Learn how to fix the ‘ssl_error_rx_record_too_long’ Cloudflare Error Code. Our Cloudflare Support team is here to help you with your questions and concerns.
How to Resolve the ‘ssl_error_rx_record_too_long’ Cloudflare Error Code
One of our clients recently ran into the “ssl_error_rx_record_too_long” error code. Upon close examination, our experts identified the issue as a failed secure connection between a client (a web browser) and a server.
This error usually indicates that an SSL/TLS handshake was attempted on a port not properly configured for secure communication or where the SSL setup is incorrect. Today, we’ll dive into the causes and solutions for this issue, particularly when using Cloudflare.
An Overview:
- What Does the Error Indicate?
- Common Causes of the Error
- How to Fix the ‘ssl_error_rx_record_too_long’ Error
- Best Practices to Prevent This Error
What Does the Error Indicate?
- The client sends an HTTPS request expecting a secure SSL/TLS handshake.
- The server responds with data that doesn’t conform to SSL/TLS protocols, possibly plain HTTP data.
- In the case of Cloudflare, the error often points to a mismatch between Cloudflare’s SSL mode and the SSL configuration on the origin server.
Common Causes of the Error
- Incorrect SSL/TLS Port Configuration:
  SSL/TLS connections should use port 443 by default. However, this error may occur if the server is misconfigured, serving plain HTTP on port 443 or using a non-standard port for HTTPS.
- Mismatch Between Cloudflare SSL Mode and Server Configuration:
  Cloudflare’s SSL modes (Off, Flexible, Full, and Full (Strict)) need to align with the SSL setup of the origin server:
  - Flexible: Cloudflare connects to the origin server over HTTP.
  - Full: Cloudflare connects to the origin server over HTTPS without validating the certificate.
  - Full (Strict): Cloudflare connects over HTTPS, validating the certificate’s authenticity.
- Self-Signed Certificates on the Origin Server:
  Using a self-signed certificate with Cloudflare’s Full (Strict) mode causes the handshake to fail, as this mode requires a trusted CA-signed certificate.
- Outdated or Misconfigured SSL/TLS Settings:
  The origin server may use outdated protocols or cipher suites, which Cloudflare’s modern TLS requirements do not support.
- HTTP on Port 443 at the Origin Server:
  Serving plain HTTP on port 443 instead of HTTPS will cause SSL handshakes to fail.
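Why a plain-HTTP reply on port 443 (the non-TLS response and the last cause described above) surfaces as a record that is "too long": a TLS client reads the first five bytes of the reply as a record header, and for a reply beginning `HTTP/` the length field comes out as 20527, above the TLS 1.2 limit of 2^14 + 2048 bytes. This is an added example, not code from the original article; the function names are hypothetical and the sample byte strings are constructed.

```python
import struct

# Upper bound on the length field of a TLS 1.2 record: 2^14 + 2048 bytes.
MAX_RECORD_LEN = (1 << 14) + 2048
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

def read_record_header(data):
    """Read the first 5 bytes as a TLS record header: type, version, length."""
    if len(data) < 5:
        raise ValueError("a TLS record header is 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return ctype, (major, minor), length

def classify_reply(data):
    """Say whether a server's first reply bytes are TLS or plaintext HTTP."""
    ctype, version, length = read_record_header(data)
    too_long = length > MAX_RECORD_LEN
    if data.startswith(b"HTTP/"):
        verdict = "plain-http"  # a web server answering the ClientHello in clear text
    elif ctype in CONTENT_TYPES and version[0] == 3 and not too_long:
        verdict = "tls"
    else:
        verdict = "unknown"
    return {"verdict": verdict,
            "content_type": CONTENT_TYPES.get(ctype, hex(ctype)),
            "version": version, "length": length, "too_long": too_long}

# Constructed samples, not captured traffic.
HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
TLS_REPLY = bytes.fromhex("160303007a") + b"\x02" + bytes(121)  # ServerHello-shaped
TLS_ALERT = bytes.fromhex("15030300020228")  # fatal alert, handshake_failure

if __name__ == "__main__":
    for name, sample in [("http", HTTP_REPLY), ("tls", TLS_REPLY),
                         ("alert", TLS_ALERT)]:
        print(name, classify_reply(sample))
```

A `plain-http` verdict for the origin's port 443 means the listener there has no TLS enabled, which is the port misconfiguration listed above.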
How to Fix the ‘ssl_error_rx_record_too_long’ Error
- First, we have to check the Cloudflare SSL/TLS mode. So, go to the Cloudflare dashboard and confirm the SSL mode matches our origin server’s configuration:
  - Flexible: Use if the origin server does not support HTTPS.
  - Full: Use if the origin server has a self-signed certificate.
  - Full (Strict): Use if the origin server has a valid, trusted SSL certificate.
- Next, confirm the SSL Certificate on the origin server:
  - For Full (Strict) mode, ensure the origin server has a valid SSL certificate issued by a trusted Certificate Authority (CA) like Let’s Encrypt or DigiCert.
  - A self-signed certificate can suffice for Full mode but must be correctly configured.
- Then, check that the server is configured to serve HTTPS traffic on port 443.
  For example, in Apache:

      <VirtualHost *:443>
          # Enable TLS for this virtual host
          SSLEngine on
          # Certificate and its private key
          SSLCertificateFile /path/to/certificate.crt
          SSLCertificateKeyFile /path/to/private.key
      </VirtualHost>

  For example, in Nginx:

      server {
          # The "ssl" parameter makes this listener speak TLS rather than plain HTTP
          listen 443 ssl;
          # Certificate and its private key
          ssl_certificate /path/to/certificate.crt;
          ssl_certificate_key /path/to/private.key;
      }
- Next, check if the server supports modern SSL/TLS protocols (TLS 1.2 or higher) and uses secure cipher suites to comply with Cloudflare’s requirements.
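- While the SSL certificate on the origin server is still being configured, consider temporarily setting Cloudflare’s SSL mode to Flexible so that Cloudflare connects to the origin over HTTP. However, in this mode traffic between Cloudflare and the origin server is not encrypted, so treat it as a stopgap and return to Full or Full (Strict) once the certificate is in place.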
- After making changes, clear the browser’s cache and flush your DNS cache to load the updated configuration:

      # Flush DNS cache on Windows
      ipconfig /flushdns
      # Clear DNS cache on macOS
      sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder
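One way to run the mode, certificate, port and protocol checks from the steps above against the origin directly, bypassing the Cloudflare proxy (added example, not from the original article). The helper names, the placeholder origin address `192.0.2.10` and hostname, and the use of the local trust store as the measure of a "trusted" certificate are assumptions.

```python
import socket
import ssl

RANK = {"Flexible": 0, "Full": 1, "Full (Strict)": 2}
# Strongest mode each origin state can satisfy, following the article's list.
BEST_MODE = {"no-tls": "Flexible", "untrusted": "Full", "trusted": "Full (Strict)"}

def handshake(origin_addr, hostname, port, verify, timeout=5.0):
    """Do one TLS handshake with the origin; return the version, e.g. 'TLSv1.3'."""
    ctx = ssl.create_default_context()  # assumption: local trust store = "trusted CA"
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # the article's floor: TLS 1.2+
    if not verify:  # diagnostic pass only: accept any certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    # Connect to the origin's own address, not the proxied name, but send the
    # site's hostname for SNI and certificate matching.
    with socket.create_connection((origin_addr, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.version()

def probe_origin(origin_addr, hostname, port=443):
    """Return (state, tls_version); state is 'trusted', 'untrusted' or 'no-tls'."""
    try:
        return "trusted", handshake(origin_addr, hostname, port, verify=True)
    except ssl.SSLCertVerificationError:
        pass  # TLS is spoken, but the chain or hostname does not validate
    except OSError:  # includes ssl.SSLError: plain HTTP, old protocol, closed port
        return "no-tls", None
    try:
        return "untrusted", handshake(origin_addr, hostname, port, verify=False)
    except OSError:
        return "no-tls", None

def check_mode(state, configured):
    """Compare the configured Cloudflare mode with what the origin can satisfy."""
    best = BEST_MODE[state]
    if RANK[configured] > RANK[best]:
        return f"mismatch: origin is '{state}', cannot satisfy {configured}; use {best}"
    if RANK[configured] < RANK[best]:
        return f"weaker than needed: origin is '{state}' and supports {best}"
    return None

if __name__ == "__main__":
    # Placeholder address (TEST-NET-1) and name; substitute the real origin.
    state, version = probe_origin("192.0.2.10", "example.com")
    print(state, version, check_mode(state, "Full (Strict)"))
```

A `mismatch` finding for a `no-tls` origin is the situation this article describes: Cloudflare is set to Full or Full (Strict) while port 443 on the origin does not complete a TLS handshake.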
Best Practices to Prevent This Error
- Regularly update the server’s SSL/TLS settings to meet modern standards.
- Obtain certificates from reputable Certificate Authorities.
- Periodically review and align Cloudflare’s SSL mode with your server’s configuration.
- Use server logs to identify and resolve SSL handshake issues quickly.
Conclusion
The “ssl_error_rx_record_too_long” error often results from misaligned SSL configurations between Cloudflare and the origin server. We can resolve this error by addressing issues like incorrect port setups, mismatched SSL modes, or outdated protocols. Proactive SSL management ensures secure and uninterrupted communication for our web applications.
In brief, our Support Experts demonstrated how to fix the ‘ssl_error_rx_record_too_long’ Cloudflare Error Code.