to a version or cipher problem. A certificate error means the handshake went through fine, but the certificate turned out expired, untrusted, or issued for the wrong host. One points at the connection, the other at the credential.

Why does this error only appear on my device?

If your machine fails while other devices load the website without trouble, the cause is almost always local: a wrong clock, a corrupted SSL or HSTS state, an outdated browser, antivirus HTTPS scanning, or a VPN. Confirm it on a second device or network before you start blaming the server.

Is it safe to ignore ERR_SSL_PROTOCOL_ERROR?

No. The error means the secure connection could not be established, so there is no safe fallback to drop down to. Never try to bypass it on a website that handles logins or payments. Track down the underlying cause instead, whether that turns out to be your device or the server's TLS setup.

What TLS version does a website need to avoid this?

Serve TLS 1.2 and TLS 1.3, and switch off TLS 1.0 and 1.1. Browsers have dropped the older versions, so a server stuck on them simply cannot negotiate a handshake any more. TLS 1.2 is the practical floor, with 1.3 preferred.

How do I clear the SSL state in my browser?

On Windows, open Internet Properties, switch to the Content tab, click Clear SSL state, then restart the browser. For a stuck HSTS entry in Chrome, head to chrome://net-internals/#hsts, type the domain under Delete domain security policies, and remove it.

Does HSTS cause ERR_SSL_PROTOCOL_ERROR?

Only indirectly. HSTS pins the browser to HTTPS for a domain, so when the TLS handshake is already broken, HSTS takes away the option to fall back to HTTP and the error is what you get instead. A stale HSTS entry can also keep enforcing old rules after the server has moved on, which is why clearing it sometimes does the trick.

Can antivirus or a VPN trigger this error?

Yes. Antivirus with HTTPS or SSL scanning steps into the connection and inserts its own handshake, which can fail outright or use parameters the browser turns down. A VPN or proxy can route you through a server that mangles the handshake. Disable the scanning feature, or the VPN, to test whether it is the cause.

What is the difference between ERR_SSL_PROTOCOL_ERROR and ERR_SSL_VERSION_OR_CIPHER_MISMATCH?

There is overlap. The version-or-cipher error is the narrow case: the browser and server share no common TLS version or cipher suite. ERR_SSL_PROTOCOL_ERROR is the wider net, and it catches things a mismatch never would, like plain HTTP answering on port 443, a malformed TLS record, or a corrupted local SSL state. See the mismatch code and you can go straight to the server's protocol and cipher list. See the generic code and you should check the listener and your own device first.

Why do I get this error when my certificate is valid and not expired?

Because the error fires before the certificate is ever read. The handshake dies at the protocol or connection stage, so a valid, in-date certificate changes nothing. openssl spells this out: print no peer certificate available next to a handshake failure and you know the server never got far enough to send the certificate at all. Sort out the protocol, cipher, or listener, and the certificate gets checked normally on the next attempt.

Can a reverse proxy or load balancer cause ERR_SSL_PROTOCOL_ERROR?

Yes, and it happens often. Say a proxy or load balancer terminates TLS, then forwards plain HTTP to a backend that still expects HTTPS. Or it is set up to pass cleartext straight to port 443. Either way the browser gets an invalid TLS response and shows this error. The giveaway is running openssl against the public hostname and seeing wrong version number. Trace where TLS actually terminates, and make sure each hop speaks the protocol the next one expects.

Does disabling QUIC actually fix this, or just hide it?

For one specific cause, it is a genuine fix. QUIC is the alternative transport Chrome reaches for before falling back to classic TLS. A glitch there, or a clash with an older server setup, can show up as ERR_SSL_PROTOCOL_ERROR. Turn off Experimental QUIC at chrome://flags and you force the standard TLS path. If that clears it, the server TLS was fine all along and QUIC negotiation was to blame. If it does not, look elsewhere.

How do I know if the problem is my server or the wider internet path?

Run the same check from several outside locations instead of trusting your own machine. A server-side TLS fault breaks everywhere, consistently. A path problem (a regional middlebox, a filtering proxy, a captive portal) only breaks from certain networks. Point an external monitor that does a real TLS handshake from multiple global locations at the host, and you find out at once whether the handshake fails for everyone or just on specific routes.

ERR_SSL_PROTOCOL_ERROR

You open an HTTPS page and Chrome stops you cold with This site can't provide a secure connection and the code ERR_SSL_PROTOCOL_ERROR. The server was reachable, but the encrypted handshake fell apart before the page could load. This guide explains why, and how to get the secure connection back.

Updated June 2026 · 6 min read

Written by

Andrian Valeanu Founder of Pulsetic

Andrian Valeanu founded Pulsetic and, before it, Designmodo. Across 15-plus years he has shipped web products, design tools, and monitoring software teams around the world rely on.
Reviewed by

Ionut Caval Technical reviewer

Ionut Caval reviews Pulsetic's technical guides for accuracy. He works hands-on with web servers, networking, and uptime monitoring day to day, and makes sure the causes and fixes here hold up in production.

The short version: Start with your device clock, because a wrong date breaks SSL outright. Next, clear the browser cache and SSL state, try incognito and a second browser, and switch off any VPN, proxy, or antivirus HTTPS scanning. Run the website yourself? Enable TLS 1.2 and 1.3, drop TLS 1.0/1.1, and confirm the certificate chain.

Key takeaways

ERR_SSL_PROTOCOL_ERROR is the generic catch-all for a TLS handshake that broke before any certificate was read. That points you at the connection or the server's TLS setup, not at what the certificate contains.
It is wider than a version-or-cipher mismatch. It also fires when plain HTTP answers on port 443, when the server sends a malformed TLS record, or when something local corrupts the handshake.
Test on a second device and network before anything else. If only your machine fails, the cause is local (clock, SSL state, HSTS, antivirus, VPN). If every device fails, the server's TLS configuration is at fault.
For owners: enable TLS 1.2 and 1.3, drop TLS 1.0 and 1.1, confirm port 443 is genuinely speaking TLS, and validate the config before you reload.
The handshake fails from the outside the same way it fails for a browser, so an external HTTP(S) check negotiates TLS identically and trips the instant the connection breaks for real visitors.

Error type: HTTPS / TLS error
Whose side: Either: the server config, or your device
Fix difficulty: Easy to moderate
Common cause: The TLS handshake failed

What does ERR_SSL_PROTOCOL_ERROR mean?

ERR_SSL_PROTOCOL_ERROR means your browser reached the server and tried to open an encrypted connection, but the TLS handshake collapsed before it could finish. In a normal handshake the two sides settle on a protocol version and a cipher suite, then the server hands over its certificate. This error stops things at that first step. Maybe a version or cipher could not be negotiated, maybe the server answered with something that was not valid TLS, maybe a piece of the setup is misconfigured. Either way, no certificate was validated, because the connection never reached that point.

That is the line between this and a certificate error. Codes like NET::ERR_CERT_DATE_INVALID or NET::ERR_CERT_AUTHORITY_INVALID only appear after the handshake succeeds, once the browser holds the certificate and finds it expired, untrusted, or issued for the wrong host. A protocol error happens earlier. It points at the connection itself, the TLS version, the cipher, or the local environment, and not at anything inside the certificate.

The path a request takes from your browser to the website's servers. A ERR_SSL_PROTOCOL_ERROR is produced at the highlighted stages.

443: The default HTTPS port where the TLS handshake takes place
TLS 1.2 / 1.3: The only protocol versions browsers still trust
TLS 1.0 / 1.1: Deprecated and disabled in modern browsers, a frequent root cause
0 certs: Number of certificates validated when the handshake fails this early

How the ERR_SSL_PROTOCOL_ERROR error appears

The wording changes depending on your browser, device, or server. Here is how this error commonly shows up:

This site can't provide a secure connection

example.com sent an invalid response.

ERR_SSL_PROTOCOL_ERROR

What a ERR_SSL_PROTOCOL_ERROR looks like in the browser. The exact wording varies by browser, device, and server.

ERR_SSL_PROTOCOL_ERROR the TLS handshake failed before the certificate stage
This site can't provide a secure connection Chrome and Edge headline for the same error
ERR_SSL_VERSION_OR_CIPHER_MISMATCH Chrome could not agree on a TLS version or cipher
SSL_ERROR_NO_CYPHER_OVERLAP Firefox wording for a cipher mismatch
SSL_ERROR_RX_RECORD_TOO_LONG Firefox sees plain HTTP answering on the HTTPS port
curl: SSL routines: wrong version number the openssl equivalent of a protocol mismatch

ERR_SSL_PROTOCOL_ERROR vs certificate errors

A protocol error means the handshake never completed, while a certificate error means the handshake succeeded but the certificate itself failed validation.

Error	What it means	Most likely fix
ERR_SSL_PROTOCOL_ERROR	The TLS handshake failed at the protocol or cipher stage, before the certificate was checked	Enable TLS 1.2/1.3 and a modern cipher, or fix the client clock and SSL state
NET::ERR_CERT_DATE_INVALID	The handshake worked but the certificate is expired or the device date is wrong	Renew the certificate, or correct the system date and time
NET::ERR_CERT_AUTHORITY_INVALID	The certificate is not trusted, often a self-signed cert or a missing intermediate	Install the full chain, or use a cert from a trusted authority
ERR_SSL_VERSION_OR_CIPHER_MISMATCH	Client and server share no common TLS version or cipher suite	Update the server to offer TLS 1.2/1.3 and modern ciphers

Which SSL error is which: the three handshake-stage failures

These three errors are easy to confuse, but each fails at a different point, which tells you where to look.

Error	Where it fails	Points at
`ERR_SSL_PROTOCOL_ERROR`	Generic handshake failure: a malformed TLS record, plain HTTP on port 443, or a corrupted local state, before any certificate is read.	The connection or server TLS setup, or your own device.
`ERR_SSL_VERSION_OR_CIPHER_MISMATCH`	A specific handshake failure: the browser and server share no common TLS version or cipher suite, so negotiation aborts.	An outdated server protocol or cipher list.
`NET::ERR_CERT_*` (DATE, AUTHORITY, COMMON_NAME)	After a successful handshake, when the browser inspects the certificate and finds it expired, untrusted, or for the wrong host.	The certificate itself, not the connection.

openssl readings that explain a protocol error

The handshake message openssl prints usually names the real cause faster than the browser code does.

openssl output	What it means	Fix direction
`wrong version number`	The server answered with something that was not valid TLS, typically plain HTTP listening on port 443.	Make the HTTPS listener actually terminate TLS on 443, or correct the proxy in front of it.
`sslv3 alert handshake failure`	No protocol version or cipher both sides accept, the mismatch case surfacing through the generic error.	Enable TLS 1.2 and 1.3 with a modern cipher suite and re-test.
`tlsv1 alert protocol version`	The client offered a TLS version the server refuses (or vice versa), common when only TLS 1.0/1.1 is configured.	Add TLS 1.2 and 1.3 to the server; remove the deprecated versions.
`no peer certificate available`	The handshake aborted before the server could present a certificate, confirming a negotiation problem rather than a trust one.	Treat it as a version, cipher, or listener problem, not a certificate problem.

What causes ERR_SSL_PROTOCOL_ERROR?

The server only offers outdated TLS 1.0 or 1.1, and modern browsers will not negotiate it.
Client and server have no cipher suite in common, so they cannot agree on encryption parameters.
The device clock is wrong, which throws off the time-sensitive parts of the handshake.
Antivirus or a proxy is intercepting HTTPS and slotting in its own broken handshake.
Chrome has QUIC enabled and it is clashing with the server's older TLS setup.
A corrupted browser SSL state, or a stale HSTS entry, is forcing outdated connection parameters.
The server is misconfigured, or SNI points at the wrong hostname, so plain HTTP or no valid TLS answers on port 443.

How to find the cause fast

Open the same page in a different browser, on another device, and on a separate network. That tells you whether the failure is local or global.
Check your system date and time. A clock that is off by even a few minutes is enough to break the handshake.
Point an online SSL test like SSL Labs at the domain to see which protocols and ciphers the server is really offering.
From a terminal, run openssl s_client -connect example.com:443 and read the handshake result, plus any wrong-version-number message, straight from the source.

curl -I https://example.comcurl: (35) error:0A000410:SSL routines::sslv3 alert handshake failure# client and server share no protocol or cipher in common

What a ERR_SSL_PROTOCOL_ERROR looks like from the command line. The grey lines starting with # are explanatory comments.

How ERR_SSL_PROTOCOL_ERROR looks from the outside

ERR_SSL_PROTOCOL_ERROR is a handshake failure, so it strikes before any certificate is even read, and an external check sees exactly the same thing. Pulsetic runs HTTP(S) checks from 15+ locations every 30 seconds, negotiating TLS the way a browser does, so a protocol or cipher misconfiguration trips an alert the moment it would break for real visitors. The layer above that is its dedicated SSL certificate monitoring, which watches expiry and validity once the handshake succeeds. Since the checks run from outside your network, they tell you whether a secure connection actually completes across the wider internet, not just from your own machine. The honest catch: a monitor confirms the handshake fails from the outside, but it cannot reach into the server to read the cipher list for you.

How to fix ERR_SSL_PROTOCOL_ERROR

If you are a visitor

Check your device date and time, set them to update automatically, then reload the page.
Clear your browser cache and cookies for the website.
Clear the SSL state. On Windows that is Internet Properties > Content > Clear SSL state.
Update your browser to the latest version so it ships with current TLS and cipher support.
Open the website in an incognito window, then try a second browser to rule out extensions and profile state.
Switch off the HTTPS or SSL scanning feature in your antivirus; it intercepts the handshake.
Disconnect any VPN or proxy, turn off system proxy settings too, and retry.
Disable QUIC at chrome://flags/#enable-quic, then relaunch Chrome.
Move to another network, a phone hotspot for instance, to rule out network-level interception.

If you run the website

Enable TLS 1.2 and 1.3 in the server configuration, and strip out TLS 1.0 and 1.1.
Offer a modern cipher suite so current browsers have a common match to land on.
Confirm the certificate and full chain are installed correctly, pointing at fullchain.pem rather than the leaf certificate on its own.
Review the SNI configuration so the right certificate goes out for the requested hostname.
Verify the HTTPS listener is genuinely speaking TLS on port 443, not plain HTTP sitting behind it.
Test the result with SSL Labs and with openssl s_client -connect example.com:443, then validate the config with nginx -t before reloading.

Still not fixed? Next steps

openssl reporting wrong version number means something is serving plain HTTP on port 443. Check that the TLS listener is bound correctly, and that no reverse proxy or load balancer is forwarding cleartext to the HTTPS port.
When the handshake fails only from some networks or regions, the culprit is usually a middlebox, captive portal, or corporate TLS-inspection proxy on those paths, not your server. Confirm it by testing from an external monitor in multiple locations.
Did a recent deploy or config change come just before the error? Roll back the TLS block and reload, then reapply your changes one at a time, running nginx -t or apachectl configtest between each to isolate the line that breaks it.
If the handshake completes in openssl but Chrome still fails, the problem lives in the browser. Clear its SSL and HSTS state and disable QUIC, since a stale security policy or a QUIC glitch can break the connection on that side alone.

Code & configuration

Copy-paste starting points. Replace example.com and the paths with your own, and test changes on staging before production.

Test the handshake and force a specific TLS version

openssl s_client -connect example.com:443 -servername example.com
# force TLS 1.2, then 1.3, to see which the server accepts:
openssl s_client -connect example.com:443 -tls1_2 -servername example.com
openssl s_client -connect example.com:443 -tls1_3 -servername example.com

Enable modern TLS in nginx, then reload

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
ssl_certificate     /etc/ssl/fullchain.pem;
ssl_certificate_key /etc/ssl/privkey.pem;
# then: sudo nginx -t && sudo systemctl reload nginx

Clear the SSL and HSTS state in the browser (visitor side)

# Windows SSL cache: Internet Properties > Content > Clear SSL state
# Chrome HSTS entry: chrome://net-internals/#hsts > Delete domain security policies
# Disable QUIC if it is interfering: chrome://flags/#enable-quic > Disabled

How to prevent ERR_SSL_PROTOCOL_ERROR

A handshake failure breaks HTTPS for everyone, and it usually trails a TLS config change you have already forgotten about. Pulsetic checks your website over HTTPS from multiple locations every 30 seconds and negotiates TLS the way a browser does, while its SSL certificate monitoring tracks validity and expiry. A broken handshake or a lapsing certificate reaches you by email, SMS, Slack, and more before visitors ever hit the warning. It works from the outside, so it confirms the handshake fails but cannot read your server's cipher list.

Learn how Pulsetic's SSL certificate monitoring detects this from the outside, across 15+ locations.

Related errors

Browse all error guides

Frequently asked questions

What is the difference between a protocol error and a certificate error?

A protocol error means the TLS handshake failed before any certificate was checked, usually down to a version or cipher problem. A certificate error means the handshake went through fine, but the certificate turned out expired, untrusted, or issued for the wrong host. One points at the connection, the other at the credential.
Why does this error only appear on my device?

If your machine fails while other devices load the website without trouble, the cause is almost always local: a wrong clock, a corrupted SSL or HSTS state, an outdated browser, antivirus HTTPS scanning, or a VPN. Confirm it on a second device or network before you start blaming the server.
Is it safe to ignore ERR_SSL_PROTOCOL_ERROR?

No. The error means the secure connection could not be established, so there is no safe fallback to drop down to. Never try to bypass it on a website that handles logins or payments. Track down the underlying cause instead, whether that turns out to be your device or the server's TLS setup.
What TLS version does a website need to avoid this?

Serve TLS 1.2 and TLS 1.3, and switch off TLS 1.0 and 1.1. Browsers have dropped the older versions, so a server stuck on them simply cannot negotiate a handshake any more. TLS 1.2 is the practical floor, with 1.3 preferred.
How do I clear the SSL state in my browser?

On Windows, open Internet Properties, switch to the Content tab, click Clear SSL state, then restart the browser. For a stuck HSTS entry in Chrome, head to chrome://net-internals/#hsts, type the domain under Delete domain security policies, and remove it.
Does HSTS cause ERR_SSL_PROTOCOL_ERROR?

Only indirectly. HSTS pins the browser to HTTPS for a domain, so when the TLS handshake is already broken, HSTS takes away the option to fall back to HTTP and the error is what you get instead. A stale HSTS entry can also keep enforcing old rules after the server has moved on, which is why clearing it sometimes does the trick.
Can antivirus or a VPN trigger this error?

Yes. Antivirus with HTTPS or SSL scanning steps into the connection and inserts its own handshake, which can fail outright or use parameters the browser turns down. A VPN or proxy can route you through a server that mangles the handshake. Disable the scanning feature, or the VPN, to test whether it is the cause.
What is the difference between ERR_SSL_PROTOCOL_ERROR and ERR_SSL_VERSION_OR_CIPHER_MISMATCH?

There is overlap. The version-or-cipher error is the narrow case: the browser and server share no common TLS version or cipher suite. ERR_SSL_PROTOCOL_ERROR is the wider net, and it catches things a mismatch never would, like plain HTTP answering on port 443, a malformed TLS record, or a corrupted local SSL state. See the mismatch code and you can go straight to the server's protocol and cipher list. See the generic code and you should check the listener and your own device first.
Why do I get this error when my certificate is valid and not expired?

Because the error fires before the certificate is ever read. The handshake dies at the protocol or connection stage, so a valid, in-date certificate changes nothing. openssl spells this out: print no peer certificate available next to a handshake failure and you know the server never got far enough to send the certificate at all. Sort out the protocol, cipher, or listener, and the certificate gets checked normally on the next attempt.
Can a reverse proxy or load balancer cause ERR_SSL_PROTOCOL_ERROR?

Yes, and it happens often. Say a proxy or load balancer terminates TLS, then forwards plain HTTP to a backend that still expects HTTPS. Or it is set up to pass cleartext straight to port 443. Either way the browser gets an invalid TLS response and shows this error. The giveaway is running openssl against the public hostname and seeing wrong version number. Trace where TLS actually terminates, and make sure each hop speaks the protocol the next one expects.
Does disabling QUIC actually fix this, or just hide it?

For one specific cause, it is a genuine fix. QUIC is the alternative transport Chrome reaches for before falling back to classic TLS. A glitch there, or a clash with an older server setup, can show up as ERR_SSL_PROTOCOL_ERROR. Turn off Experimental QUIC at chrome://flags and you force the standard TLS path. If that clears it, the server TLS was fine all along and QUIC negotiation was to blame. If it does not, look elsewhere.
How do I know if the problem is my server or the wider internet path?

Run the same check from several outside locations instead of trusting your own machine. A server-side TLS fault breaks everywhere, consistently. A path problem (a regional middlebox, a filtering proxy, a captive portal) only breaks from certain networks. Point an external monitor that does a real TLS handshake from multiple global locations at the host, and you find out at once whether the handshake fails for everyone or just on specific routes.

Catch the next outage before your visitors do.

2-minute setup · Cancel any time
Create Free Account

Your Dashboard

No credit card needed

ERR_SSL_PROTOCOL_ERROR

What does ERR_SSL_PROTOCOL_ERROR mean?

How the ERR_SSL_PROTOCOL_ERROR error appears

ERR_SSL_PROTOCOL_ERROR vs certificate errors

Which SSL error is which: the three handshake-stage failures

openssl readings that explain a protocol error

What causes ERR_SSL_PROTOCOL_ERROR?

How to find the cause fast

How ERR_SSL_PROTOCOL_ERROR looks from the outside

How to fix ERR_SSL_PROTOCOL_ERROR

If you are a visitor

If you run the website

Still not fixed? Next steps

Code & configuration

How to prevent ERR_SSL_PROTOCOL_ERROR

Related errors

Frequently asked questions

What is the difference between a protocol error and a certificate error?

Why does this error only appear on my device?

Is it safe to ignore ERR_SSL_PROTOCOL_ERROR?

What TLS version does a website need to avoid this?

How do I clear the SSL state in my browser?

Does HSTS cause ERR_SSL_PROTOCOL_ERROR?

Can antivirus or a VPN trigger this error?

What is the difference between ERR_SSL_PROTOCOL_ERROR and ERR_SSL_VERSION_OR_CIPHER_MISMATCH?

Why do I get this error when my certificate is valid and not expired?

Can a reverse proxy or load balancer cause ERR_SSL_PROTOCOL_ERROR?

Does disabling QUIC actually fix this, or just hide it?

How do I know if the problem is my server or the wider internet path?

Catch the next outage before your visitors do.