We have a Cloudflare DNS CNAME record pointing to an AWS API Gateway with a custom domain that uses SNI. We are getting a 525 SSL Handshake Failed error.
We went through the steps in the support article https://support.cloudflare.com/hc/en-us/articles/200278659. We were able to test that the custom domain on the AWS side has a valid SNI configuration using https://www.ssllabs.com/ssltest/analyze.html. We are able to go directly to the custom domain on the AWS side with no problem, and Chrome and mobile browsers acquire the cert correctly.
We have similar CNAME redirects to ELB URLs (which have certs that do not require SNI) that work perfectly well. We have Full (Strict) SSL turned on, as well as Universal SSL.