HTTP 525 SSL Handshake Failed — Cloudflare Origin SSL Negotiation Error
About HTTP 525 SSL Handshake Failed
Fix Cloudflare HTTP 525 error when the SSL/TLS handshake between Cloudflare and the origin server fails during secure connection setup. This guide covers everything you need to know about this topic, including common causes, step-by-step solutions, and answers to frequently asked questions.
This article is part of our HTTP Status Codes collection on Error Codes Wiki.
Quick Answer
What is a Cloudflare Origin CA certificate?
It is a free certificate issued by Cloudflare specifically for encrypting traffic between Cloudflare and your origin server. It is trusted by Cloudflare but not by browsers directly, so it only works when proxied through Cloudflare.
Overview
Fix Cloudflare HTTP 525 error when the SSL/TLS handshake between Cloudflare and the origin server fails during secure connection setup.
Key Details
- HTTP 525 indicates the SSL/TLS handshake between Cloudflare's edge and your origin server failed: the edge reached the origin over TCP but could not complete a TLS session with it
- In Full and Full (Strict) SSL mode Cloudflare connects to the origin over TLS, so the origin must present a certificate and complete the handshake; Full accepts any certificate, while Full (Strict) additionally validates it against a publicly trusted CA or the Cloudflare Origin CA
- The handshake can fail because of a protocol version mismatch, no cipher suite in common, no certificate for the SNI hostname the edge sends, or no TLS listener at all on the port Cloudflare connects to
- This error only occurs when Cloudflare's SSL mode is set to Full or Full (Strict); in Flexible mode the edge talks plain HTTP to the origin, so no handshake takes place and the error disappears, at the cost of an unencrypted edge-to-origin hop
- The origin should support TLS 1.2 or 1.3 with a modern cipher suite (ECDHE key exchange with AES-GCM or ChaCha20-Poly1305) and serve the right certificate for the SNI hostname Cloudflare sends; a legacy-only origin (TLS 1.0/1.1 only, or only RSA key exchange with CBC suites) may have nothing in common with what the edge offers
Common Causes
- No certificate is installed on the origin, or the port Cloudflare connects to (443 by default) is served by a non-TLS listener, so there is nothing to negotiate
- Origin server supports only outdated TLS versions (TLS 1.0/1.1) or legacy cipher suites that Cloudflare's edge does not offer, so the two sides share no protocol parameters
- Origin requires SNI but has no certificate configured for the proxied hostname (or no default certificate), so the virtual host Cloudflare asks for cannot complete the handshake
- Note the boundary with 526: an expired or self-signed certificate under Full (Strict) completes the handshake and then fails validation, which Cloudflare reports as 526 Invalid SSL Certificate rather than 525; under Full such certificates are accepted. A 525 means the handshake itself never completed
Steps
- 1. Probe the origin directly, bypassing the proxy, with the SNI hostname the edge will send, and confirm the handshake completes: openssl s_client -connect <origin-ip>:443 -servername <hostname>. A completed handshake prints the certificate chain and a "Verify return code" line; a TLS alert or "no peer certificate available" means the origin is not completing TLS, and the dates from openssl x509 -noout -dates show whether the certificate is current
- 2. If using Full (Strict), ensure the origin has a valid CA-signed certificate or a Cloudflare Origin CA certificate that matches the hostname and is not expired (a validation failure at this stage shows up as 526 rather than 525)
- 3. Update the origin server to support TLS 1.2 or higher with modern cipher suites in the Nginx/Apache SSL configuration, then reload the service and repeat the probe
- 4. As a diagnostic only, temporarily set the Cloudflare SSL mode to Flexible: if the error disappears, the fault is in the origin's TLS setup. Flexible sends plain HTTP to the origin, so do not leave it enabled, and expect a redirect loop if the origin forces HTTP to HTTPS; fix the origin and switch back to Full (Strict)
- 5. Install a free Cloudflare Origin CA certificate on the origin server; Cloudflare's edge trusts it in Full (Strict), but browsers do not, so it only works for hostnames proxied through Cloudflare
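The steps above can be run as one script. The following is an added example, not code from the original page or from Cloudflare: it probes the origin the way the edge does (straight to the origin IP, with the proxied hostname in SNI, pinned to TLS 1.2 and then TLS 1.3) and maps the openssl output to the Cloudflare status the same handshake would produce. It assumes OpenSSL 1.1.1 or newer (for the -tls1_3 flag); the hostname and the 203.0.113.10 address in the usage line are placeholders, and the sample openssl outputs used to check the classifier are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): probe an origin as Cloudflare's edge
# does and translate the handshake result into the status code Cloudflare would
# return. Assumes OpenSSL 1.1.1+; hostnames and IPs below are placeholders.
set -u

# classify_probe: read raw `openssl s_client` output on stdin and print one token:
#   CONNECT_FAILED      nothing listening on the port (Cloudflare reports 521, not 525)
#   HANDSHAKE_FAILED    TLS alert, no protocol/cipher overlap, or a non-TLS listener -> 525
#   NO_CERTIFICATE      TCP connected but no certificate was ever served           -> 525
#   CERT_INVALID:<why>  handshake completed, certificate fails verification        -> 526 under
#                       Full (Strict), accepted under Full
#   OK                  handshake and verification both succeeded
classify_probe() {
  local out
  out="$(cat)"
  if printf '%s\n' "$out" | grep -qE 'connect:errno|Connection refused'; then
    echo CONNECT_FAILED
  elif printf '%s\n' "$out" | grep -qiE 'alert handshake failure|alert protocol version|no protocols available|wrong version number|unsupported protocol'; then
    echo HANDSHAKE_FAILED
  elif printf '%s\n' "$out" | grep -q 'no peer certificate available'; then
    echo NO_CERTIFICATE
  elif printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
    echo OK
  elif printf '%s\n' "$out" | grep -qE 'Verify return code: [0-9]+ \('; then
    local why
    why="$(printf '%s\n' "$out" | sed -nE 's/.*Verify return code: [0-9]+ \((.*)\).*/\1/p' | head -n1)"
    echo "CERT_INVALID:${why}"
  else
    echo UNKNOWN
  fi
}

# probe HOST ORIGIN_IP PORT [openssl flags...]: one handshake against the origin IP,
# presenting HOST via SNI exactly as the edge does; extra flags such as -tls1_2 pin
# the protocol version so each version is tested on its own.
probe() {
  local host=$1 ip=$2 port=$3
  shift 3
  openssl s_client -connect "${ip}:${port}" -servername "$host" "$@" </dev/null 2>&1
}

# cert_summary: pull subject, issuer and validity window out of a probe's output
# (openssl x509 skips everything before the first PEM block).
cert_summary() {
  openssl x509 -noout -subject -issuer -dates 2>/dev/null
}

# diagnose HOST ORIGIN_IP [PORT]: try TLS 1.2 and 1.3, print a verdict per version,
# then show certificate details if any handshake completed.
diagnose() {
  local host=$1 ip=$2 port=${3:-443}
  local ver out verdict any_ok=""
  for ver in -tls1_2 -tls1_3; do
    out="$(probe "$host" "$ip" "$port" "$ver")"
    verdict="$(printf '%s\n' "$out" | classify_probe)"
    printf '%-8s %s\n' "${ver#-}" "$verdict"
    case "$verdict" in
      OK|CERT_INVALID:*) any_ok="$out" ;;
    esac
  done
  if [ -n "$any_ok" ]; then
    printf '%s\n' "$any_ok" | cert_summary
  else
    echo "no TLS 1.2/1.3 handshake completed: Full or Full (Strict) mode would return 525"
  fi
}

# Usage (placeholders): diagnose example.com 203.0.113.10
if [ -n "${1:-}" ]; then
  diagnose "$@"
fi
```

Run it against the origin's real IP, not the proxied hostname, because the hostname resolves to Cloudflare while the site is orange-clouded. A HANDSHAKE_FAILED verdict on both versions usually means the server block is limited to legacy protocols or ciphers; in Nginx that is fixed with ssl_protocols TLSv1.2 TLSv1.3; and a modern ssl_ciphers list, followed by a reload and a re-run. A CERT_INVALID verdict with a completed handshake is the 526 case, which Full (Strict) rejects but Full accepts.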