From f53af55c36f1d2f762fb209d0221050fb5705ad3 Mon Sep 17 00:00:00 2001 From: Nicolas Gayerie Date: Tue, 19 May 2026 17:08:01 +0200 Subject: [PATCH 1/2] Add ERR_SSL_PROTOCOL_ERROR troubleshooting page New page covering: - Disabling HTTP/3 for QUIC/UDP issues - Disabling TLS 1.3 for compatibility issues - ISP and network interference (DPI, SSL inspection, content filters) - Quick checklist for common causes Addresses SPM-3552 --- .../ssl/troubleshooting/connection-resets.mdx | 111 ++++++++++++++++++ 1 file changed, 111 insertions(+) create mode 100644 src/content/docs/ssl/troubleshooting/connection-resets.mdx diff --git a/src/content/docs/ssl/troubleshooting/connection-resets.mdx b/src/content/docs/ssl/troubleshooting/connection-resets.mdx new file mode 100644 index 000000000000000..dcdd8a812aa3e9c --- /dev/null +++ b/src/content/docs/ssl/troubleshooting/connection-resets.mdx @@ -0,0 +1,111 @@ +--- +title: ERR_SSL_PROTOCOL_ERROR +pcx_content_type: troubleshooting +products: + - ssl +sidebar: + order: 3 +head: + - tag: title + content: Troubleshoot ERR_SSL_PROTOCOL_ERROR +description: Learn how to troubleshoot ERR_SSL_PROTOCOL_ERROR and similar SSL/TLS protocol errors when using Cloudflare. +--- + +import { DashButton } from "~/components"; + +If visitors to your site experience SSL protocol errors such as: + +- `ERR_SSL_PROTOCOL_ERROR` (Chrome) +- `Secure Connection Failed` or `PR_END_OF_FILE_ERROR` (Firefox) +- `Safari can't open the page because it couldn't establish a secure connection to the server` (Safari) + +These errors can occur when something between the visitor and Cloudflare interferes with the SSL/TLS handshake. Common causes include protocol incompatibilities with HTTP/3 or TLS 1.3, or interference from ISP security features. + +## Quick checklist + +Use this checklist to identify common causes: + +- [ ] [Disable HTTP/3](#disable-http3) - Some networks or devices have issues with QUIC/HTTP/3 +- [ ] [Disable TLS 1.3](#disable-tls-13) - Older security software may interfere with TLS 1.3 +- [ ] [Check for ISP or network interference](#isp-and-network-interference) - Security features on the network path can interfere with SSL/TLS + +--- + +## Disable HTTP/3 + +HTTP/3 uses the QUIC protocol over UDP, which some networks, firewalls, or devices do not fully support. If visitors experience intermittent SSL protocol errors, try disabling HTTP/3. + +### How to disable HTTP/3 + +1. +2. Turn off **HTTP/3 (with QUIC)**. + +### When to suspect HTTP/3 issues + +- Errors occur intermittently, not on every request +- The issue affects only some visitors (often those on corporate networks or certain ISPs) +- Visitors report the site works after refreshing multiple times +- The issue does not occur when using a VPN + +If disabling HTTP/3 resolves the issue, the visitor's network likely blocks or mishandles UDP traffic on port 443. + +--- + +## Disable TLS 1.3 + +TLS 1.3 is the latest version of the TLS protocol and is enabled by default on Cloudflare. However, some older security software, firewalls, or network inspection devices may not fully support TLS 1.3 and can cause SSL protocol errors. + +### How to disable TLS 1.3 + +1. +2. Find **TLS 1.3** and turn it off. + +### When to suspect TLS 1.3 issues + +- Visitors using corporate networks with SSL inspection report connection issues +- The issue affects visitors using older operating systems or browsers +- Antivirus software with HTTPS scanning is installed on the visitor's device +- The error occurs consistently for specific visitors but not others + +--- + +## ISP and network interference + +Some Internet Service Providers (ISPs) and corporate networks deploy security features that can interfere with HTTPS connections. These include: + +- **Deep packet inspection (DPI)** - Inspects encrypted traffic and may interfere with connections it cannot analyze +- **SSL/TLS interception proxies** - Intercept and re-encrypt traffic, which can fail with newer protocols +- **Parental controls or content filters** - May block or interfere with connections to certain sites +- **Carrier-grade NAT (CGNAT)** - Can cause connection issues, especially with UDP-based protocols like QUIC + +### How to identify ISP interference + +Ask the affected visitor to: + +1. **Try a different network** - Use mobile data instead of Wi-Fi, or try a different ISP +2. **Use a VPN** - If the site works through a VPN, the ISP or local network is likely interfering +3. **Check with their ISP** - Some ISPs have security features that can be disabled upon request +4. **Disable local security software** - Temporarily disable antivirus or firewall software to test + +### If ISP interference is confirmed + +If the issue is caused by the visitor's ISP or network: + +- The visitor may need to contact their ISP to whitelist the domain or disable specific security features +- For corporate networks, the IT department may need to update firewall or proxy rules +- As a site owner, you have limited options since the interference occurs outside of Cloudflare + +--- + +## Additional troubleshooting + +If the above steps do not resolve the issue: + +1. **Check Cloudflare Status** - Visit [cloudflarestatus.com](https://www.cloudflarestatus.com/) to see if there are any ongoing incidents +2. **Test from multiple locations** - Use tools like [Uptrends](https://www.uptrends.com/tools/uptime-checker) to test connectivity from different geographic locations +3. **Collect diagnostic information** - Ask affected visitors to provide: + - Their IP address (from [whatismyipaddress.com](https://whatismyipaddress.com/)) + - The exact error message and browser version + - Whether the issue occurs on other devices or networks + +If the issue persists and affects many visitors, [contact Cloudflare Support](/support/contacting-cloudflare-support/) with the diagnostic information collected. From c5f31c5af131fb6de15f61500279be86ae5c84d4 Mon Sep 17 00:00:00 2001 From: Nicolas Gayerie Date: Wed, 20 May 2026 00:42:53 +0200 Subject: [PATCH 2/2] Rewrite ERR_SSL_PROTOCOL_ERROR troubleshooting page - Rename file to err-ssl-protocol-error.mdx (matches error name convention) - Fix DashButton props (url instead of path/label) - Quote description in frontmatter - Frame disabling HTTP/3 and TLS 1.3 as diagnostic tests, not permanent fixes - Add caution about security implications of disabling TLS 1.3 - Add cross-references to other common causes (certificate activation, multi-level subdomains, cipher suites) - Replace third-party tools with Cloudflare's /cdn-cgi/trace - Change 'whitelist' to 'allowlist' - Add descriptive text before DashButton components Addresses SPM-3552 --- .../ssl/troubleshooting/connection-resets.mdx | 111 --------------- .../err-ssl-protocol-error.mdx | 130 ++++++++++++++++++ 2 files changed, 130 insertions(+), 111 deletions(-) delete mode 100644 src/content/docs/ssl/troubleshooting/connection-resets.mdx create mode 100644 src/content/docs/ssl/troubleshooting/err-ssl-protocol-error.mdx diff --git a/src/content/docs/ssl/troubleshooting/connection-resets.mdx b/src/content/docs/ssl/troubleshooting/connection-resets.mdx deleted file mode 100644 index dcdd8a812aa3e9c..000000000000000 --- a/src/content/docs/ssl/troubleshooting/connection-resets.mdx +++ /dev/null @@ -1,111 +0,0 @@ ---- -title: ERR_SSL_PROTOCOL_ERROR -pcx_content_type: troubleshooting -products: - - ssl -sidebar: - order: 3 -head: - - tag: title - content: Troubleshoot ERR_SSL_PROTOCOL_ERROR -description: Learn how to troubleshoot ERR_SSL_PROTOCOL_ERROR and similar SSL/TLS protocol errors when using Cloudflare. ---- - -import { DashButton } from "~/components"; - -If visitors to your site experience SSL protocol errors such as: - -- `ERR_SSL_PROTOCOL_ERROR` (Chrome) -- `Secure Connection Failed` or `PR_END_OF_FILE_ERROR` (Firefox) -- `Safari can't open the page because it couldn't establish a secure connection to the server` (Safari) - -These errors can occur when something between the visitor and Cloudflare interferes with the SSL/TLS handshake. Common causes include protocol incompatibilities with HTTP/3 or TLS 1.3, or interference from ISP security features. - -## Quick checklist - -Use this checklist to identify common causes: - -- [ ] [Disable HTTP/3](#disable-http3) - Some networks or devices have issues with QUIC/HTTP/3 -- [ ] [Disable TLS 1.3](#disable-tls-13) - Older security software may interfere with TLS 1.3 -- [ ] [Check for ISP or network interference](#isp-and-network-interference) - Security features on the network path can interfere with SSL/TLS - ---- - -## Disable HTTP/3 - -HTTP/3 uses the QUIC protocol over UDP, which some networks, firewalls, or devices do not fully support. If visitors experience intermittent SSL protocol errors, try disabling HTTP/3. - -### How to disable HTTP/3 - -1. -2. Turn off **HTTP/3 (with QUIC)**. - -### When to suspect HTTP/3 issues - -- Errors occur intermittently, not on every request -- The issue affects only some visitors (often those on corporate networks or certain ISPs) -- Visitors report the site works after refreshing multiple times -- The issue does not occur when using a VPN - -If disabling HTTP/3 resolves the issue, the visitor's network likely blocks or mishandles UDP traffic on port 443. - ---- - -## Disable TLS 1.3 - -TLS 1.3 is the latest version of the TLS protocol and is enabled by default on Cloudflare. However, some older security software, firewalls, or network inspection devices may not fully support TLS 1.3 and can cause SSL protocol errors. - -### How to disable TLS 1.3 - -1. -2. Find **TLS 1.3** and turn it off. - -### When to suspect TLS 1.3 issues - -- Visitors using corporate networks with SSL inspection report connection issues -- The issue affects visitors using older operating systems or browsers -- Antivirus software with HTTPS scanning is installed on the visitor's device -- The error occurs consistently for specific visitors but not others - ---- - -## ISP and network interference - -Some Internet Service Providers (ISPs) and corporate networks deploy security features that can interfere with HTTPS connections. These include: - -- **Deep packet inspection (DPI)** - Inspects encrypted traffic and may interfere with connections it cannot analyze -- **SSL/TLS interception proxies** - Intercept and re-encrypt traffic, which can fail with newer protocols -- **Parental controls or content filters** - May block or interfere with connections to certain sites -- **Carrier-grade NAT (CGNAT)** - Can cause connection issues, especially with UDP-based protocols like QUIC - -### How to identify ISP interference - -Ask the affected visitor to: - -1. **Try a different network** - Use mobile data instead of Wi-Fi, or try a different ISP -2. **Use a VPN** - If the site works through a VPN, the ISP or local network is likely interfering -3. **Check with their ISP** - Some ISPs have security features that can be disabled upon request -4. **Disable local security software** - Temporarily disable antivirus or firewall software to test - -### If ISP interference is confirmed - -If the issue is caused by the visitor's ISP or network: - -- The visitor may need to contact their ISP to whitelist the domain or disable specific security features -- For corporate networks, the IT department may need to update firewall or proxy rules -- As a site owner, you have limited options since the interference occurs outside of Cloudflare - ---- - -## Additional troubleshooting - -If the above steps do not resolve the issue: - -1. **Check Cloudflare Status** - Visit [cloudflarestatus.com](https://www.cloudflarestatus.com/) to see if there are any ongoing incidents -2. **Test from multiple locations** - Use tools like [Uptrends](https://www.uptrends.com/tools/uptime-checker) to test connectivity from different geographic locations -3. **Collect diagnostic information** - Ask affected visitors to provide: - - Their IP address (from [whatismyipaddress.com](https://whatismyipaddress.com/)) - - The exact error message and browser version - - Whether the issue occurs on other devices or networks - -If the issue persists and affects many visitors, [contact Cloudflare Support](/support/contacting-cloudflare-support/) with the diagnostic information collected. diff --git a/src/content/docs/ssl/troubleshooting/err-ssl-protocol-error.mdx b/src/content/docs/ssl/troubleshooting/err-ssl-protocol-error.mdx new file mode 100644 index 000000000000000..0eb2cf34920ed77 --- /dev/null +++ b/src/content/docs/ssl/troubleshooting/err-ssl-protocol-error.mdx @@ -0,0 +1,130 @@ +--- +title: ERR_SSL_PROTOCOL_ERROR +pcx_content_type: troubleshooting +products: + - ssl +sidebar: + order: 3 +head: + - tag: title + content: Troubleshoot ERR_SSL_PROTOCOL_ERROR +description: "Learn how to troubleshoot ERR_SSL_PROTOCOL_ERROR and similar SSL/TLS protocol errors when using Cloudflare." +--- + +import { DashButton } from "~/components"; + +If visitors to your site experience SSL protocol errors such as: + +- `ERR_SSL_PROTOCOL_ERROR` (Chrome) +- `Secure Connection Failed` or `PR_END_OF_FILE_ERROR` (Firefox) +- `Safari can't open the page because it couldn't establish a secure connection to the server` (Safari) + +These errors indicate that the SSL/TLS handshake failed. This can happen for many reasons, including certificate issues, protocol incompatibilities, or network interference. + +## Rule out common causes first + +Before investigating protocol-specific issues, verify that the error is not caused by: + +- **Certificate not yet active** - If you recently added your domain, wait for your [Universal SSL certificate to activate](/ssl/edge-certificates/universal-ssl/troubleshooting/). +- **Multi-level subdomain not covered** - Universal SSL only covers one level of subdomains. Refer to [ERR_SSL_VERSION_OR_CIPHER_MISMATCH](/ssl/troubleshooting/version-cipher-mismatch/#multi-level-subdomains) for solutions. +- **Cipher suite mismatch** - Older clients may not support modern cipher suites. Refer to [cipher suites](/ssl/edge-certificates/additional-options/cipher-suites/) for configuration options. + +--- + +## Test HTTP/3 (QUIC) compatibility + +HTTP/3 uses the QUIC protocol over UDP, which some networks, firewalls, or devices do not fully support. If visitors experience intermittent SSL protocol errors, HTTP/3 may be the cause. + +### When to suspect HTTP/3 issues + +- Errors occur intermittently, not on every request +- The issue affects only some visitors (often those on corporate networks or certain ISPs) +- Visitors report the site works after refreshing multiple times +- The issue does not occur when using a VPN + +### How to test + +Temporarily disable HTTP/3 to determine if it is the cause: + +1. In the Cloudflare dashboard, go to the **Protocol Optimization** page. + +2. Turn off **HTTP/3 (with QUIC)**. +3. Ask the affected visitor to test again. + +If disabling HTTP/3 resolves the issue, the visitor's network likely blocks or mishandles UDP traffic on port 443. **Re-enable HTTP/3 after testing** and work with the visitor to identify the specific network issue. + +--- + +## Test TLS 1.3 compatibility + +TLS 1.3 is the latest version of the TLS protocol and provides improved security and performance. However, some network security devices that perform SSL/TLS inspection may not fully support TLS 1.3. + +### When to suspect TLS 1.3 issues + +- Visitors using corporate networks with SSL inspection report connection issues +- Antivirus software with HTTPS scanning is installed on the visitor's device +- The error occurs consistently for specific visitors but not others + +### How to test + +:::caution +Disabling TLS 1.3 reduces security for all visitors. Only disable it temporarily for diagnostic purposes. +::: + +Temporarily disable TLS 1.3 to determine if it is the cause: + +1. In the Cloudflare dashboard, go to the **Edge Certificates** page. + +2. Find **TLS 1.3** and turn it off. +3. Ask the affected visitor to test again. + +If disabling TLS 1.3 resolves the issue, the visitor's network has a middlebox (firewall, proxy, or antivirus) that does not support TLS 1.3. **Re-enable TLS 1.3 after testing** and ask the visitor to: + +- Update their security software to a version that supports TLS 1.3 +- Contact their IT department to update network security devices +- Temporarily disable HTTPS scanning in their antivirus software + +If you cannot identify the root cause, [contact Cloudflare Support](/support/contacting-cloudflare-support/) with packet captures from the affected visitor showing the failed TLS handshake. + +--- + +## ISP and network interference + +Some Internet Service Providers (ISPs) and corporate networks deploy security features that can interfere with HTTPS connections: + +- **Deep packet inspection (DPI)** - Inspects encrypted traffic and may interfere with connections it cannot analyze +- **SSL/TLS interception proxies** - Intercept and re-encrypt traffic, which can fail with newer protocols +- **Parental controls or content filters** - May block or interfere with connections to certain sites +- **Carrier-grade NAT (CGNAT)** - Can cause connection issues, especially with UDP-based protocols like QUIC + +### How to identify network interference + +Ask the affected visitor to: + +1. **Try a different network** - Use mobile data instead of Wi-Fi, or try a different ISP +2. **Use a VPN** - If the site works through a VPN, the ISP or local network is likely interfering +3. **Disable local security software** - Temporarily disable antivirus or firewall software to test +4. **Check with their ISP** - Some ISPs have security features that can be disabled upon request + +### If network interference is confirmed + +If the issue is caused by the visitor's ISP or network: + +- The visitor may need to contact their ISP to add the domain to an allowlist or disable specific security features +- For corporate networks, the IT department may need to update firewall or proxy rules +- As a site owner, you have limited options since the interference occurs outside of Cloudflare + +--- + +## Collect diagnostic information + +If the above steps do not resolve the issue, collect the following information from affected visitors: + +1. **Cloudflare diagnostic data** - Ask the visitor to access `https://your-domain.com/cdn-cgi/trace` and share the output +2. **Exact error message** - The full error text and error code from the browser +3. **Browser and OS version** - Including any security software installed +4. **Network information** - Whether they are on a corporate network, using a VPN, or have any proxy configured + +Check [Cloudflare Status](https://www.cloudflarestatus.com/) to verify there are no ongoing incidents affecting SSL/TLS. + +If the issue persists and affects many visitors, [contact Cloudflare Support](/support/contacting-cloudflare-support/) with the diagnostic information collected.