Author: Government Digital Service

Wrong TLS version

What this means

A “TLS error: wrong version number” is a mismatch between the TLS (Transport Layer Security) versions supported by the client and the server. 

This can happen if the client tries to use HTTPS on an HTTP-only server, or if either the client or server is using an outdated or unsupported protocol version.

Other causes include misconfigured ports for encrypted connections, client or server clock desynchronization, or a poorly configured server that does not properly respond to the initial TLS handshake. 

Why this is a problem

When a client initiates a connection using a TLS version that your server does not support, the server will end the connection attempt.

How to check if the problem is there

Open a browser and attempt to connect to the website. If the problem is present, a TLS error will appear.

An administrator can check for TLS errors using the:

  • curl tool
  • certutil tool from a Windows PC to check the certificate status

Use the curl tool to check

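Test the connection with a given TLS version. On its own, --tlsv1.0 only sets the minimum version curl will offer, so add --tls-max to pin the test to that version.

curl -v --tlsv1.0 --tls-max 1.0 https://yourwebsite.gov.uk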

Test with a given cipher suite and TLS version.

curl -v --ciphers ECDHE-RSA-NULL-SHA --tlsv1.2 --tls-max 1.2 https://yourwebsite.gov.uk
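The same per-version check can be run across every protocol version in one pass. The following is an added example, not part of the original guidance: probe, scan and the CAUSES wording are this example's own names, and it assumes a Python build linked against OpenSSL, whose error reasons it reads.

```python
import socket
import ssl
import sys

# Each probe offers exactly one protocol version (minimum == maximum).
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}

# OpenSSL error reasons mapped to likely causes (wording is this example's own).
CAUSES = {
    "WRONG_VERSION_NUMBER": "reply was not a TLS record; is this an HTTP-only port?",
    "TLSV1_ALERT_PROTOCOL_VERSION": "server rejected this protocol version",
    "UNSUPPORTED_PROTOCOL": "server chose a version this client did not offer",
    "NO_PROTOCOLS_AVAILABLE": "local OpenSSL policy disables this version",
    "CERTIFICATE_VERIFY_FAILED": "version accepted, but the certificate chain did not verify",
}

def probe(host, port, version, timeout=5.0):
    """Attempt one handshake restricted to `version`; return (ok, detail)."""
    ctx = ssl.create_default_context()  # certificate checks stay enabled
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLError as exc:
        reason = exc.reason or "UNKNOWN"
        return False, f"{reason}: {CAUSES.get(reason, 'see the OpenSSL error text')}"
    except OSError as exc:
        return False, f"connection failed: {exc}"

def scan(host, port=443):
    """Probe every version in VERSIONS; return {label: (ok, detail)}."""
    return {label: probe(host, port, v) for label, v in VERSIONS.items()}

if __name__ == "__main__":
    # Default hostname is the placeholder used in the curl commands above.
    host = sys.argv[1] if len(sys.argv) > 1 else "yourwebsite.gov.uk"
    for label, (ok, detail) in scan(host).items():
        print(f"{label}: {'accepted' if ok else 'failed'} ({detail})")
```

A WRONG_VERSION_NUMBER result for every version points to a port that is not speaking TLS at all, while failures on only the older versions show a server that has those versions disabled.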

Use the certutil tool from a Windows PC to check

certutil -verify -urlfetch <client cert file path>

How to fix this

To resolve this issue, an administrator should make sure that:

  • their site supports the latest TLS protocols (e.g. TLS 1.2 and 1.3) and strong cipher suites
  • they verify that the certificate chain is complete and properly installed
  • the server’s SNI configuration matches the certificate’s CN and hostnames
