Error 525: SSL handshake failed

When an SSL handshake fails, Error 525 occurs in Full or Full (Strict) SSL mode.  This is typically caused by a configuration issue in the origin web server.


Overview

Error 525 indicates that the SSL handshake between Cloudflare and the origin web server failed. This only occurs when the domain is using Cloudflare Full or Full (Strict) SSL mode.

If you are a site visitor, report the problem to the site owner. Cloudflare Support cannot assist you as we are only able to work with the verified owner of the domain.

If you are the site owner, review the steps outlined below to try to resolve the issue.


Common causes

The most common causes include:

  • The origin web server does not have a valid SSL certificate installed.
  • The origin web server is not listening on port 443 (or other custom secure port).
  • The origin web server does not support or is not configured properly for SNI.
  • The cipher suites that Cloudflare accepts and the cipher suites that the origin server supports do not match.

However, there could be other intermittent conditions that can cause Error 525.


Troubleshoot intermittent 525 errors

If you're only seeing errors intermittently, review the server error logs to determine the cause: 

  • Apache must be configured to log mod_ssl errors.
  • nginx includes these errors in its standard error log, but it may be necessary to increase the log level.
Still not finding what you need?

The Cloudflare team is here to help. 95% of questions can be answered using the search tool, but if you can’t find what you need, submit a support request.

Powered by Zendesk