TLS Handshake Failed

Answer these questions to help the Community help you with Security questions.

Describe the issue you are having:
We’re doing domain fronting between Cloudflare and another agency which uses Fastly to power their backend. While the domain fronting and the backend have worked between Cloudflare and Fastly for the past year since we pointed the DNS/CNAME, recently, for some reason, Cloudflare is not recognizing the SSL/TLS certificate issued by Fastly - hence causing a TLS handshake failure.

What error message or number are you receiving?
On Fastly.com, the handshake failure is referred to as Error 421: "Requested host does not match any Subject Alternative Names (SANs) on TLS certificate [60512585fc323e30052b030c209c5c0374cbad1d123bce95389984ae45811453] in use with this connection. Visit docs[dot]fastly[dot]com/en/guides/common-400-errors#error-421-misdirected-request for more information."

What steps have you taken to resolve the issue?
We’re looking into 3 alternatives but haven’t implemented them yet:

  1. We’re thinking of generating a Cloudflare Origin CA root certificate to be installed on the Fastly end - this is in line with one of your guidelines displayed here: community[dot]cloudflare[dot]com/t/community-tip-fixing-error-525-ssl-handshake-failed/44256
  2. Right now we’re not using Advanced Certificate Manager, which doesn’t support SAN configuration - hence, would upgrading to an ACM certificate solve the handshake issue? According to our partner agency’s team, Cloudflare’s ACM was used on their end and doesn’t seem to cause an issue performing a handshake with Fastly.
  3. Referring to the guideline provided by Fastly here, we might want to look into creating a host header override on the Fastly end, but according to our partner agency’s development team, it would be a risk for them since they are also serving 100+ white-label customers who perform the same domain fronting using hosting services other than Cloudflare towards Fastly’s backend server and have never faced an issue.

Was the site working with SSL prior to adding it to Cloudflare?
It was working both before and after adding it to Cloudflare (almost a year).

What are the steps to reproduce the error:

  1. Just visit the link here: theatreuk[dot]velloy[dot]com
  2. Then, you will see a 421 error message displayed.

Have you tried from another browser and/or incognito mode?
Yes

Please attach a screenshot of the error:

Hi there,

The message you’re seeing is coming from the origin, not Cloudflare, and the 421 is also from the origin.
If you access the origin directly, you’ll see the same error.

On the Cloudflare side the certificate is valid despite the message served by the origin:

[Screenshots: 2024-03-06 at 13.30.27 and 2024-03-06 at 13.31.25]

Take care.
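The reply above pins the 421 on the origin's certificate rather than Cloudflare's edge certificate: Fastly checks the requested host name against the dNSName SAN entries of the certificate it serves, and answers 421 when none covers it. The script below is an added diagnostic, not code from the poster, Cloudflare or Fastly. It implements the usual SAN matching rule (exact match, or a single leftmost-label wildcard) so you can see why a name is or is not covered, and it includes a helper that pulls the SAN list from a live endpoint under a chosen SNI so the edge certificate and the origin certificate can be compared for the same host name. The SAN lists in `main()` are constructed illustrations, not the real certificates involved; `fetch_san_dns_names` needs network access and is not called by the offline demo.

```python
import socket
import ssl
from typing import Iterable, List, Optional, Tuple


def hostname_matches_san(hostname: str, san_dns_names: Iterable[str]) -> bool:
    """Return True if hostname is covered by one of the dNSName SAN entries.

    Matching rule in the spirit of RFC 6125:
    - comparison is case-insensitive and ignores a trailing dot,
    - an exact match wins,
    - '*' is accepted only as the entire leftmost label and matches exactly
      one label, so '*.example.com' covers 'a.example.com' but neither
      'example.com' nor 'a.b.example.com'; '*.com'-style names are refused.
    """
    host = hostname.rstrip(".").lower()
    host_labels = host.split(".")
    for san in san_dns_names:
        name = san.rstrip(".").lower()
        if name == host:
            return True
        labels = name.split(".")
        if (
            labels[0] == "*"
            and len(labels) >= 3
            and len(labels) == len(host_labels)
            and labels[1:] == host_labels[1:]
        ):
            return True
    return False


def diagnose(requested_host: str, san_dns_names: List[str]) -> Tuple[bool, str]:
    """Explain, for one certificate, whether requested_host would pass the SAN check."""
    if hostname_matches_san(requested_host, san_dns_names):
        return True, f"{requested_host} is covered by SANs {san_dns_names}"
    return False, (
        f"{requested_host} matches none of SANs {san_dns_names}; an origin that "
        "compares the requested host against its certificate answers "
        "421 Misdirected Request"
    )


def fetch_san_dns_names(
    host: str, port: int = 443, server_name: Optional[str] = None, timeout: float = 5.0
) -> List[str]:
    """Connect to host:port, send server_name as SNI, return the cert's dNSName SANs.

    Chain verification against the system trust store stays on; only the
    host-name check is turned off so a mismatch is reported instead of
    aborting the handshake. Requires network access (not used by the demo).
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name or host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def main() -> None:
    requested = "theatreuk.velloy.com"  # host name from the thread
    # Constructed SAN lists for illustration only; not the actual certificates.
    edge_sans = ["velloy.com", "*.velloy.com"]
    origin_sans = ["*.partner-backend.example", "partner-backend.example"]

    for label, sans in (("edge (Cloudflare-side)", edge_sans), ("origin (Fastly-side)", origin_sans)):
        ok, message = diagnose(requested, sans)
        print(f"{label}: {'OK ' if ok else '421'} - {message}")

    # Wildcard edge cases that commonly surprise people.
    for name in ("velloy.com", "a.b.velloy.com", "THEATREUK.velloy.com"):
        print(f"{name!r} vs ['*.velloy.com'] -> {hostname_matches_san(name, ['*.velloy.com'])}")


if __name__ == "__main__":
    main()
```

To compare the real certificates, call `fetch_san_dns_names("<edge or origin address>", server_name="theatreuk.velloy.com")` for each side and feed the result to `diagnose`; a host that passes on the edge but fails on the origin reproduces exactly the situation described in the thread.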
