SSLV3 alert handshake failure occurs when a client and server cannot establish communication using the TLS/SSL protocol.

As a part of our Server Management Services, we help our Customers to fix SSL-related errors regularly.

Let us today discuss the possible causes and fixes for this error.

What causes SSLV3 alert handshake failure?

A handshake is a process that enables the TLS/SSL client and server to establish a set of secret keys with which they can communicate. During this process, the client and server:

• Agree on the version of the protocol to use.
• Select the cryptographic algorithm to be used.
• Authenticate each other by exchanging and validating digital certificates.

When the client and server cannot establish communication using the TLS/SSL protocol, the client application receives an HTTP status 503 with the message Service Unavailable. The error message often looks like this:

The possible causes for TLS/SSL handshake failures are:

1. Protocol mismatch
2. Cipher Suite mismatch
3. SNI enabled server
4. Hostname mismatch

How to fix SSLV3 alert handshake failure?

The handshake failure error most commonly occurs when the protocol used by the client is not supported by the server.

Some sites disable support for SSL 3.0 because of many exploits/vulnerabilities. It is possible to force a specific SSL version by either -2/–sslv2 or -3/–sslv3.

To fix this error, we need to ensure that the same protocols are used in the client and server. If not, we have to upgrade the client’s protocol to match that of the server.

At times, the server may not support the cipher suite used by the client. In this scenario, we must ensure that the client uses the cipher suite algorithms that the server supports.

If the backend server is Server Name Indication (SNI) enabled, but the client still cannot communicate with the SNI servers, it will trigger the error.

To solve this error, first, we need to identify the hostname and port number of the server being used and check if it is SNI enabled or not. Then make the client compatible with SNI.

Another scenario that triggers the error is when the hostname in the URL used by the client does not match the hostname in the SSL certificate stored at the server end. It could be due to an incomplete, incorrect, expired, or invalid certificate. Let us now look at each of these cases one by one.

Case 1: Hostname Mismatch

This scenario explains when the hostname used in the URL and the certificate in the Keystore of the router do not match. Two ways to fix this error include:

• Obtain a certificate (if you do not have one already) where the subject CN has a wildcard certificate, then upload the new complete certificate chain to the Keystore. For example:
  “subject”: “CN=*.domain.com, OU=Domain Control Validated, O=*.domain.com”,
• Obtain a certificate (if you do not have one already) with an existing subject CN, but use your-org.your-domain as a subject alternative name, then upload the complete certificate chain to the Keystore.

Case 2: Incomplete or Incorrect certificate chain

Issues with an incomplete or incorrect certificate chain can be fixed with the steps below:

• Obtain a certificate (if you do not have one already) that includes a complete and valid certificate chain.
• Run the following openssl command to verify that the certificate chain is correct and complete:

  openssl verify -CAfile root-cert -untrusted intermediate-cert main-cert

• Upload the validated certificate chain to the keystore.

Case 3: Expired or unknown certificate

This error is also triggered when an expired or unknown certificate is sent by the server or client either at the incoming or at the outgoing connection. Steps to fix this error include:

• Upload a new certificate and its complete chain to the keystore on the appropriate host.
• Upload the valid certificate to the trust store on the appropriate host.

[Need any further assistance in fixing SSL errors? – We’re available 24*7]

Conclusion

In short, an SSLV3 handshake failure alert occurs when a client and server cannot establish communication using the TLS/SSL protocol. Today, we saw how our Support Engineers fix this error.