Troubleshoot SSL handshake error

SSL Handshake Error

You might be confused about the message “SSL Handshake Error” or “SSL Handshake Failed”.  You would face this when the server cannot establish the connection via the protocol and the client receives the HTTP status 503 with the text “Service Unavailable”. This occurs mainly when the read access is not permitted to the OS that is when the authentication is not allowed.

There could be various reasons that could cause SSL Handshake Error and let’s see one by one. Some can be fixed and a few need to be fixed from the server-side.

Steps to Fix SSL Handshake Error

Step 1: Set your system Date and Time

Mostly if you see are the major causes for SSL handshake issues is due to incorrect dates and time of your system. If this is the issue then update your system clock. The system time is a significant factor to test whether the certificate is valid or not.

Your computer time or date might be incorrect due to some manual error or malfunction in your setting. Therefore, it is necessary to check and make sure the system date and time are correct and if not update it accordingly.

If the clock setting shows correct information in your system then, it’s safe from the “SSL Handshake Failed” issue and there can be other reasons too, which we can see below.

Step 2: Check SSL Certificate is valid or not

To make sure the validation information remains accurate, the SSL certificates will be placed with an expiration date. The Browser will find, if the SSL Certificate is dismissed or expired.

You can also check the status of your SSL certificate by using the SSL certificate checker tool.

To check the status, enter your domain name in the Hostname field and then submit. It will analyze your SSL configuration and will display the status of your certificate if it is still valid or revoked. You can update the SSL Certificate, to resolve the handshake error and keep your site secure.

Step 3: Configure browser to support the latest TLS/SSL versions

More often, the SSL handshake failure occurs due to a browser-related error such as a protocol mismatch. For example, if the server supports only TLS 1.2, but the browser is configured only for TLS 1.0 or TLS 1.1, there’s a lack of mutually supported protocol. So this will lead to a TLS handshake failure.

Steps to check the issue:

  1. Open Chrome browser.
  2. Go to Setting > Advanced.
  3. Click Open your computer’s proxy settings under System. A new window will pop-up.
  4. Select Advanced tab.
  5. Under the Security section, check that Use TLS 1.2 is selected. If not, check that option and also uncheck use SSL 2.0 and use SSL 3.0 (recommended).
  6. Do the same for use TLS1.0 and use TLS1.1.
  7. Click Ok to see if the handshake error has been resolved.

Note: In Apple Safari or Mac OS, they dint provide any option to enable or disable SSL protocols. By default, TLS 1.2 will enable automatically. 

Step 4: Server Configuration to Support SNI

If you have an improper Server Name Indication (SNI) configuration, then you will have SSL handshake failure. The SNI will enable the webserver to securely host several TLS certificates for one IP address. So make sure your server is configured properly in a way to support SNI.

If your server isn’t SNI-enabled, then your server will not know which certificate to present thereby, you could face an SSL handshake failure. You can check whether your site requires an SNI using Qualys’ SSL Server Test. You will get a message like “This site works only in browsers with SNI support”.

The 2nd option is a bit technical, but you can gain more information.

Just browse the server names in the ‘ClientHello’ message. It will check the extended hello header for a ‘server_name’ field, to see if the correct certification is present or not. If you are good at using tools like OpenSSL toolkit and Wireshark you can try them. You can use openssl s_client with and without the -servername option:

# without SNI
$ openssl s_client -connect host:port  
# use SNI 
$ openssl s_client -connect host:port -servername host 

When an SNI is supported and properly configured, you will get two different certificates with the same name. If you need any assistance in fixing your SSL certificate you can get support from us.

 Step 5: Cipher Suites Match

Let’s see if your SSL handshake failure is due to Cipher Suites Match. You can use Qualys’ SSL Server Test to check if there is a cipher suite mismatch.

To check, input your domain and click Submit, you’ll see a summary analysis page, under the Cipher Suites section you can see the cipher information.

Using the information find out which ciphers and protocols your server supports. Check for the ‘weak’ status and compare the results against which your browser supports by using the Qualys SSL/TLS Capabilities of your browser tool. Hope these steps help to fix your SSL Handshake issue. If you need any assistance we can help you fix it – Get Support.

Check: How to setup SSL for Elastic Load Balancer in AWS

To get updates follow us on Facebook, Twitter, LinkedIn

Subscribe to get free blog content to your Inbox