TLS Negotiation failed the certificate doesn’t match the host – Top 3 fixes
Is your Gmail showing TLS Negotiation failed the certificate doesn’t match the host error? Let’s fix it.
In April 2020, Gmail started enforcing stricter checks on the SMTP servers it relays mail through. This error usually means that the name entered for the mail server is not one of the names in the SSL/TLS certificate the server presents.
At Bobcares, we frequently get requests to fix email errors as part of our Server Management Services.
Today, we’ll see how our Support Engineers track down this SSL error and get secure sending working again.
What is TLS Negotiation failed the certificate doesn’t match the host error?
Usually, this error shows up when a user sends email through Gmail’s “Send mail as” feature. Instead of sending from Google’s servers, Gmail connects to the user’s own SMTP server over TLS and relays the message through it.
In simple words, TLS negotiation is the handshake in which the client checks the server’s certificate, agrees on encryption keys and sets up the secure channel. The actual mail transfer starts only after this handshake succeeds.
If any step of that handshake fails, Gmail refuses to send and bounces the message with an error.
Recently, Gmail has tightened these checks. Since April 2, 2020, Gmail verifies that the certificate presented by the SMTP server was actually issued for the server name configured in the “Send mail as” settings: that name must appear in the certificate’s Subject Alternative Names (or, on older certificates without SANs, the Common Name). On finding a mismatch, it simply rejects the email.
Causes for TLS Negotiation failure and certificate mismatch
Now, let’s see the causes that would trigger TLS Negotiation failure and certificate mismatch.
Incorrect mail server
One of the top causes for secure sending failure is the wrong mail server name. Many times, users put their own domain name in as the SMTP server. The server answers on that name, but its certificate was never issued for it.
On shared servers, the SSL certificate on the mail service is issued to the server’s hostname, not to every customer domain hosted on it. As a result, mails bounce back with the error:
TLS Negotiation failed, the certificate doesn't match the host., code: 0
Wrong mail settings
Similarly, wrong email settings can also trigger a TLS negotiation failure. This often relates to the SMTP port.
For secure submission, most mail providers use port 587 with STARTTLS (or port 465 for implicit TLS). If the port is blocked by a firewall, or the server is not listening on it, the connection never gets as far as the TLS handshake and sending fails.
How we fix TLS Negotiation failed the certificate doesn’t match the host error
Recently, one of our customers reported this problem.
For some reason, I cannot send from my connected Gmail account. I can send and receive fine from my webmail just fine and can send emails from an outside source like Yahoo. It shows up in my Gmail just fine, but when I send anything from Gmail it bounces back with this error.
The server returned this error when deleting and adding a new email address in Google: “TLS Negotiation failed, the certificate doesn’t match the host., code: 0”.
Moving on, let’s check how our Support Engineers fix the Gmail sending email error.
Correcting mail server name
As the first step, we verified the settings used by the customer in his Gmail. He was using his domain name as the mail server. However, the certificate on the Exim mail service was issued for the web.servernamexxx.com hostname. So we asked him to change both the Outgoing (SMTP) Server and the Incoming Server in Gmail to that hostname.
To see which names the server’s certificate carries, it’s worth opening the hostname in a browser over an https:// link and inspecting the certificate; on cPanel servers, the cPanel login link on the hostname is an easy place to look. Keep in mind that the mail service can carry a different certificate from the web server, so the definitive check is against the SMTP port itself (for example with openssl s_client using its STARTTLS mode), not the website.
Choosing the right email settings
Next, we check the settings used in the Gmail interface. Here, we set the correct port, mail server, and email address.
To verify that port 587 on the mail server is reachable, we use the telnet command. Note that telnet only proves the port is open and the SMTP banner arrives; it does not perform the TLS handshake, so it will not catch a certificate mismatch. A successful connection shows up as:
user@myhome:~$ telnet xx.yyy.com 587
Trying 14.xx.yy.34...
Connected to xx.yyy.com.
Escape character is '^]'.
220 xx.yyy.com ESMTP Postfix
However, when nothing is listening on port 587 (or a firewall rejects the connection), the result will be:
telnet: Unable to connect to remote host: Connection refused
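The certificate check from the “Correcting mail server name” step (does the name configured in Gmail appear in the mail server’s certificate?) and the port 587 check above can be done in one script. The following is an added example written for this page, not code from Bobcares, cPanel or Gmail: it connects to the SMTP server, upgrades the session with STARTTLS, and compares the configured name against the certificate the way a verifier does (SAN DNS entries first, the Common Name only as a fallback on certificates without SANs, a wildcard limited to the leftmost label). The hostname web.servernamexxx.com is taken from the case above; the certificate dictionaries in the block are constructed sample data, not real certificates.

```python
import smtplib
import ssl


def _name_matches(pattern, hostname):
    """Match one certificate name against a hostname (case-insensitive).

    A wildcard is honoured only as the whole leftmost label ("*.example.com"),
    and it matches exactly one label, so "*.example.com" matches
    "mail.example.com" but neither "example.com" nor "a.b.example.com".
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, tail = hostname.partition(".")
        return bool(head) and bool(tail) and tail == pattern[2:]
    return pattern == hostname


def names_in_cert(cert):
    """Return the DNS names a verifier would accept for this certificate.

    `cert` has the shape returned by ssl.SSLSocket.getpeercert(). If the
    certificate carries subjectAltName DNS entries, only those count; the
    Common Name is consulted only on legacy certificates without a SAN.
    """
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def hostname_matches(hostname, cert):
    """True if `hostname` is covered by the certificate: the check Gmail performs."""
    return any(_name_matches(name, hostname) for name in names_in_cert(cert))


def diagnose_smtp(server, port=587, timeout=10):
    """Connect, STARTTLS, and report why Gmail would (or would not) accept `server`.

    Returns (status, details) where status is one of:
      "ok"            - certificate chain is trusted and the cert covers `server`
      "name-mismatch" - trusted certificate, but issued for other names (the
                        error this page is about); details lists those names
      "untrusted"     - chain does not validate (self-signed, expired, ...)
      "no-starttls"   - port answers SMTP but offers no STARTTLS
      "smtp-error"    - SMTP-level failure (server disconnected, bad reply)
      "unreachable"   - connection refused, timed out, or port blocked
    """
    ctx = ssl.create_default_context()
    # Chain validation stays on, but the hostname check is done by
    # hostname_matches() instead, so that on a mismatch we can still read
    # the certificate and report which names it was actually issued for.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with smtplib.SMTP(server, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return "no-starttls", []
            smtp.starttls(context=ctx)          # sends SNI = server, wraps the socket
            cert = smtp.sock.getpeercert()      # parsed dict; populated under CERT_REQUIRED
            names = names_in_cert(cert)
            status = "ok" if hostname_matches(server, cert) else "name-mismatch"
            return status, names
    except ssl.SSLCertVerificationError as exc:   # must precede OSError (it is one)
        return "untrusted", [exc.verify_message]
    except smtplib.SMTPException as exc:
        return "smtp-error", [str(exc)]
    except OSError as exc:                        # refused, timeout, DNS failure
        return "unreachable", [str(exc)]


# Constructed sample data in getpeercert() shape (not real certificates): the
# shared host's certificate from the case above, and a wildcard certificate.
SHARED_HOST_CERT = {
    "subject": ((("commonName", "web.servernamexxx.com"),),),
    "subjectAltName": (("DNS", "web.servernamexxx.com"),
                       ("DNS", "mail.servernamexxx.com")),
}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.servernamexxx.com"),)}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Usage: python check_smtp_tls.py mail.example.com [587]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 587
        print(diagnose_smtp(sys.argv[1], port))
    else:
        # Offline demonstration: the customer's domain vs the hostname the cert names.
        for configured in ("customerdomain.com", "web.servernamexxx.com"):
            print(configured, "->", hostname_matches(configured, SHARED_HOST_CERT))
```

Run it with the exact name you typed into Gmail’s SMTP Server field: a "name-mismatch" result means the port and certificate are fine but Gmail will keep rejecting that name, and the list it returns tells you which hostname to configure instead.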
The final settings in Gmail’s “Send mail as” dialog are: SMTP Server set to the server’s hostname (the name the certificate was issued for, not the customer’s domain), Port 587, Username set to the full email address together with its password, and “Secured connection using TLS” selected.
A third option is to choose Gmail’s “Unsecured connection” and send via port 25. However, this is not recommended: the message and the SMTP login password then travel across the internet in plaintext. We suggest it to customers only as a stopgap when the mail server cannot present a valid certificate at all; the proper fix remains to point Gmail at the hostname the certificate was issued for.
In short, the error TLS Negotiation failed the certificate doesn’t match the host happens due to an incorrect mail server or mail settings. Today, we saw the top 3 fixes that our Support Engineers recommend to customers to make secure email work.