What is SSL HandShake

How to fix the "SSL Handshake failed" error (5 methods)

If you install a Secure Sockets Layer (SSL) certificate on your WordPress website, it can use HTTPS to ensure secure connections. Unfortunately, there are a variety of things that can go wrong when confirming a valid SSL certificate and establishing a connection between your website's server and a visitor's browser.

If you've encountered an "SSL Handshake Failed" error message and are confused about what it means, you are not alone. It's a common mistake that doesn't say much on its own. While this can be a frustrating experience, the good news is that there are simple steps you can take to solve the problem.

In this post, we are going to explain what the SSL Handshake Failed error is and what causes it. Then we will offer you different methods that you can use to fix it.

Let's begin!

An introduction to the SSL handshake

Before we go into more detail about what causes a TLS or SSL handshake error, it is helpful to understand what the TLS / SSL handshake is. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are protocols that are used to authenticate data transfers between servers and external systems such as browsers.

SSL certificates are required to secure your website over HTTPS. We won't go into too much detail about the difference between TLS and SSL as it is a minor difference. The terms are often used interchangeably, so for convenience we'll use “SSL” to refer to both.

An SSL handshake is the first step in the process of establishing an HTTPS connection. In order to authenticate and establish the connection, the user's browser and the website server must go through a series of checks (the handshake) that determine the parameters of the HTTPS connection.

To explain: The client (usually the browser) sends a request for a secure connection to the server. After the request is sent, the browser sends a public key to your computer and verifies this key against a list of certificates. The computer then generates a key and encrypts it with the public key sent by the browser.

To cut a long story short: no secure connection is established without the SSL handshake. This can pose a significant security risk. There are also many moving parts involved in this process.

That means there are many different ways that something could go wrong and cause a failed handshake.

Faced with the 'SSL Handshake Failed' error? 🤝 Check out how to solve it using these 5 methods ⤵️Click to Tweet

Understand what is causing the SSL handshake error

An SSL handshake error or Error 525 means that the server and the browser could not establish a secure connection. This can happen for a variety of reasons.

In general, an error 525 means that the SSL handshake between a domain using Cloudflare and the original web server failed:

The message Error 525 SSL handshake failed in Google Chrome

However, it is also important to understand that SSL errors can occur on the client or server side. Common causes of SSL errors are on the client side

  • The wrong date or time on the client device.
  • An error in the browser configuration.
  • A connection that is intercepted by a third party.

Some server-side causes include:

  • A mismatch in the cipher suite.
  • A protocol used by the client that is not supported by the server.
  • A certificate that is incomplete, invalid, or has expired.

If the SSL handshake fails, the problem can usually be traced back to an error in the website or the server and their SSL configurations.

How To Fix SSL Handshake Failed Error (5 Methods)

There are several possible causes behind the "SSL Handshake Failed" error. So there is no easy answer when it comes to how you should fix it.

Fortunately, there are a handful of methods you can use to begin researching potential problems and fixing them one at a time. Let's look at five strategies you can use to try to resolve the SSL Handshake Failed error.

1. Update your system date and time

Let's start with one of the less likely causes, but it's incredibly easy to correct if it's the problem: your computer's time.

If your system is using the wrong date and time, it can break the SSL handshake. If the system clock deviates from the actual time, e.g. if it is set too far in the future, this can interfere with the SSL certificate checking.

Your computer's time could have been set incorrectly through human error or simply by a mistake in your settings. Whatever the reason, it's a good idea to check your system time and make sure your system time is correct, and update it if it isn't.

If your watch shows the correct information, you can of course assume that this is not the cause of the "SSL Handshake failed" problem.

2. Check if your SSL certificate is valid

Expiration dates are set on SSL certificates to ensure that their validation information remains correct. In general, these certificates are valid for between six months and two years.

If an SSL certificate has been revoked or has expired, the browser recognizes this and cannot complete the SSL handshake. If it's been more than a year or so since you installed an SSL Certificate on your website, it may be time to reissue it.

To view the status of your SSL certificate, you can use a tool for checking SSL certificates, such as the one offered by Qualys:

The SSL Server Test Tool on the Qualys website

This tool is both reliable and free to use. You only need to enter your domain name in the "Hostname" field and then click on "Send“To click. Once the checker has analyzed your website's SSL configuration, it will present you with some results:

Would you like to know how we increased our traffic by over 1000%?

Be one of the 20,000+ people who receive weekly newsletters with insider tips about WordPress!

Subscribe now

The results page of the Qualys SSL Checker Tool

On this page you can find out if your certificate is still valid and see if it has been revoked for any reason.

In any case, updating your SSL certificate should fix the handshake error (and is essential for the security of your website and your WooCommerce shop).

3. Configure your browser for the latest SSL / TLS protocol support

Sometimes the best way to determine the source of a problem is through the process of eliminating it. As we mentioned earlier, the failure of the SSL handshake can often be due to a misconfiguration of the browser.

The quickest way to determine if a particular browser is the problem is to try switching to a different browser. This can at least help isolate the problem. You can also try disabling all plugins and resetting your browser to the default settings.

Another potential browser-related problem is protocol mismatch. For example, if the server only supports TLS 1.2 but the browser is only configured for TLS 1.0 or TLS 1.1, there is no mutually supported protocol. This will inevitably lead to an SSL handshake error.

How you can check if this problem occurs depends on the browser you are using. As an example, let's look at how the process works in Chrome. First you open your browser and go to Settings> Advanced. This expands a number of menu options.

Under the heading system you click on Open your computer's proxy settings:

The system settings page in Google Chrome

A new window is opening up. Next, select the tab Extended. Under the section security, check that the box next to Use TLS 1.2 is selected. If not, check this option:

The advanced settings of the Internet properties in Windows

It is also recommended that you clear the boxes for SSL 2.0 and SSL 3.0.

The same also applies to TLS 1.0 and TLS 1.1, as these are being phased out. When you're done, click the button OK and check if the handshake error has been fixed.

Note that if you are using Apple Safari or Mac OS, there is no option to enable or disable the SSL protocols. TLS 1.2 is automatically enabled by default. If you're using Linux, you can read Red Hat's guide to TLS hardening.

4. Check that your server is properly configured to support SNI

It is also possible that the failure of the SSL handshake was caused by an incorrect SNI (Server Name Indication) configuration. The SNI is what enables a web server to securely host multiple TLS certificates for one IP address.

Every website on a server has its own certificate. However, if the server is not SNI-capable, this can lead to an SSL handshake error, as the server may not know which certificate to show.

There are a couple of ways to check and see if a website needs SNI. One possibility is the Qualys SSL server test, which we discussed in the previous section. Enter your website's domain name, then click the Submit Button.

On the results page, look for a message that reads: "This website only works in browsers that support SNI":

The summarized results page of the Qualys SSL Checker Tool

Another approach to determining if a server is using SNI is to look up the server names in the 'ClientHello' message. This is a more technical process, but it can provide a lot of information.

This includes searching the extended hello header for a ’server_name’ field to see if the correct certifications are being displayed.

If you are familiar with tools like the OpenSSL toolkit and Wireshark, you may prefer this method. You can use with or without the option:

If you get two different certificates with the same name, it means that the SNI is supported and configured correctly.

However, if the output in the returned certificates is different, or if the call cannot establish an SSL connection without SNI, it means that SNI is required but is not configured correctly. To solve this problem, you may need to switch to a dedicated IP address.

5. Make sure that the cipher suites fit together

If you are still unable to identify the cause of the SSL handshake failure, it could be due to a mismatch in the cipher suite. In case you are not familiar with the term 'cipher suites', the 'cipher suites' refer to a number of algorithms, including those used for key exchange, bulk encryption and message authentication code used to secure SSL and TLS - Network connections can be used.

If the cipher suites a server is using do not support or match what is used by Cloudflare, this can lead to an "SSL Handshake Failed" error.

When it comes to finding out whether there is a cipher suite error, the Qualys SSL Server Test is once again a useful tool.

If you enter your domain and click on Submit If you click, you will see a summary analysis page. You can find the encryption information under the section Cipher suites Find:

The cipher suites section in a Qualys SSL report

You can use this page to find out which ciphers and protocols the server supports. You should be on the lookout for anyone showing the 'weak' status. The specific algorithms for the cipher suites are also described here.

To fix this problem, you can compare the results to what your browser supports by using the Qualys SSL / TLS capabilities of your browser tool. For more detailed information and instructions on the Cipher Suites, we also recommend taking a look at the ComodoSSLStore guide.

Confused by the 'SSL Handshake failed' error message? This guide explains what it is and, most importantly, 5 ways to fix it 🙌Click to Tweet

Summary

One of the most confusing, yet common problems associated with SSL is the "SSL Handshake Failed" error. Dealing with this error can be stressful as it has many potential causes, including both client and server-side issues.

However, there are some reliable solutions that you can use to identify and fix the problem. Here are five ways you can fix the SSL "Handshake Failed" error:

  1. Update your system date and time.
  2. Check that your SSL certificate is valid (and reissue it if necessary).
  3. Configure your browser to support the latest TLS / SSL versions.
  4. Check that your server is properly configured to support SNI.
  5. Make sure the cipher suites match.

If you enjoyed this tutorial, then you will love our support. All of Kinsta's hosting plans include 24/7 support from our seasoned WordPress developers and engineers. Chat with the same team that supports our Fortune 500 customers. Check out our packages here