For some reason, I could not open some HTTPS websites (not all of them!) on my Windows 10 laptop. When trying to open such a website in a browser, it shows an error: “This site can’t provide a secure connection”. The sites are not displayed in Google Chrome, Opera, and Chromium-based browsers. Without HTTPS, I can open only some of them that have their pages available both over HTTPS and HTTP protocol. If I try to open a problem HTTPS website in Google Chrome, the error looks like this:
This site can’t provide a secure connection. sitename.com sent an invalid response. ERR_SSL_PROTOCOL_ERROR
Or like this:
This site can’t provide a secure connection. sitename.com uses an unsupported protocol. ERR_SSL_VERSION_OR_CIPHER_MISMATCH. The client and server don’t support a common SSL protocol version or cipher suite. This is likely to be caused when the server needs RC4, which is no longer considered secure.
Or in Mozilla Firefox:
Secure Connection Failed
In Opera and Chromium-based browsers, the error looks almost the same. How can I open these HTTPS websites?
Answer
As you may have understood, the problem is related to the SSL connection issues between your browser and HTTPS-enabled website. The reasons may differ. In this article, I tried to collect all methods of fixing the error “This site can’t provide a secure connection, ERR_SSL_PROTOCOL_ERROR” in popular browsers.
- Clear Browser Cache, Cookies, and Reset SSL Cache
- Disable Third-Party Browser Extensions
- Check Antivirus and Firewall Settings
- Check the Date & Time Settings
- Update Windows Root Certificates
- Disable QUIC Protocol Support
- Check the TLS/SSL Protocols Supported by Your Browser and Web Server
- Enable Support for Legacy TLS/SSL Protocols
I would like to note that despite Google Chrome, Opera, and Chromium-based browsers being released by different companies, they are using the same WebKit (Chromium) engine, and the problem of opening HTTPS sites is solved in the same way for all of them.
First of all, make sure that the problem is not with the HTTPS website itself. Try to open it from other devices (smartphone, tablet, home/work PC, etc.). Also check if you can open the problem website in other browsers: IE/Edge or Mozilla Firefox.
Clear Browser Cache, Cookies, and Reset SSL Cache
Browser cache and cookies often cause SSL certificate issues. We recommend clearing the cache and cookies in your browser first. In Chrome, press Ctrl + Shift + Delete (or go to the address chrome://settings/clearBrowserData), select the time range (All time) and click Clear data.
To clear SSL cache in Windows 10 or 11:
- Go to Control Panel -> Internet Options;
- Click the Content tab;
- Click the Clear SSL State button;
- The message “The SSL cache was successfully cleared” will appear;
- Restart your browser and check if the error ERR_SSL_PROTOCOL_ERROR persists.
Disable Third-Party Browser Extensions
We recommend disabling (or deleting) third-party browser extensions, especially anonymizers, proxies, VPNs, antivirus extensions, and other similar add-ons that can interfere with traffic to the target website. You can view the list of enabled Chrome extensions in Settings -> More Tools -> Extensions or go to chrome://extensions/. Disable all suspicious extensions.
Check Antivirus and Firewall Settings
If you have an antivirus or a firewall (it is often built into the antivirus as a module) installed on your computer, they may block access to websites. To understand if your antivirus or firewall blocks access to a site, try to pause them for a while.
Many antiviruses have a built-in module that checks the SSL/TLS certificates of websites. If the antivirus detects that the website is using an insecure (or self-signed) certificate or a legacy SSL protocol version (SSL 3.0 or TLS 1.0), it may block the user’s access to such a site. Try disabling scanning of HTTP/HTTPS traffic and SSL certificates. This option has different names in different antiviruses. For example:
- Disable the “Enable SSL/TLS protocol filtering” option in the ESET NOD32 Antivirus;
- In Avast, the option is called “Enable HTTPS scanning” (it is located under Settings -> Active Protection -> Web Shield -> Customize -> Main Settings);
- In Dr.Web antivirus, the built-in firewall (Spider Gate) can block websites;
- In Kaspersky Internet Security Antivirus, go to Settings -> Advanced -> Network -> add the website to exclusions or select the Do not scan encrypted connections option.
Check the Date & Time Settings
An incorrect date, time (or time zone) on your computer can also cause secure connection errors for HTTPS websites. During authentication, your operating system checks the date when the website certificate was created, when it expires, and when the certificate of the certification authority will expire.
Make sure that you have the correct time and time zone set. If the time is reset constantly, see the article “Windows displays wrong time after reboot”.
Update Windows Root Certificates
If your computer is in an isolated network segment, has not been updated for a long time, or has automatic update disabled, it may not have new trusted root certificates (TrustedRootCA). We recommend that you always install the latest security updates in Windows.
You can manually update trusted root certificates following the article “Updating List of Trusted Root Certificates in Windows”. Also, it is recommended to check your computer for suspicious or untrusted certificates with SigCheck. It can help to prevent capturing your HTTPS traffic and a number of other issues.
Disable QUIC Protocol Support
Check whether support for the QUIC (Quick UDP Internet Connections) protocol is enabled in Chrome. QUIC establishes the connection faster and negotiates all TLS (HTTPS) parameters when connecting to a website. However, in some cases, it can cause problems with SSL connections. Try disabling QUIC:
- Go to chrome://flags/#enable-quic;
- Find the Experimental QUIC protocol option;
- Change its value from Default to Disabled;
- Restart Chrome.
Check the TLS/SSL Protocols Supported by Your Browser and Web Server
Check which TLS/SSL protocol versions and encryption methods (cipher suites) are supported by your browser. To do this, simply go to the web page https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html
The SSL Labs online service will return a list of protocols and cipher suites that your browser supports. In my example, Chrome supports only TLS 1.3 and TLS 1.2. All other protocols (TLS 1.1, TLS 1.0, SSL3, and SSL 2) are disabled. Below is a list of supported encryption methods.
Cipher Suites (in order of preference)
- TLS_AES_128_GCM_SHA256
- TLS_CHACHA20_POLY1305_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
To list the cipher suites enabled in Windows, run the following PowerShell command:
Get-TlsCipherSuite | Format-Table -Property CipherSuite, Name
Then check the list of TLS/SSL protocols supported by the site. To do this, use the online SSL checker service https://www.ssllabs.com/ssltest/analyze.html?d=domain.com (replace domain.com with the address of the site you want to check).
Check if all TLS/SSL versions supported by the website are available in your browser.
In this example, you can see that the site doesn’t support TLS 3.1, SSL 3.0, and SSL 2.0. Also, compare the Cipher Suite list.
If the encryption method is not supported by your browser, you may need to enable it in Windows.
If the website doesn’t support the SSL protocols that the client requires, you will see the error “This site cannot provide a secure connection” in your browser when connecting to an HTTPS-enabled website.
Enable Support for Legacy TLS/SSL Protocols
And the last thing – it may happen that it is enough to enable legacy TLS and SSL protocol support to solve the problem. In most cases, it is the most effective, but I moved this item to the end of the article deliberately. I’ll explain why.
The outdated TLS and SSL protocol versions are disabled not just because the developers want it. It is due to a large number of vulnerabilities that allow hackers to capture your data in the HTTPS traffic or even modify it. Enabling these legacy protocols thoughtlessly affects your security on the Internet, so you shouldn’t use this method unless nothing else helps.
If the web server (site) uses an older version of the SSL/TLS protocol than is supported by your client (browser), the user will see the error ERR_SSL_VERSION_OR_CIPHER_MISMATCH when establishing a secure connection. This error appears if the client, during the TLS handshake stage, has detected that the site uses an encryption protocol or key length that is not supported by your browser. Above we showed how to determine the set of protocols and ciphers supported by the server.
To allow legacy versions of the SSL/TLS protocols to be used on Windows (please, again note that it is insecure!):
- Open Control Panel -> Internet Options;
- Go to the Advanced tab;
- Enable TLS 1.0, TLS 1.1 and TLS 1.2 (if it doesn’t help, enable SSL 3.0, 2.0 as well);
- Restart your browser.
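Because legacy protocols should not stay enabled after troubleshooting, here is an added PowerShell example (not part of the original article) that decodes the SecureProtocols value these Internet Options checkboxes store for the current user and lists any legacy protocol that is still switched on. The function names are hypothetical, and 0x0AA0 is a constructed sample value.

```powershell
# Bit values used in the SecureProtocols DWORD written by the
# Internet Options -> Advanced protocol checkboxes (per user).
$ProtocolBits = [ordered]@{
    'SSL 2.0' = 0x0008
    'SSL 3.0' = 0x0020
    'TLS 1.0' = 0x0080
    'TLS 1.1' = 0x0200
    'TLS 1.2' = 0x0800
    'TLS 1.3' = 0x2000
}
$LegacyProtocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'

# Hypothetical helper: turn the bitmask into one row per protocol.
function ConvertFrom-SecureProtocolMask {
    param([Parameter(Mandatory)][int]$Value)
    foreach ($name in $ProtocolBits.Keys) {
        [pscustomobject]@{
            Protocol = $name
            Enabled  = [bool]($Value -band $ProtocolBits[$name])
            Legacy   = $LegacyProtocols -contains $name
        }
    }
}

# Hypothetical helper: read the live setting for the current user.
function Get-InternetOptionsTls {
    $key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $item = Get-ItemProperty -Path $key -Name SecureProtocols -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Warning 'SecureProtocols is not set for this user; Windows defaults apply.'
        return
    }
    ConvertFrom-SecureProtocolMask -Value $item.SecureProtocols
}

# Constructed sample: 0x0AA0 = SSL 3.0 + TLS 1.0 + TLS 1.1 + TLS 1.2
ConvertFrom-SecureProtocolMask -Value 0x0AA0 | Format-Table

# Live check: every row returned is a legacy protocol that is still enabled
Get-InternetOptionsTls | Where-Object { $_.Enabled -and $_.Legacy }
```

An empty result from the last command means no legacy protocol is enabled through Internet Options for the current user.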
If none of these methods helped to get rid of the error “This site can’t provide a secure connection”, try the following:
- Make sure that there are no static records in the file C:\Windows\System32\drivers\etc\hosts. The hosts file can be used in Windows, among other things, to block access to domains and websites. To view its contents, run: Get-Content $env:SystemRoot\System32\Drivers\etc\hosts;
; - Try using a public DNS server, such as Google’s DNS servers. In the network connection settings, specify the IP address 8.8.8.8 as the preferred DNS server address;
- In the Control Panel -> Internet Options, make sure that the security level for the Internet zone is Medium-high or Medium. If High is selected, some SSL connections may be blocked by your browser;
- Perhaps the problem is related to the site certificate. Check it using an online SSL Checker;
- If your computer is using a VPN or a proxy server is configured in Windows settings, try disabling them;
- Make sure TLS 1.3 is enabled in Chrome. Go to the settings section (chrome://flags) in the address bar. Search for the TLS 1.3 option. Make sure that it is set to Enabled or Default. If it is disabled, enable it;
- If you are using one of the legacy OS versions (Windows XP or Windows 7), install the Mozilla Firefox browser instead of Chrome. Unlike Chromium-based engines, Firefox uses its own implementation modules for the SSL/TLS encryption protocols rather than those built into Windows.
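For the hosts file check in the list above, dumping the whole file makes it easy to miss an active entry among the comments. This added PowerShell example (not part of the original article) reports only the uncommented records that map the failing site or one of its subdomains to a static address. The function name is hypothetical, and the sample lines and sitename.com are constructed.

```powershell
# Hypothetical helper: find active hosts-file records for a domain.
function Find-HostsOverride {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][AllowEmptyCollection()][AllowEmptyString()]
        [string[]]$Line
    )
    $n = 0
    foreach ($raw in $Line) {
        $n++
        # Drop the comment part, then split "address name [alias ...]" on whitespace
        $fields = -split ($raw -replace '#.*$', '')
        if ($fields.Count -lt 2) { continue }   # blank or comment-only line
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            # String comparison in PowerShell is case-insensitive by default
            if ($name -eq $Domain -or $name -like "*.$Domain") {
                [pscustomobject]@{
                    LineNumber = $n
                    Address    = $fields[0]
                    HostName   = $name
                }
            }
        }
    }
}

# Constructed sample content (not taken from a real machine)
$sample = @(
    '# Sample hosts file',
    '127.0.0.1       localhost',
    '',
    '0.0.0.0         sitename.com www.sitename.com   # blocked',
    '#10.0.0.5       sitename.com'
)
# Returns two rows, both from line 4; the commented-out line 5 is ignored
Find-HostsOverride -Domain 'sitename.com' -Line $sample | Format-Table

# Live check against the real hosts file
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
Find-HostsOverride -Domain 'sitename.com' -Line @(Get-Content $hostsPath)
```

Any row returned by the live check is a static record that overrides DNS for that name; remove it from the hosts file if you did not add it yourself.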
2 comments
Perfect
Hey thanks for this. I was having this problem and have resolved it by turning off AVG’s “web shield” feature. I’d prefer not to have this security feature turned off all the time just so I can use Google though. Is there a way to make sure it only blocks genuinely dangerous sites?