Error 525

Error 525: SSL handshake failed

This error indicates that the SSL handshake between Cloudflare and the origin web server failed.

Common causes

Error 525 occurs when these two conditions are true:

• The SSL handshake ↗ fails between Cloudflare and the origin web server.
• Full or Full (Strict) SSL is set in the Overview tab of your Cloudflare SSL/TLS app.

Note

If your hosting provider frequently changes your origin web server's IP address, refer to Cloudflare's documentation on dynamic DNS updates.

Resolution

Contact your hosting provider to exclude the following common causes at your origin web server:

• No valid SSL certificate is installed.
• Port 443 (or another custom secure port) is not open.
• No SNI support.
• The cipher suites used by Cloudflare do not match the cipher suites supported by the origin web server.

Note

If 525 errors occur intermittently, review the origin web server error logs to determine the cause. Configure Apache to log mod_ssl errors ↗. Also, nginx includes SSL errors in its standard error log, but may possibly require an increased log level ↗.

• Verify that a certificate is installed on your origin server. For details on running tests, refer to Troubleshoot requests with curl. If no certificate is installed, you can generate and install a free Cloudflare origin CA certificate to encrypt traffic between Cloudflare and your origin web server.

• Review the cipher suites used by your server to ensure they are compatible with Cloudflare.

• Check your server's error logs from the timestamps when 525 errors occur to identify any issues causing the connection to be reset during the SSL handshake.