A website can’t function properly without an SSL certificate. If you don’t have one installed on your server, browsers will flag that your connection is not secure. SSL certificates provide strong encryption, but they are prone to various errors caused by technical mishaps or faulty configuration.
A common issue that plagues users is the SSL Handshake Failed error. In this guide, we’ll explain what it is and how to fix the Cloudflare error 525. But first things first, let’s see what the SSL Handshake is.
What is an SSL Handshake?
Without going deeper into how SSL certificates work, the SSL handshake is the first step in establishing a secure HTTPS connection between browsers and web servers. When you load a website in your browser, the latter sends a request for an encrypted connection to the server.
The process occurs in the background in a matter of milliseconds. For the connection to succeed, your browser and the website’s server must agree on a series of parameters, such as the SSL/TLS version and the cipher suite that will encrypt the communication.
Without the SSL handshake, browsers can’t establish an HTTPS connection with the servers. It’s a critical part that can go wrong for various reasons. Let’s see why sometimes the SSL Handshake fails.
What causes the SSL Handshake failure?
When the SSL handshake fails, it means the browser and the server couldn’t initiate a secure connection. In our case, error 525 indicates that the SSL handshake between a domain using the Cloudflare CDN (Content Delivery Network) and the origin server failed.
The tricky aspect of all SSL errors is that they can happen on the client-side or the server-side, and the user encountering the error can’t always fix it. Here are some potential causes on the client-side:
- A connection was intercepted by a third party.
- Browser configuration or version.
- Wrong date and time on the client’s computer.
Below are a few server-side issues:
- A cipher suite mismatch.
- A protocol used by the client that isn’t supported by the server.
- An incomplete (a missing intermediate certificate, for example), invalid, or expired certificate.
How to fix the SSL Handshake Failed Error?
There isn’t a universal fix for this particular error as it can originate in different places. The solution is to try several methods until you resolve the issue.
Below we present a few potential quick fixes.
1. Check the validity of your SSL Certificate
SSL certificates are valid for one year. If you don’t renew them before the expiry date, browsers won’t be able to establish the SSL handshake and will mark your website as not secure.
Renewing an SSL cert is similar to requesting a new one. You must submit a CSR (Certificate Signing Request) to the CA and pass the verification process. To check the status of your certificate, click the padlock icon next to your site’s URL and inspect the Certificate details. You will see when it expires.
Alternatively, you can use a free external tool to scan your certificate for potential errors and vulnerabilities. A deep scan can reveal other potential issues within your configuration. If your certificate is not valid anymore or has been revoked, renewing it should fix the problem.
2. Ensure your server supports SNI
SNI stands for Server Name Indication, an extension of the TLS (Transport Layer Security) protocol. It’s part of the SSL handshake process and ensures that client devices receive the correct SSL certificate for the website they are trying to reach. SNI allows a web server to host several TLS certificates on one IP address.
Non-technical users can use the same SSL tool we mentioned for the previous fix to see whether a website requires SNI or not. If it says that “your site works only in browsers with SNI support,” you should contact your hosting provider for support.
A more technical way is to use the OpenSSL command-line tool and check whether the server presents the correct certificate when the ClientHello carries the ‘server_name’ extension. You can run openssl s_client with and without the -servername option:
$ openssl s_client -connect host:port
$ openssl s_client -connect host:port -servername host
If the two commands return two different certificates for the same name, SNI is enabled, and the culprit of the SSL handshake failure is somewhere else. However, if the call without SNI cannot establish an SSL connection at all, SNI is either disabled or not configured properly. To fix this issue, you may change your server or switch to a dedicated IP address.
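The following script is an added example, not part of the original guide: it automates the two openssl calls above (fix 2), turns the result into a verdict, and adds the expiry check from fix 1 using openssl x509 -checkend. It assumes openssl is installed; HOST and PORT are placeholders you pass as arguments. One caveat worth knowing: OpenSSL 1.1.1 and later send SNI by default, so the “without SNI” call uses -noservername rather than simply omitting -servername.

```shell
#!/bin/sh
# Added example (not the article's own code). Assumes the openssl CLI is present.
# Usage: sh sni_check.sh HOST PORT   (HOST/PORT are placeholders)

# Print the "subject=..." line of the leaf certificate the server presents,
# or nothing if the handshake fails. $3 is the SNI name, or "" to send no SNI.
cert_subject() {
  host=$1; port=$2; sni=$3
  if [ -n "$sni" ]; then
    openssl s_client -connect "$host:$port" -servername "$sni" </dev/null 2>/dev/null
  else
    # -noservername suppresses the SNI extension on OpenSSL 1.1.1+
    openssl s_client -connect "$host:$port" -noservername </dev/null 2>/dev/null
  fi | openssl x509 -noout -subject 2>/dev/null
}

# Classify the two subject lines. An empty string means that handshake failed.
#   handshake-failed : even the SNI call fails -> look at ciphers / certificate
#   sni-required     : server only answers when SNI is sent
#   sni-enabled      : a different certificate is served with SNI (the good case)
#   same-certificate : SNI makes no difference on this host
sni_verdict() {
  nosni=$1; withsni=$2
  if [ -z "$withsni" ]; then
    echo "handshake-failed"
  elif [ -z "$nosni" ]; then
    echo "sni-required"
  elif [ "$nosni" != "$withsni" ]; then
    echo "sni-enabled"
  else
    echo "same-certificate"
  fi
}

# Exit 0 if the certificate served for $1:$2 (with SNI) stays valid for at
# least $3 more days, non-zero otherwise (fix 1: expired or soon-to-expire cert).
cert_valid_for_days() {
  host=$1; port=$2; days=$3
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -checkend "$((days * 86400))" >/dev/null 2>&1
}

# Run the comparison for one host: the two subjects are gathered with and without SNI.
sni_check() {
  sni_verdict "$(cert_subject "$1" "$2" "")" "$(cert_subject "$1" "$2" "$1")"
}

if [ "$#" -eq 2 ]; then
  sni_check "$1" "$2"
  cert_valid_for_days "$1" "$2" 30 || echo "certificate expires within 30 days or is invalid"
fi
```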
3. Ensure the Cipher Suites Match
An SSL cipher, or an SSL cipher suite, is a set of algorithms that lets browsers and web servers connect securely to each other. A cipher mismatch occurs when the browser cannot establish a secure connection with a web server that uses HTTPS and SSL. In our case, the cipher suites your server uses don’t support or match what’s used by Cloudflare, resulting in the ‘SSL Handshake Failed Error.’
One possible cause of cipher mismatch might be the now-deprecated RC4 cipher suite. It was removed in Chrome version 48 but may still appear in larger enterprise systems, which notably take longer to upgrade.
To check what ciphers may be causing the problem, we recommend the Qualys SSL Labs server test. Just run a quick scan and look for the cipher details under the Cipher Suites section. If some ciphers have the “WEAK” label, you might need to replace them or try the solutions we’ve already provided in this guide.
4. Update the date and time on your machine
If the date and time on your computer don’t synchronize with the global Internet time server, your browser may display the ‘SSL Handshake Failed Error.’ Here’s how to update your date and time:
- Click the Windows Key and go to the Control Panel
- Select Clock and Region
- Under Date and Time select Set the time and date
- Open the Internet Time tab
- If your computer isn’t set to automatically synchronize on a scheduled basis, click Change settings, and check the Synchronize with an Internet time server checkbox.
If you’re using Mac:
- Select Apple menu > System Preferences, then click Date & Time.
- Click the lock icon in the corner of the window, then enter your administrator password to unlock the settings.
- In the Date & Time pane, ensure that Set date and time automatically is selected and your Mac is connected to the internet.
SSL errors are not a pretty sight, and to make things worse, it may take you a while to pinpoint the reason triggering them. In this regard, the ‘SSL Handshake Failed’ error is no exception. To fix it, you need to investigate your SSL certificate for potential problems with an SSL scanner tool and try the methods outlined in this guide. For more SSL error troubleshooting, check our detailed tutorials about fixing different SSL errors.
If you find any inaccuracies, or you have details to add to this SSL tutorial, please feel free to send us your feedback at [email protected] Your input would be greatly appreciated! Thank you.
Internet illustrations by Storyset