Cloudflare Error 525: SSL Handshake Failed
With Full (Strict) SSL on, Cloudflare reached your origin but the TLS handshake between them failed.
What you see
Error 525
SSL handshake failed
What happened?
Cloudflare is unable to establish an SSL connection to the origin server.
What’s actually happening
The site 525s the moment your SSL/TLS mode is set to Full or Full (Strict), and works again if you drop to Flexible — which tells you the break is on the Cloudflare-to-origin leg, not the browser leg. It can also start out of nowhere when an origin cert is rotated badly or a port-443 firewall rule changes. The TCP connect succeeds; the TLS negotiation is what dies.
Common causes
- No TLS listener on the origin at all on port 443 — the web server only serves plain HTTP, so there's nothing to handshake with.
- Port 443 (or your custom HTTPS port) is firewalled off from Cloudflare's IP ranges.
- Cipher suite or TLS version mismatch — the origin only offers ciphers/protocols Cloudflare won't negotiate, or it's pinned to something ancient.
- The origin doesn't handle SNI and serves the wrong vhost (or none) for the requested hostname.
- A device in front of the origin (load balancer, reverse proxy) terminates or interferes with TLS and resets the handshake.
How to fix it
- Confirm the origin actually does TLS on 443. From outside: `openssl s_client -connect ORIGIN_IP:443 -servername example.com`. If it can't establish a session or there's no listener, that's your answer — the origin needs a working HTTPS vhost before Full/Full (Strict) can work. `curl -vk --connect-to example.com:443:ORIGIN_IP:443 https://example.com` is a quick second check.
- Open port 443 to Cloudflare. Make sure the origin firewall/security group allows inbound 443 from every Cloudflare IP range. A handshake that never completes is often just port 80 answering normally while 443 is blocked.
- Check TLS version and cipher overlap. Run the origin through SSL Labs or `nmap --script ssl-enum-ciphers -p 443 ORIGIN_IP`. Cloudflare needs at least one mutually supported protocol/cipher. If the origin is locked to TLS 1.0/1.1 only or an exotic cipher set, widen it to include modern TLS 1.2/1.3 suites.
- Install a Cloudflare Origin CA certificate. Generate a free Origin CA cert in SSL/TLS → Origin Server, install it on the origin, and bind it to port 443. It's purpose-built for the Cloudflare-to-origin hop and sidesteps cipher/SNI quirks from random self-managed certs. Reload the web server after installing.
- Verify SNI handling. If the origin hosts multiple sites, make sure it returns the right certificate for the SNI Cloudflare sends. Test with `-servername` in the openssl command above; a wrong-vhost response means SNI is misconfigured on the origin.
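The checks above, scripted as one probe of the Cloudflare-to-origin leg. This is an added example, not Cloudflare's tooling: it handshakes against the origin IP with the site's SNI (like the openssl/curl commands), reports the negotiated protocol and cipher, sweeps TLS versions to find the overlap (like ssl-enum-ciphers), and maps each failure to one of the causes listed. It assumes you know the origin IP; `cafile` is an assumed parameter for the Origin CA root when the origin uses a Cloudflare Origin CA cert.

```python
import socket
import ssl

def san_matches(cert, hostname):
    """True if a DNS SAN in a getpeercert()-style dict covers hostname (leftmost-label wildcard only)."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pat = value.lower()
        if pat.startswith("*."):
            labels = host.split(".", 1)
            if len(labels) == 2 and labels[1] == pat[2:]:
                return True
        elif pat == host:
            return True
    return False

def classify(exc):
    """Map one failed handshake attempt to the 525 causes listed above."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "origin cert chain not trusted (bad rotation or missing Origin CA root)"
    if isinstance(exc, ssl.SSLError):
        return "TLS negotiation failed: protocol version or cipher suite mismatch"
    if isinstance(exc, OSError):  # refused, timeout, reset: nothing answered TLS on the port
        return "no TLS listener on the port, or the port is firewalled from Cloudflare"
    return "unclassified: " + repr(exc)

def probe(hostname, origin_ip, port=443, version=None, cafile=None, timeout=5.0):
    """Handshake with SNI=hostname against origin_ip (Full (Strict) style); returns (ok, detail)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False       # chain is still verified; the SNI/vhost answer is checked below
    if version is not None:          # pin one protocol to find the overlap
        ctx.minimum_version = ctx.maximum_version = version
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                if not san_matches(tls.getpeercert(), hostname):
                    return False, "SNI misconfigured: origin served a cert that does not cover " + hostname
                return True, "%s with %s" % (tls.version(), tls.cipher()[0])
    except Exception as exc:
        return False, classify(exc)

def version_overlap(hostname, origin_ip, port=443, cafile=None):
    """TLS versions the origin completes a handshake on; an empty list means a 525 is guaranteed."""
    versions = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]
    return [v.name for v in versions if probe(hostname, origin_ip, port, v, cafile)[0]]

if __name__ == "__main__":
    import sys  # usage: python probe.py example.com ORIGIN_IP
    print(probe(sys.argv[1], sys.argv[2]), version_overlap(sys.argv[1], sys.argv[2]))
```

Run it from a host outside the origin's network so the firewall path matches what Cloudflare sees.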
Stop it recurring
Keep the origin on TLS 1.2/1.3 with a mainstream cipher list and use a Cloudflare Origin CA cert so the edge-to-origin handshake doesn't depend on a fragile self-managed setup.