4 months ago
Hi, I'm having some trouble when it comes to accessing my site from mobile data...
Custom domain: fantasy4.co.uk
Works on WiFi/desktop, fails on mobile data
Error: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Using Cloudflare with proxy enabled, SSL mode set to "Full"
Railway shows "Cloudflare proxy detected" and "Setup complete"
Already tried: removing/re-adding domain, purging cache, waiting 12+ hours
Any ideas? Thanks.
10 Replies
4 months ago
This thread has been marked as public for community involvement, as it does not contain any sensitive or personal information. Any further activity in this thread will be visible to everyone.
Status changed to Open brody • 4 months ago
4 months ago
Yo, basically, your site is fine, but some mobile carriers have these trash middleboxes/firewalls that freak out when they see TLS 1.3 or HTTP/3. They just drop the connection or corrupt the handshake, which is why you get that annoying SSL mismatch error on data but everything works smooth on WiFi.
The fix is easy though:
1. Hop into your Cloudflare dashboard.
2. Go to SSL/TLS > Edge Certificates.
3. Scroll down to Minimum TLS Version.
4. Change it to TLS 1.2.
Don't force it to 1.3. Setting it to 1.2 lets the buggy mobile networks fall back to an older standard they can actually handle.
4 months ago
Also, in the same dashboard → Network tab → turn off HTTP/3 (with QUIC). This stops Chrome from trying QUIC first on mobile data (many carriers throttle or break UDP/443, which causes the ERR_QUIC_PROTOCOL_ERROR you saw in one screenshot).
After making these two changes, purge the cache (Caching → Purge Everything), wait 1 to 2 minutes and test again on mobile data.
Give that a shot and tell me if it works.
4 months ago
Hi, thanks for helping.
I did the first thing you told me (changed to 1.2, was on 1.0).
I can't find the turn off HTTP/3 option in network? Am I being dumb?
Either way the first change did not appear to work :(
4 months ago
Try this for Onion Routing (I saw that it is on in the joined picture): toggle it OFF, then on the mobile device clear the browser's cache and cookies, and force-close the browser and reopen it.
I hope it works :)
4 months ago
Turned Onion Routing off and still no luck 
Thanks for trying to help though!
4 months ago
You're not dealing with a Railway issue here — the app loads fine everywhere except on mobile data, which means the TLS handshake is being broken before it even reaches Railway.
Several UK and Indian mobile ISPs (Three, Vodafone, GiffGaff, Airtel, Jio, etc.) use DPI/MITM proxies that intercept TLS and fail to negotiate modern Cloudflare edge certificates. When that happens, Chrome reports:
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
This is not caused by Cloudflare TLS version, HTTP/3, onion routing, or caching. It’s the ISP rewriting or injecting TLS and failing the handshake.
Here are the fixes that reliably solve this:
### 1. Enable “Authenticated Origin Pulls” (Cloudflare → SSL/TLS → Origin Server)
This prevents the ISP from rewriting Cloudflare's certificate and forces a clean TLS handshake.
### 2. Disable “Automatic HTTPS Rewrites”
Some ISPs break the redirect chain, causing mismatched ciphers.
### 3. Create a new subdomain (ex. www.fantasy4.co.uk)
ISPs often cache or filter apex domains differently. Subdomains bypass their broken DNS cache.
### Optional (but helps):
- Disable HTTP/3, Early Hints and 0-RTT (ISPs drop or mangle UDP/443)
- Purge Cloudflare cache afterward
After applying these, mobile data connections should start working again within 10–15 minutes.
Let me know if you want me to walk you through each setting step by step.
best kamkara!
4 months ago
Thanks for your advice. Unfortunately none of these changes worked.
What really confuses me is a friend tested it on the same mobile network provider as me (EE UK) and they could access it fine from mobile data, yet me and my partner (both on EE) can still not access it.
He could access the site before today's changes.
3 months ago
This isn’t a Railway issue — your app loads fine on WiFi/desktops, which means the TLS handshake only fails when traffic goes through your mobile carrier. UK/IN mobile ISPs (O2, Vodafone, Three, GiffGaff, Airtel, Jio, etc.) are known to break Cloudflare TLS by blocking QUIC/UDP or rewriting SNI during the handshake, which produces exactly the errors you showed:
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
ERR_QUIC_PROTOCOL_ERROR
Here’s what actually fixes it:
### 1. Disable QUIC/HTTP3 + 0-RTT + Early Hints
Cloudflare → Network → turn OFF:
- HTTP/3 (QUIC)
- 0-RTT
- Early Hints
Mobile carriers drop UDP/443, so Chrome’s QUIC attempt fails before TLS even starts.
### 2. Keep TLS 1.2 as minimum but allow fallback
Cloudflare → SSL/TLS → Edge Certificates
- Minimum TLS: 1.2
- TLS 1.3: ON
- Disable “modern only” restrictions if enabled
### 3. Create and use a subdomain
Many carriers aggressively cache/filter apex .co.uk domains.
Create for example:
app.fantasy4.co.uk
Point it as:
CNAME app → fantasy4.co.uk (proxied)
Then set this subdomain as your Railway domain.
This bypasses the carrier’s broken DNS/TLS path and usually works instantly.
Give these three a try — this combo fixes the exact symptoms you’re seeing on mobile data.
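A way to test the TLS-version theories above from the affected network (for example a laptop tethered to the phone), added here as an example and not posted by anyone in the thread: one TCP handshake pinned to each TLS version against the thread's domain, with normal certificate validation. The `probe` and `interpret` names and the wording of the readings are this example's own assumptions.

```python
import socket
import ssl

HOST = "fantasy4.co.uk"  # domain from the thread
VERSIONS = {"TLS1.2": ssl.TLSVersion.TLSv1_2, "TLS1.3": ssl.TLSVersion.TLSv1_3}


def probe(host, version, port=443, timeout=8.0):
    """Attempt one handshake over TCP pinned to a single TLS version."""
    ctx = ssl.create_default_context()  # keeps certificate validation on
    ctx.minimum_version = version
    ctx.maximum_version = version
    result = {"ok": False, "ip": None, "cipher": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            result["ip"] = raw.getpeername()[0]  # compare across networks
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result.update(ok=True, cipher=tls.cipher()[0])
    except ssl.SSLCertVerificationError as exc:
        result["error"] = "cert: " + exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def interpret(results):
    """Turn {"TLS1.2": result, "TLS1.3": result} into a one-line reading."""
    if any((r["error"] or "").startswith("cert:") for r in results.values()):
        return "certificate did not validate: the answer did not come from the expected edge"
    ok = {name for name, r in results.items() if r["ok"]}
    if ok == set(results):
        return "TLS over TCP works here: look at QUIC/UDP 443 or the device, not the TLS version"
    if ok == {"TLS1.2"}:
        return "only TLS 1.2 completes: this path breaks TLS 1.3 handshakes"
    if not ok:
        return "no handshake completes: compare the resolved IP with a working network"
    return "only " + ", ".join(sorted(ok)) + " completes"


if __name__ == "__main__":
    results = {name: probe(HOST, v) for name, v in VERSIONS.items()}
    for name, r in results.items():
        print(name, r)
    print(interpret(results))
```

Run it once on WiFi and once on mobile data and compare the `ip`, `cipher` and `error` fields side by side; QUIC is not exercised, since the probe only uses TCP.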
3 months ago