SSL Issue ( Openssl )


Using the SSL certificate provided by Cloudflare, I get the following:

Is it possible to use the Cloudflare SSL only and not a SSL on the origin server and to be able to fix that error?

*** Disclaimer: I’ve replaced my actual domain with ( ) ***

openssl s_client -connect
4534021804:error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure:/AppleInternal/BuildRoot/Library/Caches/ alert number 40
4534021804:error:140040E5:SSL routines:CONNECT_CR_SRVR_HELLO:ssl handshake failure:/AppleInternal/BuildRoot/Library/Caches/

no peer certificate available

No client certificate CA names sent

SSL handshake has read 7 bytes and written 0 bytes

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Protocol : TLSv1.2
Cipher : 0000
Start Time: 1611937146
Timeout : 7200 (sec)
Verify return code: 0 (ok)

You shouldn’t get an SSL error when connecting to a Proxied (:orange:) hostname.

You definitely need SSL on the origin server if your goal is to secure your site’s traffic.

Thanks for the reply,

I have enabled ssl certificate on the server via lets encrypt and re-enabled the proxy cloud and turned on Full (strict) but still get the error.

But if I turn off the proxy cloud (:orange:) then it comes up correct

Check the SSL/TLS page → Edge Certificates. What’s the Status for the Universal SSL cert?


Can you post the domain name?

It’s interesting that command fails from MacOS, but passes in Ubuntu. I suspect it’s something about Apple’s openssl not tolerating something, but I don’t know what. Browsers don’t seem to mind the certificate.

Maybe another @MVP knows why, or someone from #JanJam may pick this up in an hour.

1 Like

What is your minimum TLS version set as in the Cloudflare Dashboard (At SSL/TLS → Edge Certificates)?
If it’s set to 1.3, can you change it to 1.2 and try again?


Good catch. Qualys SSL test says it’s 1.3 only.

1 Like

Always Use HTTPS = ON

Opportunistic Encryption = ON

TLS 1.3 = ON

Certificate Transparency Monitoring ( Beta ) = OFF

And yes, I’m using a MacOS computer and using Terminal

@arunesh90 1.2 works

1 Like

TLS 1.3 compatibility is not yet the best on most modern systems, so it’s probably best to keep the minimum version on 1.2 for now


@arunesh90 Okey, Thank-you.

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.