HTTP 525 SSL Handshake Failed — Cloudflare Origin SSL Negotiation Error
Overview
How to fix the Cloudflare HTTP 525 error, which is returned when the SSL/TLS handshake between Cloudflare's edge and the origin server fails while the secure connection is being set up.
Key Details
- HTTP 525 indicates the SSL/TLS handshake between Cloudflare's edge and your origin server failed
- Cloudflare requires a valid SSL configuration on the origin when using Full or Full (Strict) SSL mode
- The handshake failure can be due to protocol mismatch, cipher suite incompatibility, or certificate issues
- This error only occurs when Cloudflare's SSL mode is set to Full or Full (Strict) — not Flexible
- The origin server must support at least TLS 1.2 for compatibility with Cloudflare
Common Causes
- Origin server SSL certificate expired or not properly installed
- SSL mode set to Full (Strict) but origin has a self-signed certificate
- Origin server only supports outdated TLS versions (TLS 1.0/1.1) that Cloudflare no longer negotiates
- Cipher suite mismatch between Cloudflare and the origin server configuration
Steps
1. Verify that the origin SSL certificate is valid and not expired: openssl s_client -connect origin:443 (replace origin with your origin hostname)
2. If using Full (Strict), ensure the origin has a valid CA-signed certificate or a Cloudflare Origin CA certificate
3. Update the origin server to support TLS 1.2 or higher in the Nginx/Apache SSL configuration
4. Temporarily set the Cloudflare SSL mode to Flexible to confirm the issue is SSL-related, then fix the origin and switch back
5. Install a free Cloudflare Origin CA certificate on the origin server for guaranteed compatibility
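The steps above are easier to repeat if the certificate and TLS-version checks are scripted. The following is an added example, not code from the original page or from Cloudflare; it assumes the openssl CLI is installed and that the caller supplies the origin hostname, port and Nginx config path. The sample certificate and config fragments it generates are constructed test data.

```shell
#!/bin/sh
# Origin-side pre-flight checks for the HTTP 525 causes listed above.
# Added example, not from the original page; assumes the openssl CLI is present
# and that the origin host/port and config path are supplied by the caller.

# Check 1: the certificate in PEM file $1 stays valid for at least $2 seconds.
# Exit status 0 = valid past the window, non-zero = expired or about to expire.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Check 2: self-signed certificate (subject equals issuer). Full (Strict)
# rejects these unless they are Cloudflare Origin CA certificates, which are
# issued by Cloudflare's own CA and therefore carry a different issuer.
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$iss" ]
}

# Check 3: the nginx ssl_protocols directive in file $1 enables TLS 1.2 or 1.3.
# A line such as "ssl_protocols TLSv1 TLSv1.1;" fails, matching the
# "outdated TLS versions" cause above.
nginx_tls_ok() {
    grep -E '^[[:space:]]*ssl_protocols[^;]*TLSv1\.[23]' "$1" >/dev/null
}

# Check 4: live probe of the origin ($1 = host, $2 = port), one TLS version
# per handshake, mirroring what Cloudflare's edge attempts. Needs network
# access, so the offline demo below does not call it.
probe_origin_tls() {
    for v in tls1_2 tls1_3; do
        if openssl s_client -connect "$1:$2" -servername "$1" "-$v" \
                </dev/null >/dev/null 2>&1; then
            echo "$v: handshake ok"
        else
            echo "$v: handshake failed"
        fi
    done
}

# Constructed sample data: a throwaway self-signed certificate valid for one
# day, plus two nginx fragments, written into directory $1.
make_samples() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/key.pem" \
        -out "$1/cert.pem" -days 1 -subj "/CN=origin.example" >/dev/null 2>&1
    printf 'ssl_protocols TLSv1 TLSv1.1;\n' > "$1/weak.conf"
    printf 'ssl_protocols TLSv1.2 TLSv1.3;\n' > "$1/ok.conf"
}

# Stand-alone run: ./check525.sh --demo exercises the offline checks.
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    make_samples "$dir"
    cert_valid_for "$dir/cert.pem" 3600 && echo "cert: valid for the next hour"
    cert_is_self_signed "$dir/cert.pem" && echo "cert: self-signed, Full (Strict) would reject it"
    nginx_tls_ok "$dir/weak.conf" || echo "weak.conf: TLS 1.2/1.3 not enabled"
    nginx_tls_ok "$dir/ok.conf" && echo "ok.conf: TLS 1.2/1.3 enabled"
    rm -rf "$dir"
fi
```

Against a real origin, run probe_origin_tls with the hostname and port from step 1 and point cert_valid_for and cert_is_self_signed at the certificate file the web server actually serves; a self-signed result combined with SSL mode Full (Strict) is exactly the mismatch described in the common causes, and a failed tls1_2 handshake points at the protocol configuration in step 3.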
Tags
cloudflare, 525, ssl, handshake, tls
Frequently Asked Questions
What is a Cloudflare Origin CA certificate?
It is a free certificate issued by Cloudflare specifically for encrypting traffic between Cloudflare and your origin server. It is trusted by Cloudflare but not by browsers directly, so it only works when traffic is proxied through Cloudflare.