What Is SSL Handshake & How Do I Fix SSL Handshake Failed

Learn More About HubSpot CMS with Free Web Hosting

I'm always taken aback when I go to shake someone's hand and our hands don't connect as intended. This can also happen in the digital world - and it means that the SSL handshake failed.

Here's what I mean. When devices on a network - say, a browser and a web server - share encryption algorithms, keys, and other details about their connection before finally agreeing to exchange data, it's called an SSL handshake. During this handshake, the browser and server might ask to see each other's SSL certificates to verify them.

This handshake is essential for establishing a secure connection before transferring data, so it's important to understand what an SSL handshake is and what to do if it fails.

Before we dive into the SSL handshake process, remember that your website requires an SSL certificate to perform the process. If you need help deciding where to get one, I recommend you consider these 10 providers that offer free options.

Table of Contents

• SSL Handshake
• How to Fix SSL Handshake Failed
• What is "SSL handshake failed"?

Note: SSL and TLS are both cryptographic protocols that enable clients and servers operating over a network to communicate with each other securely. TLS has replaced SSL, but SSL is still a more commonly used term so we'll continue to use it in this post.

SSL Handshake Steps

The exact steps in an SSL handshake vary depending on the version of SSL the client and server decide to use, but the general process is outlined below.

1. The client says hello. This "client hello" message lists cryptographic information, including the SSL version to use to communicate with each other. It also lists which encryption algorithms it supports, which are known as Cipher Suites.
2. The server responds hello. This "server hello" message contains important information, like which CipherSuite it chose, and its digital certificate. It might also request the client's certificate.
3. The client verifies the server's certificate. It also sends several byte strings, including one for allowing both the client and the server to compute a secret key for encrypting subsequent messages, including the "finished" messages. If the server sends a client certificate request, it will also send a byte string encrypted with its own private key and digital certificate.
4. The server verifies the client's certificate. This step only takes place if client authentication is required.
5. The client says "I'm finished." This "finished" message indicates that the client has completed its part of the handshake.
6. The server says "I'm finished, too." This "finished" message indicates that the sever has completed its part of the handshake.

For the remainder of the session, the server and client can now exchange messages that are encrypted with the same secret key, which was shared in step three. This is known as symmetric encryption. If you want to learn more about symmetric encryption, and how it differs from asymmetric encryption, I like this post.

The steps above will occur if the process goes smoothly. But what if it doesn't? Below I'll walk you through how to resolve an "SSL handshake failed" error message.

What is "SSL handshake failed"?

"SSL Handshake Failed" is an error message that occurs when the client or server wasn't able to establish a secure connection.

This might occur if:

• The client is using the wrong date or time.
• The client is a browser and its specific configuration is causing the error.
• The connection is being intercepted by a third party on the client-side.
• The client and server do not support the same SSL version.
• The client and server are using different Cipher Suites.
• The client or server's certificate is invalid.

The SSL Handshake Failed error message may appear differently, depending on the client application I'm using or server I'm trying to communicate with. For example, in GitHub, it will look something like this:

Image Source

If I use Cloudflare, on the other hand, an SSL Handshake Failed will appear as a 525 error that looks something like this:

Image Source

Now that I have explained some of the causes of the SSL Handshake Failed error, let me explain some solutions.

1. Correct the time and date on the client device.

Let's start with the easiest fix. If the system time and date is incorrect on my computer or device, then it can cause the SSL Handshake Failed error. That's because time is essential when it comes to SSL certificates: they have finite lifespans and become invalid past their expiration date.

If you check your system time and date and it's correct, then move on to the next step.

Pro tip: If you travel often, you can set your computer to automatically update timezones.

2. Try another browser.

It's possible that the browser I'm using is causing the SSL Handshake Failed error. It could be my settings, browser plugins, or another issue. To see if this is the problem, I always switch to another browser.

Let's say I was trying to connect to a website using Google Chrome, and it works just fine in Safari. In that case, I'll have to narrow down the problem. I usually go back and reset Google Chrome (or whatever browser I was using) to its default settings and disable all of my plugins.

Then, I re-configure my settings and enable my plugins one by one, testing my ability to connect to the website each time. By taking these steps, I should be able to isolate the specific setting or plugin that caused the SSL handshake error.

If you try another browser and you still see the SSL Handshake Failed error, then move on to the next step.

Pro tip: If you want to check if the browser is the issue before disabling your plugins, try opening the desired site using incognito mode first.

3. Add website to allowlist.

It's also possible that my firewall is causing the SSL handshake error by intercepting my request for inspection. To rule it out as the cause, I temporarily deactivate my firewall - but that can leave me vulnerable to an attack.

As an alternative, I can try adding the website to my allowlist. Here's the process I completed for Google Chrome:

• On my admin console homepage, I went to Devices > Chrome.
• Click Settings > Users & browsers.
• I left the top organizational unit selected (it's selected by default). This will apply the setting to all users and enrolled browsers.
• I scrolled to URL Blocking and enter the website I am trying to access under Blocked URL exceptions.
• Click Save.

If you try visiting that site again and you still see the SSL Handshake Failed error, then move on to the next step.

4. Update browser to use the latest SSL protocol.

I may be getting the SSL Handshake Failed error because my device (the client) and server do not support the same SSL version, which is resulting in a protocol mismatch.

For example, let's say my browser only supports TLS 1.1 and my server only supports TLS 1.2 or 1.3 (the latest version). If these two try to establish a secure connection, then it will likely result in an SSL Handshake Failed error.

In that case, I'll need to update my browser. Most updated versions of major browsers like Google Chrome have TLS 1.2 automatically enabled. However, even if it is updated, I always check to make sure it's configured to support the latest TLS version as this is important.

Here's the easiest way I know how to check:

• Visit SSL Labs.
• Navigate to Projects.

• Click SSL Client Test.

• Under Protocol Support, it tells me whether my browser supports the latest versions of TLS.

If you verify that your browser and server are using the same protocol, then move on to the next step.

5. Check browser and server support for Cipher Suites.

Another reason I could be getting the SSL Handshake Failed error is that the client and server are using different Cipher Suites.

Just like a protocol mismatch, a client and server who do not have mutual support for the same CipherSuite will not be able to establish a secure connection.

I can compare which Cipher Suites my browser supports to the server of the website I'm trying to visit supports by once again visiting SSL Labs.

• First, I navigate to Projects.
• Then I click SSL Client Test.
• Finally, I scroll down to Protocol Features, where it will list which Cipher Suites my browser supports, in order of preference.

• Now, I open SSL Labs in another tab, and navigate to Projects.
• I click SSL Server Test.
• I type in the domain name I am trying to visit that is resulting in the SSL Handshake Failed error.

• Scroll down to Configuration, where it will list which Cipher Suites the server supports, in order of preference.

If you verify that your browser and server are using the same CipherSuite, then move on to the next step.

6. Verify your SSL certificate is accurate and valid.

Any number of issues on an SSL certificate can prevent an SSL handshake from being completed. This may result in an SSL Handshake Failed error or another error message that ultimately means the handshake failed.

For example, you might see something like this:

Image Source

If the SSL certificate has an incorrect hostname, for example, or it's past its expiration date, then the handshake will likely fail. So, it's important to ensure your SSL certificate is installed correctly and renewed when needed.

Pro tip: You can use an online tool like the above-mentioned SSL Server Test or SSL Shopper to test that your SSL configuration is installed, valid, and trusted in just a few minutes.

When a Client and Server Don't Want to Shake Hands

Troubleshooting my SSL handshake error taught me a valuable lesson: A step-by-step breakdown of the issue - and patience! - is essential for resolving the problem.

Since an SSL handshake is an essential step in keeping data transferred over the internet secure, it's important that users understand what the SSL Handshake Failed error means and how to fix it.

By following the steps above, I was able to resolve the issue and establish a secure connection between my device and the server I was trying to connect to.

Editor's note: This post was originally published in October 2021 and has been updated for comprehensiveness.

Topics: Web Hosting

Don't forget to share this post!