Resolving CloudFlare Error 525: SSL Handshake Failed
Cloudflare error 525 means the SSL/TLS handshake between Cloudflare and your origin server failed. Resolving it is a matter of finding and fixing the cause of that handshake failure so that traffic between Cloudflare and the origin flows securely and without interruption.
Verifying SSL Certificate Installation
The first thing to check when fixing error 525 is that your origin server has a valid SSL certificate installed. The following command tests whether the certificate is presented correctly:
$ curl -svo /dev/null https://www.example.com --connect-to ::203.0.113.34 2>&1 | egrep -v "^{.*$|^}.*$|^* http.*$"
Replace “203.0.113.34” with the IP address of your origin server and “www.example.com” with your domain and hostname. The --connect-to option sends the request straight to the origin IP while keeping the hostname for the SNI extension and the Host header, so the test reaches the origin the same way Cloudflare does. If the command completes without errors, your SSL certificate is most likely installed properly.
Checking Hosting Provider and Port Configuration
Next, make sure your origin server is listening on the port Cloudflare connects to. For SSL connections this is usually port 443. Check with your hosting provider that the server is configured correctly.
Configuring Origin Server for SNI
Make sure your origin server is configured correctly for SNI (Server Name Indication) to avoid error 525. Cloudflare sends the hostname via SNI when it connects to the origin, so the origin must be able to select the right certificate from it; this keeps Cloudflare and your server compatible. Review your server’s configuration and update it accordingly.
Matching Cipher Suites with Cloudflare
Cipher suites are sets of cryptographic algorithms that two endpoints negotiate to secure a connection. Your origin server must support at least one cipher suite that Cloudflare also supports, otherwise the handshake cannot complete. Check your server’s configured cipher suites against those Cloudflare supports.
Addressing Intermittent Errors
If error 525 occurs only intermittently, the TCP connection between Cloudflare and your origin server is being reset during the SSL handshake. In this case, contact your hosting provider or system administrator to check for problems on the server.
Logging SSL Errors
To troubleshoot effectively, make sure your server logs SSL errors. On Apache, configure mod_ssl to log its failures; on Nginx, TLS errors are written to the standard error log. If you need more detail to pin down the cause, raise the log level.
Pausing Cloudflare or Testing Server IP
To confirm that your origin server’s SSL certificate works on its own, either temporarily pause Cloudflare or edit your local hosts file so that the hostname points directly at the origin’s IP address. This lets you test the certificate with Cloudflare out of the path.
Disabling TLS 1.3 and Testing TLS Versions
If you get the error “error:1408F10B:SSL routines:ssl3_get_record:wrong version number” when cURLing the origin on port 443, the origin answered with something other than the TLS record cURL expected; in that case, disable TLS 1.3 on the Edge Certificates tab of the SSL/TLS app in the Cloudflare dashboard.
You can use the following cURL command to find out which TLS version is currently being negotiated:
$ curl -svo /dev/null https://www.example.com --connect-to ::MYORIGINIP 2>&1 | egrep -v "^{.*$|^}.*$|^* http.*$"
Lastly, you can add one of the following options to your cURL command to test a specific TLS version:
--tlsv1.0
--tlsv1.1
--tlsv1.2
--tlsv1.3
Note that in cURL these options set the minimum TLS version; to test exactly one version, combine them with --tls-max (for example --tlsv1.2 --tls-max 1.2). Pinning the TLS version this way shows you which versions your origin accepts and which one fails.
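The following script ties together the certificate check from the first section and the per-version TLS test above. It is an added example, not part of the original article or of Cloudflare’s own tooling; it assumes curl 7.54 or later (for --connect-to and --tls-max) and takes the hostname and origin IP as arguments. The sample curl outputs at the bottom are constructed for offline demonstration, not captured from a real origin.

```shell
#!/bin/sh
# Added example (not from the original article): probe an origin server
# directly, bypassing Cloudflare, and classify the TLS handshake result.
# Assumptions: curl 7.54+ (--connect-to, --tls-max); HOST and ORIGIN_IP are
# passed as arguments. Nothing here touches the network unless they are given.

# probe_origin HOST IP [TLSFLAGS]
# Sends the request to IP while keeping HOST for the SNI extension and the
# Host header, which is how Cloudflare itself reaches the origin. Prints
# curl's verbose output (stderr merged) for classify_handshake to read.
probe_origin() {
    host=$1; ip=$2; tlsflags=${3:-}
    # --tlsv1.x is a *minimum* version in curl; --tls-max pins the maximum so
    # that exactly one version is offered (e.g. "--tlsv1.2 --tls-max 1.2").
    curl -sv -o /dev/null --max-time 10 $tlsflags \
        --connect-to "::${ip}" "https://${host}/" 2>&1
}

# classify_handshake < CURL_OUTPUT
# Maps curl's verbose output to one word:
#   ok            a TLS session was negotiated
#   wrong_version the origin answered with something other than a TLS record
#                 on that port (the "ssl3_get_record:wrong version number" case)
#   refused       nothing is listening on the port
#   cert          the certificate chain was rejected
#   unknown       no known pattern matched; read the output by hand
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'wrong version number'; then
        echo wrong_version
    elif printf '%s\n' "$out" | grep -q 'Connection refused'; then
        echo refused
    elif printf '%s\n' "$out" | grep -q -e 'certificate verify failed' \
                                         -e 'unable to get local issuer'; then
        echo cert
    elif printf '%s\n' "$out" | grep -q 'SSL connection using '; then
        echo ok
    else
        echo unknown
    fi
}

# negotiated_tls < CURL_OUTPUT
# Prints the protocol version from curl's "* SSL connection using ..." line.
negotiated_tls() {
    sed -n 's/^\* SSL connection using \([^ ]*\).*/\1/p' | head -n 1
}

# sweep HOST IP: try each TLS version pinned exactly and print the verdict.
sweep() {
    host=$1; ip=$2
    for v in 1.0 1.1 1.2 1.3; do
        out=$(probe_origin "$host" "$ip" "--tlsv$v --tls-max $v")
        verdict=$(printf '%s\n' "$out" | classify_handshake)
        negotiated=$(printf '%s\n' "$out" | negotiated_tls)
        printf 'TLS %s: %s %s\n' "$v" "$verdict" "$negotiated"
    done
}

# Constructed sample outputs (not captured from a real origin) so the
# classifier can be exercised without network access.
SAMPLE_OK='* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
> GET / HTTP/1.1'
SAMPLE_WRONG_VERSION='* error:1408F10B:SSL routines:ssl3_get_record:wrong version number'
SAMPLE_REFUSED='* connect to 203.0.113.34 port 443 failed: Connection refused'

if [ "$#" -ge 2 ]; then
    sweep "$1" "$2"
else
    printf 'sample ok            -> %s (%s)\n' \
        "$(printf '%s\n' "$SAMPLE_OK" | classify_handshake)" \
        "$(printf '%s\n' "$SAMPLE_OK" | negotiated_tls)"
    printf 'sample wrong version -> %s\n' \
        "$(printf '%s\n' "$SAMPLE_WRONG_VERSION" | classify_handshake)"
    printf 'sample refused       -> %s\n' \
        "$(printf '%s\n' "$SAMPLE_REFUSED" | classify_handshake)"
fi
```

Run it as `sh probe.sh www.example.com 203.0.113.34` to get one verdict per TLS version; a row that reports wrong_version or refused points at the origin rather than at Cloudflare. Run it with no arguments to see the classifier applied to the constructed samples.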
Conclusion
Remember that Codeyo Genie is here to help. If you need more assistance, or would rather have an expert show you the way, contact us today to improve how your website works and make sure your users can always reach it.