Troubleshooting SSL Handshake Failures
Learn why SSL/TLS handshakes fail, how to diagnose protocol, cipher, SNI, certificate chain and CDN/origin issues, and how to fix them.
Introduction
An SSL/TLS handshake failure means the client and server could not establish a secure HTTPS connection. The browser, API client, CDN or server tried to negotiate TLS, but the negotiation failed before normal page content could load.
Handshake failures can be caused by old TLS versions, unsupported cipher suites, missing SNI, invalid certificate chains, client certificate requirements, CDN/origin SSL mismatch, firewall interference or server misconfiguration. The fix depends on where the handshake fails and which side cannot agree.
Quick answer
SSL handshake failures happen when the client and server cannot agree on a secure TLS connection. Check supported TLS versions, cipher suites, SNI, certificate chain, hostname coverage, CDN/origin SSL settings and server logs. Test the public hostname and the origin separately if a CDN is used.
SSL handshake failure
The SSL/TLS handshake is the negotiation that happens before secure HTTPS traffic begins.
- The client connects to the server.
- Supported TLS versions are negotiated.
- Cipher suites are selected.
- The server presents a certificate.
- The client verifies trust and hostname.
- Encryption keys are established.
- Secure communication begins.
If this process fails, the page or API request may stop before any normal HTTP response is returned.
Error messages
Browser errors
ERR_SSL_PROTOCOL_ERROR, ERR_SSL_VERSION_OR_CIPHER_MISMATCH, PR_END_OF_FILE_ERROR, SSL_ERROR_HANDSHAKE_FAILURE_ALERT, NET::ERR_CERT_INVALID
Command-line / API errors
handshake failure, TLS alert handshake failure, certificate verify failed, unable to get local issuer certificate, wrong version number, no shared cipher
CDN errors
SSL handshake failed, origin SSL error, Cloudflare 525, Cloudflare 526, TLS negotiation failed
Different tools use different wording, but the root issue is usually TLS negotiation, certificate validation or CDN/origin configuration.
Where it fails
Before fixing the issue, identify where the handshake fails.
- Browser to website
- Browser to CDN edge
- CDN to origin server
- API client to server
- Load balancer to backend
- Reverse proxy to application
- Mail or web service using TLS internally
If a CDN is active, visitors may connect successfully to the CDN while the CDN fails to connect securely to the origin server.
TLS version mismatch
A TLS version mismatch happens when the client and server do not support a common protocol version.
- Server only supports old TLS versions
- Client requires TLS 1.2 or TLS 1.3
- Server disables TLS 1.2 accidentally
- Old client cannot support modern TLS
- CDN edge and origin use different TLS requirements
Enable:
TLS 1.2
TLS 1.3
Disable:
SSLv2
SSLv3
TLS 1.0
TLS 1.1
If you disable old protocols, test business-critical legacy clients before applying changes widely.
Cipher mismatch
Cipher suites define which cryptographic algorithms the client and server can use. If there is no shared cipher suite, the handshake can fail.
- Server allows only outdated ciphers
- Client rejects weak ciphers
- Server configuration is too restrictive
- Old Java, OpenSSL or embedded client cannot negotiate
- CDN or load balancer has a different cipher profile
For most websites, using a modern recommended TLS profile from the hosting provider, CDN or server stack is safer than manually inventing cipher settings.
SNI problems
SNI, or Server Name Indication, lets the client tell the server which hostname it wants during the TLS handshake. This is important when multiple HTTPS sites share the same IP address.
- Old clients do not send SNI
- Server virtual host is misconfigured
- Wrong default certificate is served
- CDN or proxy sends the wrong SNI to origin
- Origin certificate does not match the SNI hostname
If the wrong certificate appears only for some clients, SNI may be involved.
Why this matters
Handshake failures matter because the secure connection fails before the website can load normally. Users may see browser errors, APIs may fail, CDNs may return origin SSL errors and monitoring tools may report downtime even when the web server itself is running.
A handshake failure is often more severe than a normal HTTP error because the client may never receive a useful HTTP response.
How to diagnose
Use SSL Checker, Website Status Checker and command-line tests to identify whether the issue is certificate, protocol, cipher, SNI, CDN or origin related.
When checking handshake failures, review
These seven checks help narrow down the cause.
Public hostname
Test the exact domain visitors use.
Certificate status
Check expiry, hostname match, issuer and chain.
TLS versions
Confirm supported TLS versions.
Cipher suites
Check whether modern clients have shared ciphers.
SNI behavior
Test with the correct server name.
CDN vs origin
Test both public CDN hostname and origin if applicable.
Server logs
Review Nginx, Apache, LiteSpeed, CDN, proxy or application logs.
openssl s_client -connect example.com:443 -servername example.com
openssl s_client -connect example.com:443 -servername example.com -showcerts
openssl s_client -connect example.com:443 -servername example.com -tls1_2
openssl s_client -connect example.com:443 -servername example.com -tls1_3
curl -Iv https://example.com
openssl s_client -connect 192.0.2.10:443 -servername example.com
These examples are illustrative. Replace example.com and IP addresses with your real hostname and server values.
Check SSL handshake
Use SSL Checker to inspect certificate, TLS version support, chain and HTTPS configuration.
Common problems
No shared TLS version
HighClient and server cannot agree on a TLS protocol version.
Next step: Enable TLS 1.2 and TLS 1.3 where possible, and remove obsolete protocol dependencies.
No shared cipher
HighClient and server do not support a common cipher suite.
Next step: Use a modern server or CDN TLS profile and avoid overly restrictive cipher settings.
Wrong certificate served
HighThe server presents a certificate for another hostname.
Next step: Check SNI, virtual host configuration, CDN origin settings and certificate coverage.
Incomplete certificate chain
MediumThe client cannot build a trusted certificate chain.
Next step: Install the full certificate chain or CA bundle.
Origin certificate rejected by CDN
HighThe CDN connects to the origin but rejects the origin certificate.
Next step: Install a valid origin certificate or adjust CDN SSL mode correctly.
Client too old
MediumAn old browser, Java client, OpenSSL library or embedded device cannot negotiate modern TLS.
Next step: Update the client or maintain a separate compatibility strategy if required.
Mutual TLS required unexpectedly
MediumThe server expects a client certificate, but the client does not provide one.
Next step: Review mTLS configuration and disable client certificate requirement if unintended.
Firewall or proxy interference
MediumA firewall, WAF, proxy or middlebox interrupts TLS negotiation.
Next step: Check security rules, proxy configuration and TLS inspection settings.
Server name / SNI mismatch
HighThe client or CDN sends one hostname, but the origin expects another.
Next step: Align SNI, origin hostname and certificate SAN names.
How to fix failures
-
Step 1: Identify the failing path
Determine whether the failure is browser to site, CDN to origin, API client to server, or proxy to backend.
-
Step 2: Test the public hostname
Use SSL Checker and browser tests for the exact hostname users access.
-
Step 3: Check certificate and chain
Fix expiry, hostname mismatch, trust and incomplete chain issues.
-
Step 4: Check TLS versions
Enable TLS 1.2 and TLS 1.3 where supported. Disable obsolete protocols carefully.
-
Step 5: Check cipher suites
Use a modern recommended TLS profile.
-
Step 6: Check SNI
Confirm the client, CDN or proxy sends the hostname covered by the certificate.
-
Step 7: Check CDN/origin SSL
Verify edge certificate, origin certificate, SSL mode and origin hostname.
-
Step 8: Review logs
Look for TLS alerts, certificate errors, protocol mismatch or handshake failure messages.
-
Step 9: Re-test from outside
Confirm the fix from an external network, not only from the server itself.
Use this checklist to confirm all handshake-related settings are correct.
- Exact hostname tested
- DNS points to expected endpoint
- Certificate covers hostname
- Certificate chain is complete
- Certificate is not expired
- TLS 1.2 is enabled
- TLS 1.3 is enabled if supported
- Obsolete protocols are not required
- Cipher profile is modern
- SNI is correct
- CDN edge certificate is valid
- Origin certificate is valid
- Firewall, WAF or proxy is not interrupting TLS
- Server logs show no TLS alerts
CDN and origin
When a CDN is used, there are usually two TLS handshakes.
Browser to CDN
- The visitor checks the CDN edge certificate.
CDN to origin
- The CDN checks the origin server certificate.
- Origin certificate is expired
- Origin certificate does not match hostname
- CDN sends wrong SNI
- Origin supports old TLS only
- CDN requires strict certificate validation
- Origin firewall blocks CDN IPs
- Redirect rules conflict with SSL mode
If users see a CDN SSL error, test the CDN edge and origin separately.
API compatibility
Handshake failures are common with API clients and older libraries.
- OpenSSL version
- Java version
- cURL or libcurl version
- Node, Python or PHP TLS support
- Trusted CA bundle
- SNI support
- Proxy settings
- Client certificate requirement
- TLS version policy
A website may work in modern browsers but fail in an old application client.
Frequently asked questions
What is an SSL handshake failure?
It means the client and server could not establish a secure TLS connection.
Is a handshake failure always a certificate problem?
No. It can also be caused by TLS version mismatch, cipher mismatch, SNI issues, CDN/origin problems or client compatibility.
What does no shared cipher mean?
The client and server do not support a common cipher suite for the TLS connection.
Can a CDN cause handshake failures?
Yes. A CDN can fail the handshake with the origin if the origin certificate, SNI, TLS version or SSL mode is wrong.
Why does the site work in a browser but fail in an API client?
The API client may use an old TLS library, outdated CA bundle, missing SNI support or restricted cipher settings.
Does enabling TLS 1.2 fix handshake errors?
It can fix some issues, but you still need to check certificate chain, ciphers, SNI and CDN/origin settings.
How do I confirm the fix worked?
Run SSL Checker and external command-line tests against the exact public hostname and any relevant origin endpoint.
Related tools
Use these free tools to verify your configuration after applying changes.
Related guides
Browse all SSL & HTTPS guides →Need help applying this fix?
Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.
Was this guide helpful?
Your feedback helps us improve our guides for everyone.
Thanks for your feedback!