How to fix one of the most common SSL/TLS errors – SSL Handshake Failed Error
An SSL handshake is a process that begins when your browser sends a secure connection request to a web server such as Apache. However, in some cases, you might get the message “SSL Handshake Error” or “SSL Handshake Failed.”
If you’re confused about what that message means, we have the answers. Read on to find out what the SSL Handshake Failed Error is, why it occurs, and how to fix it.
Cause of SSL Handshake Error
“SSL Handshake Error” is a message you receive when the SSL handshake process fails.
After your browser sends the secure connection request to the web server, the server is supposed to send a public key to your computer, which is automatically checked against a list of certificate authorities. Once the certificate has been received and checked, the computer generates a session key and encrypts it using that public key.
The SSL Handshake Error also occurs if the operating system has not been granted read access to the key files, which prevents the web server from completing authentication. Either way, it indicates that the browser’s connection to the web server isn’t secure.
This can happen for a number of different reasons:
- The SSL/TLS protocol being requested is not supported by the server
- The cipher suite being requested is not supported by the server
- The hostname in the URL doesn’t match what’s on the certificate
- The certificate chain is invalid or incomplete
- The certificate has expired or is otherwise no longer valid
- The client or server cannot communicate with the SNI servers
Unfortunately for users, many of these issues are server-side and cannot be fixed by you. But there are a few things you can try.
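As an added, runnable illustration (not code from the original article), the Python script below attempts a verifying TLS handshake with SNI set and maps the OpenSSL reason string in the resulting error to the causes listed above. The mapping table is an assumption of this example: one OpenSSL alert can have more than one root cause, so treat the result as a starting point for investigation rather than a verdict.

```python
import socket
import ssl

# Map OpenSSL reason strings, as they appear in Python's ssl.SSLError messages,
# to the handshake-failure causes listed above. This table is a heuristic
# (an assumption of this example): one OpenSSL reason can have several root
# causes. Order matters: specific verify-failure reasons precede the generic one.
CAUSE_PATTERNS = [
    ("protocol version not supported",
     ("PROTOCOL_VERSION", "UNSUPPORTED_PROTOCOL", "WRONG_VERSION_NUMBER")),
    ("hostname does not match certificate",
     ("HOSTNAME MISMATCH", "DOESN'T MATCH", "NOT VALID FOR")),
    ("certificate expired or not yet valid", ("HAS EXPIRED", "NOT YET VALID")),
    ("certificate chain invalid or incomplete",
     ("UNABLE TO GET LOCAL ISSUER", "SELF SIGNED", "CERTIFICATE_VERIFY_FAILED")),
    ("SNI name not recognised by server", ("UNRECOGNIZED_NAME",)),
    ("cipher suite not supported",
     ("HANDSHAKE_FAILURE", "NO_CIPHERS_AVAILABLE", "NO SHARED CIPHER")),
]


def classify_handshake_error(message: str) -> str:
    """Return the most likely cause for an SSL handshake error message."""
    upper = message.upper()
    for cause, needles in CAUSE_PATTERNS:
        if any(needle in upper for needle in needles):
            return cause
    return "unclassified handshake failure"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Attempt a verifying TLS handshake (chain, expiry, hostname) with SNI set.
    Returns the negotiated protocol/cipher on success or the likely cause on failure."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # server_hostname both sends SNI and enables hostname verification
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "protocol": tls.version(), "cipher": tls.cipher()[0]}
    except ssl.SSLError as exc:  # includes SSLCertVerificationError
        return {"ok": False, "cause": classify_handshake_error(str(exc)), "detail": str(exc)}
    except OSError as exc:
        return {"ok": False, "cause": "connection failed before TLS", "detail": str(exc)}


if __name__ == "__main__":
    # Constructed sample message in the shape Python's ssl module produces.
    sample = "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired"
    print(classify_handshake_error(sample))  # certificate expired or not yet valid
```

Run `probe("your.host.example")` against a real server to see the classification in context; a successful handshake also reports the negotiated protocol, which is a quick way to confirm TLS 1.2 or 1.3 is in use.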
How to Fix SSL Handshake Error
You may be able to fix SSL Handshake Error by following these steps:
- The .KYR file and the .STH file should have the same prefix; for example, both files should be called FILE1.KYR and FILE1.STH.
- Your operating system must have read access to the .STH file. Without read access, the web server cannot complete the authentication process.
Troubleshooting SSL Handshake Failed Apache
“SSL Handshake Failed” errors occur on Apache if there’s a directive in the configuration file that necessitates mutual authentication.
To fix the SSL Handshake Failed Apache error, follow these steps:
- Open the conf file.
- Replace “SSLVerifyClient” or “SSLVerifyClient optional_no_ca” with “SSLVerifyClient none”, which removes the mutual authentication requirement, and then restart Apache.
- If there’s an “SSLVerifyDepth 1” line in the conf file, comment it out by adding a “#” sign before it, for example “#SSLVerifyDepth 1”.
Checking your SSL/TLS protocol support
While every browser is different, there is a way to go into the settings and make sure that you have support for the latest TLS versions turned on. This is typically done by default, though if you’ve tweaked your settings before that may impact how new features roll out.
Go into your settings and click advanced. Then scroll down to the security settings and open up your SSL/Proxy option.
You want to make sure that support for SSL 2.0 and SSL 3.0 is turned off; you may also want to disable TLS 1.0 and TLS 1.1, as both of those are being phased out, too. You definitely want TLS 1.2 and TLS 1.3 to be supported, as those are the most modern and safest variants of TLS.
Re-Issue your SSL/TLS certificate
For most site owners facing this problem, a simple re-issuance and re-installation of the certificate may fix it, specifically for errors that stem from an incorrect certificate. You can also use this as an opportunity to tweak the TLS versions you’re supporting so that they cover the more modern protocols. Unlike browsers, this change typically isn’t made for you server-side, so if you haven’t updated since TLS 1.0 you should probably get to it.