
Error 525 SSL handshake failed: Various methods to resolve!

by | Dec 17, 2019

Are you looking to resolve Error 525 SSL handshake failed?

The error indicates that the SSL handshake between Cloudflare and the origin web server failed.

This problem happens mainly because of an invalid SSL certificate, closed port 443, etc.

At Bobcares, we often get requests from our customers to fix the Error 525 SSL handshake failed as part of our Server Management Services.

Today, let’s have a look at the reasons for this error. We’ll also see how our Support Engineers fix it.

 

Why Error 525 SSL handshake failed?

Error 525 essentially means the SSL handshake between Cloudflare and the origin web server failed. This in turn causes the error to pop up while accessing the website.

This error occurs on domains that use Cloudflare Full or Full (Strict) SSL mode.

The most common causes of this error are:

  • No valid SSL certificate installed on the website
  • The website is not listening on port 443.
  • SNI is not supported by the website (or sometimes not configured)
  • The cipher suites that Cloudflare uses do not match what the origin accepts

While accessing the website the error appears as:

error 525 ssl handshake

The major reasons and fixes of this error

At Bobcares, where we have more than a decade of expertise in managing servers, we see many customers face problems with error 525 SSL handshake failed.

Now, let’s see the major reasons for this error and how our Support Engineers fix it.

 

Invalid certificate

One of the major reasons for this error is that the website does not have a valid SSL certificate.

Therefore, when a customer reports the error, we check the SSL certificate expiry date. If it has expired, we install a valid SSL certificate for the domain. We also double-check that the website uses the correct certificate.

 

Port 443

Recently, one of our customers approached us with the same error. On further analysis, we traced the issue to the SSL port 443 being closed.

We checked whether port 443 was listening by running the following command.

netstat -nltp | grep :443

We could see that the port was closed and nothing was listening on it. So we opened the SSL port, and that fixed the problem.

 

SNI

Another major cause of the error is improper configuration of SNI.

Server Name Indication (SNI) allows the server to safely host multiple TLS certificates for multiple sites, all under a single IP address.

Here, we check and make sure that SNI is properly configured on the website. If SNI is not supported or not configured, this error pops up.

If the server does not support SNI, the website needs a dedicated IP address to avoid this error.

 

Cipher suites

Similarly, cipher suites can also be a cause of the 525 error.

A cipher suite is a set of algorithms that help secure a network connection that uses Transport Layer Security (TLS) or its now-deprecated predecessor Secure Socket Layer (SSL). The set of algorithms that cipher suites usually include: a key exchange algorithm, a bulk encryption algorithm, and a message authentication code (MAC) algorithm.

In certain cases, the cipher suites that Cloudflare accepts and the cipher suites that the origin server supports do not match. Thus, to fix the error, we always ensure that the version of OpenSSL on the origin supports the cipher suites that Cloudflare supports.
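The four checks above (port 443, certificate validity, SNI, protocol and cipher negotiation) can be run as a single handshake test against the origin. This is an added example, not part of the original article; the function name, the status labels, and the placeholder address `203.0.113.10` and name `example.com` are assumptions.

```python
import socket
import ssl
import sys
import time


def diagnose_origin(origin_ip, hostname, port=443, timeout=5.0):
    """Attempt one TLS handshake to the origin and map the outcome to the
    causes listed above. Returns (status, detail)."""
    # Cause: nothing is listening on the SSL port (or a firewall blocks it).
    try:
        raw = socket.create_connection((origin_ip, port), timeout=timeout)
    except OSError as exc:
        return "port_closed", str(exc)

    # The default context verifies the chain, the expiry date and the hostname.
    ctx = ssl.create_default_context()
    try:
        # server_hostname is sent as SNI; an origin without working SNI
        # answers with its default certificate and fails the hostname check.
        with raw, ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            expires = ssl.cert_time_to_seconds(cert["notAfter"])
            days_left = int((expires - time.time()) // 86400)
            return "ok", (f"{tls.version()} {tls.cipher()[0]}, "
                          f"certificate expires in {days_left} days")
    except ssl.SSLCertVerificationError as exc:
        # Expired, self-signed, or issued for a different name.
        return "certificate_invalid", exc.verify_message
    except OSError as exc:
        # Includes ssl.SSLError: no shared protocol version or cipher suite,
        # or the port does not speak TLS at all.
        return "handshake_failed", getattr(exc, "reason", None) or str(exc)


if __name__ == "__main__":
    # Placeholders: pass the real origin IP (not a Cloudflare IP) and site name.
    ip = sys.argv[1] if len(sys.argv) > 2 else "203.0.113.10"
    name = sys.argv[2] if len(sys.argv) > 2 else "example.com"
    print(diagnose_origin(ip, name))
```

The certificate is checked against the system trust store, so a self-signed or Cloudflare Origin CA certificate reports `certificate_invalid` even when the handshake itself would complete.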

 


 

Conclusion

In short, Error 525 SSL handshake failed occurs mainly due to an invalid SSL certificate, a closed port 443, an SNI problem, and so on. Today, we discussed this error in detail and saw how our Support Engineers fix it for our customers.


4 Comments

  1. Ali

    Site isn’t working properly. They are showing 525 error.

    • Sijin George

      Hello Ali,
      We will have to check your site and server settings to find out what is wrong. We’ll be happy to talk to you on chat (click on the icon at right-bottom).

    • Sijin George

      Hello Zhungo,
      We can help you with the SSL error. If you still have errors and need help, we’ll be happy to talk to you on chat (click on the icon at right-bottom).
