Published on 2022-03-10
The SSL handshake is the negotiation that opens every HTTPS connection: the browser and the server agree on a protocol version and a cipher suite, and the server presents its certificate for the browser to verify. The protocol actually in use today is TLS (Transport Layer Security), the successor to SSL; the two names are still used interchangeably, as is the term "SSL certificate". Every step of the handshake must succeed before the HTTPS connection is established.
Thus, if SSL Handshake fails, HTTPS won’t be established, and a user may receive a “your connection is not private” warning, wherein their browser recommends against visiting the website.
Behind Cloudflare, a handshake failure between Cloudflare's edge and the origin web server is reported to the visitor as Error 525 (SSL handshake failed). The handshake between the browser and the server can also fail for client-side reasons as well as server-side ones: browser or operating-system settings, a wrong system clock, an expired or misconfigured certificate, and so on. The steps below cover the usual causes.
1. Start off by updating your system’s date/time.
This is rarely the root cause, but it is an easy fix: a system clock that is wrong by enough makes a valid certificate appear not yet valid or already expired, so the browser rejects it and the handshake fails.
2. Make sure your SSL certificate has not expired.
Publicly trusted certificates are issued for anywhere from about three months to a year (browsers have not accepted new certificates valid for more than 398 days since September 2020), so renewal comes around regularly. Many free SSL certificate checkers are available online. Look at the validity period (shown as "valid from" and "valid until") and, while you are there, the revocation status. If the certificate is unexpired and not revoked, move on. If there is a problem here, renew or replace the certificate, and make sure the full chain (leaf plus intermediates) is installed, since a missing intermediate fails verification even when the leaf itself is valid.
3. Update your browser so it supports current TLS protocol versions.
Switching to a different browser is a quick test: if the handshake succeeds there, the problem is in the original browser's version or configuration rather than on the server. A browser that is too old may not support any protocol version the server still accepts (TLS 1.0 and 1.1 are deprecated and widely disabled; current servers expect TLS 1.2 or 1.3), so update it first. On Windows, Chrome's settings > Advanced > System > Open your computer's proxy settings opens the Internet Options dialog.
On its Advanced tab, in the Security section, make sure TLS 1.2 (and TLS 1.3 where the option exists) is checked and that SSL 2.0 and SSL 3.0 are unchecked. Note that these checkboxes govern Internet Explorer and applications built on the Windows networking stack; Chrome negotiates TLS with its own library and supports TLS 1.2 and 1.3 in every current version, so for Chrome the real fix is updating the browser.
If you're using Safari, these settings cannot be edited, but TLS 1.2 (and, on recent versions, TLS 1.3) is enabled by default.
4. Make sure your server supports SNI.
Server Name Indication (SNI) is a TLS extension in which the client sends the hostname it wants at the start of the handshake, so a server hosting several sites (and therefore several certificates) on one IP address can present the matching certificate. If the client does not send SNI, or the server is not configured to use it, the server falls back to its default certificate or aborts the handshake; a certificate for the wrong name then fails the browser's hostname check and the connection is refused.
To see whether a site depends on SNI, use a free online SSL Server Test (Qualys SSL Labs provides a free and convenient option). You only need to enter your domain name.
If the tool says "This site works only in browsers with SNI support," the server relies on SNI to select its certificate, and any client that does not send it (very old browsers and some scripts or legacy tools) will fail the handshake against that site.
5. Your error may be due to a cipher suite mismatch.
Cipher suites are named sets of algorithms (key exchange, authentication, bulk encryption and integrity protection) that a TLS connection uses. Both sides must agree on one.
Behind Cloudflare, an origin that offers only cipher suites Cloudflare's edge will not negotiate produces exactly this handshake error (Error 525). You can use the same Server Test tool from above to check: its Cipher Suites section lists which protocol versions and suites your server accepts. Suites labeled "weak" or "insecure" are ones current browsers refuse to negotiate, so a server that offers only such suites (or only deprecated protocol versions) cannot complete a handshake with a modern client. To see the other side of the negotiation, run your browser through the same vendor's "SSL/TLS Capabilities of Your Browser" test, which lists the protocol versions and cipher suites the browser offers. Comparing the two lists shows whether any protocol version and cipher suite is supported by both sides; if the intersection is empty, that is the mismatch, and the fix is normally to enable a modern suite set on the server (TLS 1.2 with AES-GCM or ChaCha20-Poly1305, plus TLS 1.3).
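The script below is an added example that ties the five steps together; it is not code from the original article or from any vendor mentioned in it, and it uses only Python's standard library. probe() checks a live server with and without SNI and reports the negotiated protocol, the cipher suite, the certificate's validity window and whether the presented certificate names the host. The other functions model, offline, the failure modes the steps describe: a clock or expiry problem (steps 1 and 2), a protocol or cipher-suite mismatch (steps 3 and 5) and a server that needs SNI to pick the right certificate (step 4). The 14-day renewal warning, the `.test` hostnames, the placeholder cipher names and the dates used in the model are assumptions chosen for illustration.

```python
"""Added example for the five steps above (not code from the original article;
standard library only). probe() checks a live server, with and without SNI;
the other functions model offline the failure modes the steps describe.
Host names, cipher names and dates in the sample data are constructed."""
import socket
import ssl
import time
from typing import Optional

# Renewal warning window: an assumption for this example, not a value from the article.
EXPIRY_WARNING_SECONDS = 14 * 86400

# Protocol versions, oldest to newest, spelled the way Python's ssl module reports them.
VERSION_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def cert_time_to_epoch(cert_time: str) -> int:
    """Convert a 'notBefore'/'notAfter' string as returned by getpeercert()
    (e.g. 'Mar 10 00:00:00 2023 GMT') into seconds since the Unix epoch."""
    return int(ssl.cert_time_to_seconds(cert_time))


def classify_validity(not_before: str, not_after: str, now: int) -> str:
    """Steps 1 and 2: compare the certificate's validity window with a clock.
    A client clock that is wrong by enough makes a good certificate look
    'not_yet_valid' or 'expired', which is why fixing the clock comes first."""
    nb, na = cert_time_to_epoch(not_before), cert_time_to_epoch(not_after)
    if now < nb:
        return "not_yet_valid"
    if now > na:
        return "expired"
    if na - now < EXPIRY_WARNING_SECONDS:
        return "expiring_soon"
    return "valid"


def negotiate(client_versions, client_ciphers, server_versions, server_ciphers):
    """Steps 3 and 5, simplified: a handshake needs a protocol version and a
    cipher suite that both sides accept. Returns (True, (version, cipher)) or
    (False, reason). Real TLS also ties suites to versions (TLS 1.3 has its
    own suite list); this model leaves that out."""
    common = [v for v in VERSION_ORDER if v in client_versions and v in server_versions]
    if not common:
        return False, "protocol_mismatch"
    # Server preference: walk the server's list and take the first suite the client offered.
    for cipher in server_ciphers:
        if cipher in client_ciphers:
            return True, (common[-1], cipher)
    return False, "cipher_suite_mismatch"


def select_certificate(server_certs: dict, default_name: str, sni: Optional[str]) -> str:
    """Step 4: a server with several certificates on one IP address picks one
    by the SNI hostname. Without SNI it can only send its default certificate,
    and the browser's hostname check then fails for every other site there.
    server_certs maps hostname -> certificate (strings stand in for real certs)."""
    if sni is not None and sni in server_certs:
        return server_certs[sni]
    return server_certs[default_name]


def probe(host: str, port: int = 443, use_sni: bool = True, timeout: float = 5.0) -> dict:
    """Live check: negotiated protocol and cipher, certificate validity, and
    whether the certificate the server presented actually names `host`.
    Chain verification stays on; the hostname check is done by hand so that
    the no-SNI run can report which certificate the server fell back to."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED; names are compared below
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host if use_sni else None) as tls:
            cert = tls.getpeercert()
            names = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
            wildcard = "*." + host.split(".", 1)[1] if "." in host else ""
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "validity": classify_validity(cert["notBefore"], cert["notAfter"], int(time.time())),
                "hostname_matches": host.lower() in names or wildcard in names,
                "names": sorted(names),
            }


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    for sni in (True, False):
        try:
            print(f"SNI={sni}: {probe(target, use_sni=sni)}")
        except ssl.SSLCertVerificationError as exc:
            print(f"SNI={sni}: certificate rejected: {exc.verify_message}")
        except (ssl.SSLError, OSError) as exc:
            print(f"SNI={sni}: handshake failed: {exc}")
```

Run it as `python3 tls_check.py yourdomain.example` (the filename is yours to choose). A run that succeeds with SNI but reports `hostname_matches: False` or a verification error without it is the step-4 case; a `certificate rejected` result with an "expired" or "not yet valid" message is the step-1/step-2 case, and should be checked against the machine's clock before the certificate is blamed; a plain handshake failure on both runs points at a protocol or cipher-suite mismatch, the step-3/step-5 case.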
Following these troubleshooting steps in order is the most efficient way to pinpoint the source of a handshake error. As the list shows, a wide range of problems can trigger one, on the client/browser side as well as on the server side, and finding the source quickly matters when the error is costing your site traffic.
The good news is that if the application you're using has integrated Entri, you can avoid SSL handshake errors and other common configuration issues, because Entri automatically sets up the correct DNS settings for you. Reach out to the application you're using and tell them about Entri if you're being disrupted by the DNS setup process!