A 525 error indicates that the SSL handshake between Cloudflare and the origin server that hosts the domain failed. This means that Cloudflare is set to use Full SSL in the Cloudflare settings for the domain, so Cloudflare attempts to connect over SSL (for requests beginning with https://) to the server that hosts the domain.
Likely reasons for this failure include:
- The origin server does not support or is not configured properly for SNI.
- The cipher suites that Cloudflare accepts and the cipher suites that the origin server uses do not match.
- The origin server is not configured to use SSL and Full SSL is enabled in the Cloudflare settings.
However, other conditions can also cause handshakes to fail. The conditions above cause SSL/TLS handshakes to fail consistently, so if you're only seeing errors intermittently, review the server error logs to determine the cause. Apache must be configured to log mod_ssl errors. nginx includes these errors in its standard error log, but it may be necessary to increase the log level.
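
As an added example (not part of the original article), the following Python script triages an nginx error log for the intermittent case described above: it keeps only errors raised during the handshake, extracts the OpenSSL reason, and counts failures per reason and per minute. The sample log lines are constructed, and the script assumes `error_log` is set to a level (such as `info`) at which handshake failures are written.

```python
import re
from collections import Counter

# Constructed sample in nginx error-log format (not taken from a real server).
SAMPLE_LOG = """\
2024/03/02 10:15:01 [info] 911#911: *101 SSL_do_handshake() failed (SSL: error:0A0000C1:SSL routines::no shared cipher) while SSL handshaking, client: 203.0.113.10, server: 0.0.0.0:443
2024/03/02 10:15:40 [info] 911#911: *102 peer closed connection in SSL handshake while SSL handshaking, client: 203.0.113.11, server: 0.0.0.0:443
2024/03/02 10:16:05 [error] 911#911: *103 open() "/var/www/html/favicon.ico" failed (2: No such file or directory), client: 203.0.113.12, server: example.com, request: "GET /favicon.ico HTTP/1.1"
2024/03/02 10:42:17 [info] 911#911: *140 SSL_do_handshake() failed (SSL: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher) while SSL handshaking, client: 203.0.113.10, server: 0.0.0.0:443
2024/03/02 10:42:18 [info] 911#911: *141 SSL_do_handshake() failed (SSL: error:0A000102:SSL routines::unsupported protocol) while SSL handshaking, client: 203.0.113.13, server: 0.0.0.0:443
"""

# Timestamp (truncated to the minute), level, message, client address.
LINE_RE = re.compile(
    r"^(?P<minute>\d{4}/\d{2}/\d{2} \d{2}:\d{2}):\d{2} \[(?P<level>\w+)\] "
    r"\d+#\d+: \*\d+ (?P<msg>.*?) while SSL handshaking, client: (?P<client>[^,\s]+)"
)
# OpenSSL error string: error:<hex>:<library>:<function or empty>:<reason>
OPENSSL_RE = re.compile(r"\(SSL: error:[0-9A-Fa-f]+:[^:]*:[^:]*:(?P<reason>[^)]+)\)")


def summarise(log_text):
    """Count handshake failures by reason and by minute; ignore other lines."""
    by_reason, by_minute = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # not an error raised during the TLS handshake
        o = OPENSSL_RE.search(m["msg"])
        # Fall back to nginx's own message when no OpenSSL error is attached.
        reason = o["reason"].strip() if o else m["msg"].strip()
        by_reason[reason] += 1
        by_minute[m["minute"]] += 1
    return by_reason, by_minute


if __name__ == "__main__":
    reasons, minutes = summarise(SAMPLE_LOG)
    for reason, n in reasons.most_common():
        print(f"{n:4d}  {reason}")
    for minute, n in sorted(minutes.items()):
        print(f"{minute}  {n} failed handshake(s)")
```

A reason of `no shared cipher` corresponds to the cipher-suite mismatch listed above, and failures that cluster in a few minutes rather than appearing on every request point to the intermittent case.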