Fix The SSL-TLS Handshake Failed Error
aboutssl.org/fix-ssl-tls-handshake-failed-error
The SSL/TLS handshake begins when your browser sends a request to establish a secure
connection with a web server such as Apache. Sometimes that handshake fails, and one of
the most commonly seen SSL/TLS errors is “SSL Handshake Failed,” also reported as
“SSL/TLS Handshake Failed.”
If you don’t know what this SSL error means, no worries, we’ve got your back. Read on to
learn what the SSL Handshake Failed error is, why it occurs, and how to fix the SSL/TLS
Handshake Failed error.
What Does SSL/TLS Handshake Failed Mean and What Causes It?
The SSL Handshake Failed error occurs when there’s a protocol mismatch. In other words,
whenever the client and the server do not both support the same SSL/TLS version, the
connection fails with this SSL/TLS Handshake Failed error message.
Once the user sends the secure connection request through the web browser, the browser
is expected to obtain a public key, which is automatically verified against a list of CAs.
After receiving the certificate, the computer generates a key and encrypts it with that
public key.
This SSL/TLS Handshake Failed error also occurs whenever the OS hasn’t granted the
required read access, which ultimately prevents the complete authentication of the web
server and indicates that the browser’s connection with the web server is not secure.
CAUSE                   DESCRIPTION                                                      WHO CAN FIX IT?
Incorrect System Time   The date and time of the client device are not correct.          Client
Protocol Mismatch       The server doesn’t support the protocol used by the client.      Server
Cipher Suite Mismatch   The server doesn’t support the cipher suite used by the client.  Server
Now, let’s look at each cause of the SSL/TLS Handshake Failed error, with its solution, in
detail.
Presently the usual culprit is the TLS configuration, since support for SSL 3.0 is
deprecated. However, there’s a distinct possibility that a client-side error is the reason
behind the SSL/TLS Handshake Failed error, and some of the common ones are an incorrect
system time or browser problems.
Let’s look at some of the common client-side causes of the SSL Handshake Failed error in
detail.
1. Incorrect System Time
It doesn’t always happen, but sometimes the system clock differs from the actual time,
whether you changed it intentionally, changed the settings accidentally, or for any other
reason. SSL/TLS certificates come with a specific validity period, so the date and time of
the system are equally important.
So, if the system clock is not showing the right time and date, the solution is to correct
the system time and date. But there’s no need to change your system time if it’s already
correct; in that case the cause of the error is likely something other than the system time.
2. Browser Error
It’s not exactly a browser error, but the SSL/TLS Handshake Failed error can be caused by
mistakes made by your browser. Sometimes your browser causes this error because of a
certain misconfiguration, or a plugin makes things work differently, which results in
problems while connecting to legitimate websites.
Analyzing exactly what needs to be fixed on your current browser is not that easy, so you
should try using a different browser.
For instance, if you’re using Google Chrome, try Mozilla Firefox or another browser such as
Apple Safari on macOS or Microsoft Edge on Windows.
However, if you still face the SSL/TLS Handshake Failed error even after changing the
browser, then the issue is not with the browser itself but, most probably, with a plugin.
To verify whether the error can be solved this way, it’s recommended to disable all your
installed plugins and reset your browser settings to default.
3. Man-in-the-Middle
Lastly, if the issue is on the client side, you can take the chance of exposing yourself by
tweaking the settings of your VPN or antivirus. Still, never drop your antivirus or firewall
just to connect to a website. And if the server is causing the issue, it’s mostly a
configuration problem on an edge device.
1. Protocol Mismatch
This is one of the errors that can happen on either the server side or the client side, and
depending on the circumstances it’s generally not worth solving. When it comes to ciphers
and protocols, it’s advised to move forward rather than backward.
For instance:
TLS 1.2 came out more than a decade ago, and a small segment of websites still fails to
support it. Back in March 2018, the final version of TLS 1.3 was published as RFC 8446 by
the IETF, and sites were advised to add support for TLS 1.3 at their earliest convenience.
So, if the SSL/TLS Handshake Failed error is due to a protocol mismatch, it generally
means the client and server do not both support the same TLS version.
For example:
The client supports TLS 1.0 and TLS 1.1, whereas the server supports TLS 1.2.
As shown in this example, no TLS version is mutually supported, and it’s likely that the
server won’t add support for the older versions. Nor should the server fix this. In the
example above, the client should be advised to upgrade their browser, or otherwise update
it to the latest version that supports the latest TLS version. Presently all we can suggest
is that TLS 1.2 or TLS 1.3 must be used, or else support must be added for them.
2. Cipher Suite Mismatch
A cipher suite mismatch is quite similar to a protocol mismatch. SSL/TLS isn’t a single
algorithm that handles everything on its own but a combination of numerous algorithms
that serve different functions and work together to make up SSL/TLS.
Nevertheless, the cipher suites used by TLS 1.3 have been refined. Earlier, a cipher suite
had algorithms that handled:
Many times it happens within a network when you’re doing SSL bridging, where an edge
device receives and decrypts HTTPS traffic and then re-encrypts it to send it to the
application server. If the application server and the edge device fail to share a mutually
supported cipher suite, it will cause errors. As with protocol versions, it’s advisable for
cipher suites never to go backward but only to move forward.
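Both the protocol mismatch from the previous section and the cipher suite mismatch described here can be reproduced on your own machine. The script below is an added example written for this article, not code from aboutssl.org: it starts an openssl s_server on the loopback interface that accepts only TLS 1.3 with a single cipher suite, then runs openssl s_client once capped at TLS 1.2 and once offering only a different cipher suite. The self-signed certificate, the hostname localhost and the port 44330 are constructed assumptions. The failing runs print openssl's alert (such as "tlsv1 alert protocol version" or "sslv3 alert handshake failure") on stderr, which is exactly the detail a browser's generic handshake error hides.

```shell
#!/bin/sh
# Added example: reproduce a protocol-version mismatch and a cipher-suite
# mismatch locally with the openssl command-line tools (1.1.1 or later).
# The certificate, the hostname "localhost" and the port are constructed.
set -e

WORK=$(mktemp -d)
PORT=${PORT:-44330}   # assumed free loopback port

# Constructed self-signed server certificate; a real site uses a CA-issued one.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
  -keyout "$WORK/srv.key" -out "$WORK/srv.pem" 2>/dev/null

# Start a test server that accepts only TLS 1.3 and only one TLS 1.3 cipher
# suite, then wait until it answers a default client (which supports both).
start_server() {
  openssl s_server -accept "127.0.0.1:$PORT" -cert "$WORK/srv.pem" -key "$WORK/srv.key" \
    -min_protocol TLSv1.3 -ciphersuites TLS_AES_256_GCM_SHA384 -www >/dev/null 2>&1 &
  SERVER_PID=$!
  for _ in 1 2 3 4 5 6 7 8 9 10; do
    if openssl s_client -connect "127.0.0.1:$PORT" </dev/null >/dev/null 2>&1; then
      return 0
    fi
    sleep 1
  done
  echo "test server did not start on port $PORT" >&2
  return 1
}

stop_server() {
  kill "$SERVER_PID" 2>/dev/null || true
  wait "$SERVER_PID" 2>/dev/null || true
}

# One handshake attempt with the given client restrictions; prints OK or FAIL.
# s_client exits non-zero when the handshake fails; its alert goes to stderr.
try_handshake() {
  if openssl s_client -connect "127.0.0.1:$PORT" "$@" </dev/null >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

main() {
  start_server
  echo "client capped at TLS 1.2 vs TLS 1.3-only server: $(try_handshake -max_protocol TLSv1.2)"
  echo "client offering TLS 1.3:                          $(try_handshake -tls1_3)"
  echo "client offering a cipher suite the server lacks:  $(try_handshake -ciphersuites TLS_AES_128_GCM_SHA256)"
  echo "client offering the server's cipher suite:        $(try_handshake -ciphersuites TLS_AES_256_GCM_SHA384)"
  stop_server
}
main
```

Run it with sh; to see the actual alert behind a FAIL, re-run the single s_client command without the redirections. The same -max_protocol and -ciphersuites switches work against any real host, which is how you confirm whether a production failure is a version or a cipher suite problem before touching the server configuration.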
3. Incorrect SSL/TLS Certificate
Many different reasons can make a browser view an SSL/TLS certificate as incorrect and
prevent a successful handshake. Let’s dive into them in the next sub-sections and look at
the different technical issues that result in a failed handshake.
Host Name Mismatch: The hostname fails to match the CN in the certificate.
Incorrect Certificate Chain: An intermediate is missing from the certificate chain.
Expired/Revoked Certificate: The server presents an untrusted, revoked, or expired
SSL/TLS certificate.
Self-Signed Replacements: Certificate replacements or internal networks confuse the
path.
4. The Hostname Is Not Correct
Previously there was a problem with the non-WWW and WWW versions of websites, but it
has been reduced radically by the Certificate Authority community allowing one of them to
be listed as a SAN free of cost. The simple solution for this issue is to re-issue the
certificate, or sometimes to use a Wildcard certificate.
5. Incorrect Certificate Chain
CA root certificates are so valuable that they aren’t used to issue certificates directly;
instead, Certificate Authorities use intermediate roots to sign SSL/TLS leaf (end-user)
certificates. This is where the chain comes into play. The Root CA certificate is used to
digitally sign the intermediate roots, and those intermediates are further used to sign
other intermediates or end-user leaf SSL/TLS certificates.
So, whenever the browser gets an SSL certificate, it does one thing for sure: it checks
whether the signatures are authentic. It looks at the digital signature on the SSL/TLS
certificate and matches it with the intermediate root that signed it. Then it looks at the
digital signature of the intermediate certificate and checks it back against the certificate
that signed the intermediate. This process continues until it reaches one of the Root CA
certificates in its trust store.
Hence, whenever this process remains incomplete for any reason, meaning the browser fails
to locate even one of the intermediate certificates, the result is the SSL Handshake Failed
error. The solution is to install the missing intermediate certificate.
To find the missing intermediate certificate, go to the website of the CA from whom you
purchased your SSL/TLS certificate.
6. Revoked/Expired Certificates
Currently, the maximum validity of an SSL/TLS certificate is 2 years plus three extra
months (27 months in total, because CAs allow carrying up to three months over from the
previously installed certificate). If your SSL/TLS certificate expires or is revoked for any
reason, it may result in the SSL Handshake Failed error. If this is the reason, get a valid
certificate issued and installed.
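The chain walk, the hostname check and the validity-period check described in sections 4, 5 and 6 (plus the system-clock problem from the client-side section) can all be reproduced with the openssl command-line tools. The script below is an added example written for this article, not code from aboutssl.org: it generates a constructed root/intermediate/leaf chain for the made-up hostname www.example.test, then runs openssl verify with the intermediate missing, with it supplied, with a wrong hostname, and with the clock shifted via -attime, printing OK or FAIL for each case. All names and lifetimes are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: build a root -> intermediate -> leaf chain with openssl and
# reproduce the certificate-side handshake failures discussed above: missing
# intermediate, hostname mismatch, wrong system clock, expiring certificate.
# All names (example.test, "Example Root CA", ...) are constructed for the demo.
set -e

WORK=$(mktemp -d)
HOST=www.example.test    # constructed server hostname

make_chain() {
  # Root CA: self-signed; `req -x509` marks it CA:TRUE.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  # Intermediate CA: CSR signed by the root, explicitly marked as a CA.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/int.ext"
  openssl x509 -req -days 1825 -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/int.ext" -out "$WORK/int.pem" 2>/dev/null
  # Leaf (server) certificate: signed by the intermediate, valid for 30 days,
  # with the hostname in a SAN as browsers require.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$HOST" >"$WORK/leaf.ext"
  openssl x509 -req -days 30 -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# Validate the leaf the way a browser does: trust only the root, and pass any
# extra `openssl verify` options through. Prints OK or FAIL; openssl's own
# reason (e.g. "unable to get local issuer certificate") goes to stderr.
verify_leaf() {
  if openssl verify -CAfile "$WORK/root.pem" "$@" "$WORK/leaf.pem" >&2 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# Same check with the intermediate supplied, evaluated as if the system clock
# were N days away from the real time (negative N = clock behind).
verify_at_offset_days() {
  verify_leaf -untrusted "$WORK/int.pem" -attime $(( $(date +%s) + $1 * 86400 ))
}

# "yes" if the leaf expires within N days (what a renewal monitor would check).
expires_within_days() {
  if openssl x509 -noout -in "$WORK/leaf.pem" -checkend $(( $1 * 86400 )) >/dev/null; then
    echo no
  else
    echo yes
  fi
}

main() {
  make_chain
  echo "root only, intermediate missing:  $(verify_leaf)"
  echo "intermediate supplied:            $(verify_leaf -untrusted "$WORK/int.pem")"
  echo "correct hostname $HOST: $(verify_leaf -untrusted "$WORK/int.pem" -verify_hostname "$HOST")"
  echo "hostname mismatch:                $(verify_leaf -untrusted "$WORK/int.pem" -verify_hostname wrong.example.test)"
  echo "system clock 1 day behind:        $(verify_at_offset_days -1)"
  echo "system clock 60 days ahead:       $(verify_at_offset_days 60)"
  echo "leaf expires within 60 days:      $(expires_within_days 60)"
}
main
```

Run it with sh (openssl 1.1.1 or later). The first FAIL is the "missing intermediate" case: the leaf is perfectly valid, yet with only the root in the trust store the chain cannot be completed, which is why installing the intermediate on the server fixes it. The -attime runs show that a wrong client clock fails the very same checks, so a certificate that verifies fine for everyone else can still fail on one mis-set machine.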
7. Self-Signed Replacements
If you’ve installed a self-signed SSL/TLS certificate on your website and it’s live on the
public internet, it will generate an error. To resolve this, get your SSL/TLS certificate
issued by a trusted CA such as Sectigo, Comodo, or DigiCert.
8. SNI-Enabled Servers
Generally, it’s an internal issue that happens between devices, but there’s also a chance
of getting an SSL/TLS Handshake Failed error if a client communicating with a Server Name
Indication (SNI) enabled server is not itself SNI enabled.
To solve this issue, you must identify the hostname and port number of the server, and
verify whether it’s SNI-enabled and is communicating everything it has to.
Summary
Many times, website owners don’t make the necessary changes until they face a problem
that can’t be overlooked. Though there are some client-side fixes for the SSL/TLS
Handshake Failed error, as mentioned in this article, the cause is mostly going to be
server-side.
So, if you’re a regular internet user, your options are limited. The best thing you can do
as a website visitor is to inform the owner of the website about the SSL/TLS Handshake
Failed issue and wait for them to fix it. If they don’t take any action, it’s best to avoid
using that website.