SSL handshake error, code 525, I need your help

My website is inaccessible through cloudflare CDN, is inaccessible, showing SSL handshake failure 525, SSL/TLS encryption mode is full.
My real backend domain name can be accessed through https, no problem. But now I can’t use cloudflare CDN. I found through debugging that when accessed in cloudflare CDN mode, it modifies the domain name of the HTTP_HOST message, causing the domain name and certificate on my nginx to not match. If I add on nginx, my ssl certificate will not match. I hope that when accessing cloudflare CDN, HTTP_HOST will not be modified. I have never found this problem before! It’s really helpless!

1 Like

Hi there,

Thank you for reaching out to us. I am sorry to hear that you are experiencing some difficulties here.

A 525 error indicates that the SSL handshake between Cloudflare and the origin web server failed. This only occurs when the domain is using Cloudflare Full or Full (Strict) SSL mode:
Error 525: SSL handshake failed

We would recommend you contact your hosting provider to exclude the following common causes at your origin web server:

  • No valid SSL certificate installed
  • Port 443 (or another custom secure port) is not open
  • No SNI support
  • The cipher suites accepted by Cloudflare does not match the cipher suites supported by the origin web server

If you are only intermittently seeing 525’s, this suggests the TCP connection between Cloudflare and your origin is being reset during the SSL handshake causing the error.

In order to ensure that all requests from Cloudflare are accepted by your server over HTTPS, please make sure to:

  • Check if you have a certificate installed on your origin server. In case you don’t have any certificate, you can create and install our free Cloudflare origin CA certificate. Using Origin CA certificates allows you to encrypt traffic between Cloudflare and your origin web server.
  • Review the cipher suites your server is using to ensure they match what is supported by Cloudflare.
  • Check your server’s error logs from the timestamps you see 525s to ensure there is errors that could be causing the connection to be reset during the SSL handshake

If you are still not able to identify the cause, you can change the SSL mode to Flexible under the SSL/TLS tab in your Cloudflare Dashboard, so we do not connect to your server over port 443.

I hope this helps.

After many attempts, I finally found that I needed to bind the CDN domain name on the server nginx. Although it was solved, the process seemed wrong!
Because CDN is a reverse proxy, the origin server does not need to be forced to bind the CDN domain to nginx. Because the CF proxy server can be accessed directly using the CNAME domain name, CF should not force the HTTP HOST to be modified. It only needs to add an HTTP_CF_DOMAIN in the HTTP header to mark that this is accessed through the CF CDN mode.

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.