Uses an unsupported protocol err ssl version or cipher mismatch

BlogDocsGet SupportContact SalesFeatured ProductsDropletsScalable virtual machinesKubernetesScale more effectivelyAI / MLBuild and scale AI modelsCloudwaysManaged cloud hostingApp PlatformGet apps to market fasterSee all productsOur CommunityCommunity HomeDevOps and development guidesCSS-TricksAll things web designThe WaveContent to level up your business.ResourcesTutorialsQuestions and AnswersMarketplaceToolsWrite for DOnationsCloud ChatsCustomer StoriesDigitalOcean BlogPricing CalculatorDigitalOcean Partner ProgramsBecome a PartnerPartner Services ProgramMarketplaceHatch Partner ProgramConnect with a PartnerFeatured Partner ArticlesCloud cost optimization best practicesRead moreHow to choose a cloud providerRead moreDigitalOcean vs. AWS Lightsail: Which Cloud Platform is Right for You?Read morePricingBlogDocsGet SupportContact SalesTutorialsQuestionsProduct DocsCloud ChatsQuestionAfter I added a custom domain to my app, when I visit that domain it shows me a SSL version or cipher mismatch error.This site can’t provide a secure my-website.com uses an unsupported protocol.ERR_SSL_VERSION_OR_CIPHER_MISMATCHSubmit an answerThis textbox defaults to using Markdown to format your answer.You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!Sign In or Sign Up to AnswerThese answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Are configured. For example, negotiation order is the same regardless of whether tls_version has a value of TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 or TLSv1.3,TLSv1.2,TLSv1.1,TLSv1. TLSv1.2 does not work with all ciphers that have a key size of 512 bits or less. To use this protocol with such a key, set the ssl_cipher system variable on the server side or use the --ssl-cipher client option to specify the cipher name explicitly: AES128-SHAAES128-SHA256AES256-SHAAES256-SHA256CAMELLIA128-SHACAMELLIA256-SHADES-CBC3-SHADHE-RSA-AES256-SHARC4-MD5RC4-SHASEED-SHA For better security, use a certificate with an RSA key size of at least 2048 bits. If the server and client do not have a permitted protocol in common, and a protocol-compatible cipher in common, the server terminates the connection request. Examples: If the server is configured with tls_version=TLSv1.1,TLSv1.2: Connection attempts fail for clients invoked with --tls-version=TLSv1, and for older clients that support only TLSv1. Similarly, connection attempts fail for replicas configured with MASTER_TLS_VERSION = 'TLSv1', and for older replicas that support only TLSv1. If the server is configured with tls_version=TLSv1 or is an older server that supports only TLSv1: Connection attempts fail for clients invoked with --tls-version=TLSv1.1,TLSv1.2. Similarly, connection attempts fail for replicas configured with MASTER_TLS_VERSION = 'TLSv1.1,TLSv1.2'. MySQL permits specifying a list of protocols to support. This list is passed directly down to the underlying SSL library and is ultimately up to that library what protocols it actually enables from the supplied list. Please refer to the MySQL source code and the OpenSSL SSL_CTX_new() documentation for information about how the SSL library handles this.Monitoring Current Client Session TLS Protocol and Cipher To determine which encryption TLS protocol and cipher the current client session uses, check the session values of the Ssl_version and Ssl_cipher status variables: mysql> SELECT * FROM performance_schema.session_status WHERE VARIABLE_NAME IN ('Ssl_version','Ssl_cipher');+---------------+---------------------------+| VARIABLE_NAME | VARIABLE_VALUE |+---------------+---------------------------+| Ssl_cipher | DHE-RSA-AES128-GCM-SHA256 || Ssl_version | TLSv1.2 |+---------------+---------------------------+ If the connection is not

Connections that use TLS.v1.3, MySQL uses the SSL library default ciphersuite list. For encrypted connections that use TLS protocols up through TLSv1.2, MySQL passes the following default cipher list to the SSL library. ECDHE-ECDSA-AES128-GCM-SHA256ECDHE-ECDSA-AES256-GCM-SHA384ECDHE-RSA-AES128-GCM-SHA256ECDHE-RSA-AES256-GCM-SHA384ECDHE-ECDSA-CHACHA20-POLY1305ECDHE-RSA-CHACHA20-POLY1305ECDHE-ECDSA-AES256-CCMECDHE-ECDSA-AES128-CCMDHE-RSA-AES128-GCM-SHA256DHE-RSA-AES256-GCM-SHA384DHE-RSA-AES256-CCMDHE-RSA-AES128-CCMDHE-RSA-CHACHA20-POLY1305 These cipher restrictions are in place: As of MySQL 8.0.35, the following ciphers are deprecated and produce a warning when used with the server system variables --ssl-cipher and --admin-ssl-cipher: ECDHE-ECDSA-AES128-SHA256ECDHE-RSA-AES128-SHA256ECDHE-ECDSA-AES256-SHA384ECDHE-RSA-AES256-SHA384DHE-DSS-AES128-GCM-SHA256DHE-RSA-AES128-SHA256DHE-DSS-AES128-SHA256DHE-DSS-AES256-GCM-SHA384DHE-RSA-AES256-SHA256DHE-DSS-AES256-SHA256ECDHE-RSA-AES128-SHAECDHE-ECDSA-AES128-SHAECDHE-RSA-AES256-SHAECDHE-ECDSA-AES256-SHADHE-DSS-AES128-SHADHE-RSA-AES128-SHATLS_DHE_DSS_WITH_AES_256_CBC_SHADHE-RSA-AES256-SHAAES128-GCM-SHA256DH-DSS-AES128-GCM-SHA256ECDH-ECDSA-AES128-GCM-SHA256AES256-GCM-SHA384DH-DSS-AES256-GCM-SHA384ECDH-ECDSA-AES256-GCM-SHA384AES128-SHA256DH-DSS-AES128-SHA256ECDH-ECDSA-AES128-SHA256AES256-SHA256DH-DSS-AES256-SHA256ECDH-ECDSA-AES256-SHA384AES128-SHADH-DSS-AES128-SHAECDH-ECDSA-AES128-SHAAES256-SHADH-DSS-AES256-SHAECDH-ECDSA-AES256-SHADH-RSA-AES128-GCM-SHA256ECDH-RSA-AES128-GCM-SHA256DH-RSA-AES256-GCM-SHA384ECDH-RSA-AES256-GCM-SHA384DH-RSA-AES128-SHA256ECDH-RSA-AES128-SHA256DH-RSA-AES256-SHA256ECDH-RSA-AES256-SHA384ECDHE-RSA-AES128-SHAECDHE-ECDSA-AES128-SHAECDHE-RSA-AES256-SHAECDHE-ECDSA-AES256-SHADHE-DSS-AES128-SHADHE-RSA-AES128-SHATLS_DHE_DSS_WITH_AES_256_CBC_SHADHE-RSA-AES256-SHAAES128-SHADH-DSS-AES128-SHAECDH-ECDSA-AES128-SHAAES256-SHADH-DSS-AES256-SHAECDH-ECDSA-AES256-SHADH-RSA-AES128-SHAECDH-RSA-AES128-SHADH-RSA-AES256-SHAECDH-RSA-AES256-SHADES-CBC3-SHA The following ciphers are permanently restricted: !DHE-DSS-DES-CBC3-SHA!DHE-RSA-DES-CBC3-SHA!ECDH-RSA-DES-CBC3-SHA!ECDH-ECDSA-DES-CBC3-SHA!ECDHE-RSA-DES-CBC3-SHA!ECDHE-ECDSA-DES-CBC3-SHA The following categories of ciphers are permanently restricted: !aNULL!eNULL!EXPORT!LOW!MD5!DES!RC2!RC4!PSK!SSLv3 If the server is started with the ssl_cert system variable set to a certificate that uses any of the preceding restricted ciphers or cipher categories, the server starts with support for encrypted connections disabled.Connection TLS Protocol Negotiation Connection attempts in MySQL negotiate use of the highest TLS protocol version available on both sides for which a protocol-compatible encryption cipher is available on both sides. The negotiation process depends on factors such as the SSL library used to compile the server and client, the TLS protocol and encryption cipher configuration, and which key size is used: For a connection attempt to succeed, the server and client TLS protocol configuration must permit some protocol in common. Similarly, the server and client encryption cipher configuration must permit some cipher in common. A given cipher may work only with particular TLS protocols, so a protocol available to the negotiation process is not chosen unless there is also a compatible cipher. If TLSv1.3 is available, it is used if possible. (This means that server and client configuration both must permit TLSv1.3, and both must also permit some TLSv1.3-compatible encryption cipher.) Otherwise, MySQL continues through the list of available protocols, using TLSv1.2 if possible, and so forth. Negotiation proceeds from more secure protocols to less secure. Negotiation order is independent of the order in which protocols