Intermittent 525 SSL Handshake Error

Hi CloudFlare Community,

We implemented CloudFlare two weeks ago.
We hadn’t checked the SSL_ERROR log on our server, which shows that we have got a bunch of errors on the requests made to our web server.

Below is the snapshot of our server log
[ssl:error] [pid 12448] SSL Library Error: error:14080152:SSL routines:ssl3_accept:unsafe legacy renegotiation disabled

Question:

  • Does this error cause the intermittent 525 SSL Handshake Failed page?

We noticed that our server is not compatible with TLS 1.3; therefore we disabled TLS 1.3 on the Cloudflare dashboard (Edge).
We have ensured that the SSL certificate used on our web server is exactly the same as the one that we placed on CloudFlare.

From the CloudFlare documentation and community we have narrowed it down to SSLCipherSuite as the setting that might be causing this intermittent 525 SSL handshake failed page.

Below is our current web server configuration - RHEL 7.8

SSLProtocol             TLSv1.1 TLSv1.2
SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS
SSLHonorCipherOrder     on

Could you please advise what the correct configuration is to avoid [ssl:error] [pid 12448] SSL Library Error: error:14080152:SSL routines:ssl3_accept:unsafe legacy renegotiation disabled?

Thank you
Jeffry
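The error code in the log line above is not opaque: OpenSSL 1.0.x/1.1.x (the generation shipped with RHEL 7) packs the library, function and reason numbers into that 32-bit value as 8, 12 and 12 bits, which is what `openssl errstr 14080152` decodes on the origin itself. The reason number 338 is SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED, raised when a peer tries to renegotiate without the RFC 5746 secure renegotiation extension, which OpenSSL refuses by default. The following Python is an added example, not code from the thread or from Cloudflare: it parses Apache `ssl:error` lines, decodes the packed code, and tallies how often each reason occurs. The first sample line is the one quoted above; the third (a "no shared cipher" error during the ClientHello) is constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample log. Line 1 is copied from the forum post; lines 2 and 3
# are made up to show aggregation over more than one error type.
SAMPLE_LOG = """\
[ssl:error] [pid 12448] SSL Library Error: error:14080152:SSL routines:ssl3_accept:unsafe legacy renegotiation disabled
[ssl:error] [pid 12448] SSL Library Error: error:14080152:SSL routines:ssl3_accept:unsafe legacy renegotiation disabled
[ssl:error] [pid 12450] SSL Library Error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
"""

# Apache mod_ssl prefixes these lines with a timestamp and sometimes a
# "[client ip:port]" field; search() tolerates any such prefix.
LINE_RE = re.compile(
    r"\[ssl:(?P<level>\w+)\] \[pid (?P<pid>\d+)\] SSL Library Error: "
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+?)\s*$"
)


def decode_error_code(code_hex):
    """Unpack an OpenSSL 1.0.x/1.1.x error code: ERR_PACK(lib, func, reason)
    = (lib << 24) | (func << 12) | reason.  (OpenSSL 3 no longer stores the
    function number, so only lib and reason are meaningful there.)"""
    code = int(code_hex, 16)
    return {
        "lib_num": (code >> 24) & 0xFF,
        "func_num": (code >> 12) & 0xFFF,
        "reason_num": code & 0xFFF,
    }


def parse_ssl_log(text):
    """Return one dict per SSL Library Error line, with the code decoded."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an SSL library error line; ignore
        entry = m.groupdict()
        entry.update(decode_error_code(entry["code"]))
        entries.append(entry)
    return entries


def summarize(entries):
    """Count occurrences per (code, human-readable reason)."""
    return Counter((e["code"].upper(), e["reason"]) for e in entries)


if __name__ == "__main__":
    parsed = parse_ssl_log(SAMPLE_LOG)
    for (code, reason), n in summarize(parsed).most_common():
        d = decode_error_code(code)
        print(f"{n:3d}x {code} lib={d['lib_num']} func={d['func_num']} "
              f"reason={d['reason_num']} : {reason}")
```

Run it against the real error_log instead of `SAMPLE_LOG` to see whether the renegotiation error is the only one, or whether "no shared cipher" style handshake failures (which would line up with a cipher-suite mismatch) also appear; a renegotiation refusal on its own happens after a handshake has already completed, so it is worth separating the two before changing SSLCipherSuite.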

Have you got multiple domains at your host/origin?

Maybe you are using old TLS, or support older ciphers.

What do you get for a result if you change to SSLCipherSuite DEFAULT?

In case this tool can help you - choose Apache and Intermediate:

https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1d&guideline=5.6

Try with:

SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off
SSLSessionTickets       off

Regarding the 525 error, kindly check for some useful information and steps to try out from this article:

Have you got an SSL certificate generated and installed, and are you using it in your virtualhost file at your host/origin?
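The two SSLCipherSuite lines in this thread differ in more than length: the original list ends with six suites that use static RSA key exchange (AES128-SHA and friends, no forward secrecy) and contains sixteen CBC suites, eight of them with SHA-1 MACs, while the suggested list is eight ECDHE/DHE AEAD suites only. The following Python is an added example, not code from the thread or from the Mozilla generator: it parses an OpenSSL-style cipher string as Apache reads it and classifies each suite by key exchange and record protection. It handles literal suite names and `!NAME` exclusions only; group keywords such as `DEFAULT` or `HIGH` are reported as unexpanded, because expanding them correctly requires asking the origin's own libssl (`openssl ciphers -v 'DEFAULT'`).

```python
# Constructed inputs: the two SSLCipherSuite values quoted in this thread.
ORIGINAL = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:"
    "AES128-SHA:AES256-SHA:!DSS"
)
SUGGESTED = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
)


def parse_cipher_string(s):
    """Split an OpenSSL cipher string into (enabled, excluded, keywords).
    A token with no '-' (DEFAULT, HIGH, aNULL, ...) is a group keyword that
    libssl expands at runtime; it is returned separately, not expanded here."""
    enabled, excluded, keywords = [], [], []
    for tok in s.split(":"):
        tok = tok.strip()
        if not tok:
            continue
        if tok.startswith("!"):
            excluded.append(tok[1:])
        elif "-" not in tok:
            keywords.append(tok)
        else:
            enabled.append(tok)
    return enabled, excluded, keywords


def classify(name):
    """Classify one OpenSSL suite name by its naming convention."""
    fs = name.startswith(("ECDHE-", "DHE-"))   # ephemeral key exchange
    if "GCM" in name or "CHACHA20-POLY1305" in name:
        mode = "AEAD"
    elif name.endswith("-SHA"):
        mode = "CBC+SHA1"                        # HMAC-SHA1 over CBC
    else:
        mode = "CBC+SHA2"                        # HMAC-SHA256/384 over CBC
    return {"name": name, "forward_secrecy": fs, "mode": mode}


def audit(cipher_string):
    """Summarise a cipher string: which suites lack forward secrecy, which
    still use CBC, and which tokens could not be expanded offline."""
    enabled, excluded, keywords = parse_cipher_string(cipher_string)
    rows = [classify(n) for n in enabled]
    return {
        "total": len(rows),
        "no_forward_secrecy": [r["name"] for r in rows if not r["forward_secrecy"]],
        "cbc_sha1": [r["name"] for r in rows if r["mode"] == "CBC+SHA1"],
        "cbc_sha2": [r["name"] for r in rows if r["mode"] == "CBC+SHA2"],
        "aead": [r["name"] for r in rows if r["mode"] == "AEAD"],
        "excluded": excluded,
        "unexpanded_keywords": keywords,
    }


if __name__ == "__main__":
    for label, value in (("original", ORIGINAL), ("suggested", SUGGESTED), ("DEFAULT", "DEFAULT")):
        r = audit(value)
        print(f"{label}: {r['total']} suites, {len(r['aead'])} AEAD, "
              f"{len(r['cbc_sha1'])} CBC/SHA1, {len(r['no_forward_secrecy'])} without FS, "
              f"unexpanded={r['unexpanded_keywords']}")
```

The classification only tells you what the origin is willing to negotiate; whether a given 525 is actually a cipher mismatch is settled by the origin's own log (a "no shared cipher" error) and by an `openssl s_client -connect origin:443 -servername host` run from outside Cloudflare, not by the list alone.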

Hi @fritexvz

Thanks for your message.
Below are the details of what we’re currently using.

SSLProtocol TLSv1.1 TLSv1.2
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS
SSLHonorCipherOrder on

We tried disabling the current setting and changing it to SSLCipherSuite DEFAULT.
The issue was still the same: an intermittent 525 SSL Handshake Failed page.

At the moment, we still receive the SSL error logging in our server log.
[ssl:error] [pid 12448] SSL Library Error: error:14080152:SSL routines:ssl3_accept:unsafe legacy renegotiation disabled
May I know what it means?

Thanks again for your message.
