ERR_SSL_VERSION_OR_CIPHER_MISMATCH error


Article ID: 253723


Updated On:


ProxySG Software - SGOS


The following URL is not accessible via the proxy. It works fine when bypassed.

The error below is received when the request is intercepted via the proxy: use an unsupported protocol





Release :


Having investigated the uploaded log data, we see the below.

From the PCAP, we see that the transaction repeatedly failed because of the FATAL TLS error, triggered by the attempted TLS handshake by the destination host (, using TLS 1.0. The Proxy sent the Client Hello using TLS 1.2, which is recommended. Please see the snippet below, for further details.

This is the reason for the reported "ERR_SSL_VERSION_OR_CIPHER_MISMATCH" error. The issue is caused by the destination host, (, not attempting the TLS handshake with the same TLS protocol version, leading to the mismatch reported. The ciphers from TLS 1.0 and TLS 1.2 are not the same.
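To check a capture of your own for this pattern, the following added example (not part of the original article and not vendor code) parses raw TLS record bytes and reports the version offered in the ClientHello alongside any fatal alert returned. The function names are hypothetical and the sample bytes are constructed, not taken from the article's PCAP.

```python
import struct

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
ALERTS = {40: "handshake_failure", 70: "protocol_version", 71: "insufficient_security"}

def tls_records(data):
    """Yield (content_type, record_version, payload) for each complete TLS record."""
    pos = 0
    while pos + 5 <= len(data):
        ctype, version, length = struct.unpack_from("!BHH", data, pos)
        payload = data[pos + 5 : pos + 5 + length]
        if len(payload) < length:
            break  # truncated capture: stop instead of misparsing
        yield ctype, version, payload
        pos += 5 + length

def summarize(data):
    """List the hellos and alerts found in one direction of a TLS stream."""
    found = []
    for ctype, version, payload in tls_records(data):
        if ctype == 22 and len(payload) >= 6 and payload[0] in (1, 2):
            # Handshake: type(1) + length(3), then the 2-byte hello version.
            # (A TLS 1.3 hello also carries 0x0303 here; not handled in this sketch.)
            kind = "ClientHello" if payload[0] == 1 else "ServerHello"
            hello = struct.unpack_from("!H", payload, 4)[0]
            found.append((kind, VERSIONS.get(hello, hex(hello))))
        elif ctype == 21 and len(payload) == 2:
            # Unencrypted alert: level (2 = fatal) + description.
            level = "fatal" if payload[0] == 2 else "warning"
            found.append(("Alert", VERSIONS.get(version, hex(version)), level,
                          ALERTS.get(payload[1], str(payload[1]))))
    return found

def negotiation_failure(sent, received):
    """Return (offered_version, alert_record_version, alert_name) or None."""
    offered = [f[1] for f in summarize(sent) if f[0] == "ClientHello"]
    for f in summarize(received):
        if f[0] == "Alert" and f[2] == "fatal" and f[3] in ALERTS.values() and offered:
            return offered[0], f[1], f[3]
    return None

# Constructed sample bytes (not taken from the article's PCAP).
_body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
_hs = b"\x01" + len(_body).to_bytes(3, "big") + _body
CLIENT_HELLO = b"\x16\x03\x01" + len(_hs).to_bytes(2, "big") + _hs
SERVER_ALERT = bytes.fromhex("15 03 01 00 02 02 46")  # fatal protocol_version

if __name__ == "__main__":
    print(negotiation_failure(CLIENT_HELLO, SERVER_ALERT))
```

Feed it the reassembled TCP payload of each direction, for example as exported from a packet analyzer's stream view.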


The ProxySG forward proxy service is designed to use the same SSL parameters upstream and downstream. It cannot run two separate sessions as this case would require, so it cannot upscale or downscale the SSL version.

It is strongly recommended not to enable TLS 1.0 on the ProxySG, for security reasons. Please refer to the Tech. Article with the URL below.


Where the reported URL cannot make TLS calls using TLS 1.2 or later, we recommend not intercepting this request (bypass only). You may use the CPL below for the recommended bypass.

url.domain="" ssl.forward_proxy(no)  

Additionally, do not detect the protocol for this URL. To do this as an exception rule, you will need to add a CPL layer, or modify the Local Policy on your ProxySG, with a rule based on the source or destination. For example:

<proxy> detect_protocol (none)

By destination IP Address
url.address= detect_protocol (none)

By User Agent (not all applications report a User-Agent, so this may not be an option for all scenarios):

User-Agent="application-specific-agent-name" detect_protocol (none)

Ref. docs.:

Additional doc.: