SSL Handshake Failed Error

The "SSL Handshake Failed" error occurs when the client (browser) and server fail to establish a secure connection. The SSL/TLS handshake is a negotiation process where both parties agree on the protocols and encryption algorithms to use. If this negotiation fails, no secure communication is possible.

This error is often more technical than other SSL errors because it involves compatibility between protocol versions and cipher suites. It can occur server-side (incorrect configuration) or client-side (browser too old or too new).

In this guide, we'll explore common causes of SSL handshake failure and give you tools to diagnose and resolve the problem, whether you're a server administrator or end user.

Handshake Failure Symptoms

How this error manifests:

• Chrome: displays ERR_SSL_PROTOCOL_ERROR or ERR_SSL_VERSION_OR_CIPHER_MISMATCH depending on the exact cause.
• Firefox: displays SSL_ERROR_HANDSHAKE_FAILURE_ALERT with few details about the cause.
• Curl/API: returns "SSL routines:ssl3_get_server_certificate:certificate verify failed" or similar.
• Applications: applications may display "Connection reset" or simply fail without a clear message.

Causes of Handshake Failure

Several situations can trigger this error:

• Obsolete SSL/TLS protocol: the server still uses SSL 3.0 or TLS 1.0/1.1 which modern browsers refuse. Current browsers require TLS 1.2 or 1.3.
• Incompatible cipher suites: client and server have no cipher suite in common. The server offers ciphers the client refuses.
• Non-matching certificate: the domain name in the certificate doesn't match the requested one, or SNI isn't supported.
• Incorrect server configuration: malformed certificate files, incorrect private key, or improperly ordered certificate chain.

Failure Diagnosis

Follow these steps to identify the cause:

1. Test with SSL Labs: SSL Labs analyzes complete server configuration and reports supported protocols and ciphers.
2. Check protocols: use openssl s_client to test connection with different TLS versions.
3. Analyze server logs: Apache/Nginx logs often contain details about handshake failure.
4. Test SNI: if multiple sites share the same IP, verify SNI is correctly configured.

SSL Handshake Diagnosis

Use these commands to diagnose the problem:

#!/bin/bash
# SSL handshake diagnosis

DOMAIN="example.com"

echo "=== Test TLS 1.2 ==="
openssl s_client -connect $DOMAIN:443 -tls1_2 -servername $DOMAIN </dev/null 2>&1 | grep -E "(Protocol|Cipher|Verify)"

echo ""
echo "=== Test TLS 1.3 ==="
openssl s_client -connect $DOMAIN:443 -tls1_3 -servername $DOMAIN </dev/null 2>&1 | grep -E "(Protocol|Cipher|Verify)"

echo ""
echo "=== Supported ciphers ==="
nmap --script ssl-enum-ciphers -p 443 $DOMAIN 2>/dev/null | grep -E "(TLSv|accepted)"

These commands test supported TLS protocols and list accepted cipher suites. If both TLS 1.2 and 1.3 fail, there's a major configuration problem.

Configuration Best Practices

Configure your server correctly to avoid failures:

• Use TLS 1.2+ only: disable SSL 3.0, TLS 1.0 and TLS 1.1. These protocols have known vulnerabilities and are no longer accepted.
• Configure modern ciphers: use Mozilla recommendations for modern, intermediate, or compatible SSL configuration.
• Enable SNI: if you host multiple domains on the same server, SNI is essential to serve the correct certificate.
• Test after each change: after any SSL configuration change, test with SSL Labs to validate.

Frequently Asked Questions

Ensure Successful SSL Negotiation

SSL handshake failures are often caused by obsolete or incompatible configurations. Keep your server updated and use modern protocols and ciphers.

MoniTao monitors your HTTPS connections and alerts you immediately if a handshake problem is detected. Configure a monitor for each critical domain.

Ready to Sleep Soundly?

Start free, no credit card required.

Create My Account See pricing