NicSRS
US - English

Blog > How to Fix the SSL/TLS Handshake Failed Error?

How to Fix the SSL/TLS Handshake Failed Error?

Tag:

SSL errors

TLS handshake

SSL handshake

SSL Certificate

1629:0

AndreaJanuary 3 2023

The SSL/TLS handshake is the first and most important step towards establishing a secure connection. A handshake failed error is always frustrating because it prevents us from visiting a website. For users, it is very time-consuming; for website owners, it could affect business and reduce revenue. But usually, the browser simply tells you that it's a handshake failed error and nothing more. It can be confusing as many people don't know what this error actually means and how to fix it.
Therefore, in this article, we will first explain what an SSL/TLS handshake is. Most of us won't pay attention to this concept until we get a handshake failed error. It will be helpful to understand its process and why it may fail.

The SSL/TLS Handshake

 

Technically, it's called a TLS handshake since SSL protocol is old and less secure. However, the term "SSL" has remained and is still widely used, so we'll refer to the process as the "SSL/TLS handshake" in this article.

The SSL/TLS handshake, an essential process in https connections, involves two parties. One is the browser or the user, and the other is the website server. How can these two trust each other and exchange sensitive or private information? This process will play its role.
Imagine two people doing business. Both parties do a lot of identity checks to make sure they are not dealing with a fraud, and then they acknowledge each other, agree on something and decide to cooperate. Done! And they shake hands. The term "handshake" is self-evident.

How the Handshake Process Works?

Depending on the different TLS versions used, the specific handshake steps can vary, but overall the following steps are included:

✦The server sends its SSL certificate (issued and signed by a trusted CA) to the browser to start the handshake process.
✦The browser then checks the legitimacy of the certificate.
✦The server and the browser find a mutually supported cipher suite to use since they could have very different features and capabilities.
✦Then the key exchange begins, which will be used to encrypt and decrypt information.

 

It seems like the server and the browser do a lot of things to complete the process, but actually it only takes some milliseconds. Users, i.e. you, can hardly notice it. It's the first thing that happens in all secure connections. Previously, the handshake process would take place every time, even when you revisit a site. Sometimes, especially for large websites, they could be doing this handshake with a large number of users simultaneously. This is why some have complained that https connection actually slows your speed. The good thing is, many improvements have been made in recent years, especially with TLS 1.3, to achieve a faster speed as well as stronger security.
Most people notice the handshake process for the first time when it failed. Frankly speaking, there's little you can do to fix such an error because most of the time it's with the server's side. That said, we provide some ways for you to troubleshoot when this happens. One of them may work, right?

 

How to Fix the Handshake Failed Error

There are so many things happening in the process and any part can go wrong. We'll go through the most common causes one by one and give instructions on how to fix them. If the cause can be identified quickly, it could save you a lot of time.

Incorrect System Time

Incorrect system time is a rare case but it can happen due to accidental changes, and is super easy to fix. If your system's date and time are incorrect, they probably couldn’t match the SSL certificate's validity period, thus causing the handshake failed error. If not for specific and important reasons, NicSRS suggests that you do not change your system time because it can mess up a lot of things.

Browser Issue

 

You can try opening the same website with another browser and see if the issue persists. If it's totally normal with another browser, you'll know for sure that it's a browser error issue. If this is the case, you may want to check the browser’s settings or extensions/plugins. Reset the browser to default settings and disable the extensions. As you do this, try connecting to the website each time after one extension is disabled.
1. Click on the three dots icon in the top right corner of Chrome
2. Find "More tools" and select "Extensions”
3. Use the toggle to disable each extension


If you can't connect to the website with none of your browsers, the problem is on the server's side.

A Mismatch in the Protocols

 

A protocol mismatch means your browser and the server don't support the same TLS version to resume connection. If this is the cause, then probably you could do nothing about it. There are few websites that just don't support certain protocols. The major browsers have announced they would no longer support deprecated protocols such as TLS 1.0 and TLS 1.1. Check your browser settings to see if it supports TLS 1.2 or TLS 1.3. If not, it's suggested that you upgrade your browser to the more recent version or configure the browser to support the TLS version needed. Here are the steps to check which TLS/SSL versions your browser supports.
1. Click on the three dots icon in the top right corner of Google Chrome
2. Click on "Settings", scroll down until you see "Show advanced settings"
3. Click the "Change proxy settings" button in the "Network" section
4. Choose the "Advanced" tab, and you could check all the boxes to see if it's fixed.


(This is an example that doesn't support TLS 1.3)

Note that if your browser supports a newer version while the server supports an older version, do not go back to earlier browser versions in order to accommodate to the server.

Cipher Suite Mismatch

The Cipher Suite is the algorithm that the server and the browser pick for encryption. Generally speaking, most websites support many cipher suites so that the browser can always find an option and they could agree on using one. However, if the browser and the server have wildly different capabilities and cannot find a common cipher suite they could both use, the connection would terminate, leading to a handshake failed error. The way to fix this is pretty similar to the protocol mismatch. Upgrade your browser to the newest version. If it is already the latest one, this is probably not the reason. You can move on to the next cause.

Invalid Certificate

There can be several reasons that cause an invalid SSL certificate

1. An expired certificate.
2. The hostname in URL doesn't match the common name on the certificate.
3. Intermediate certificate is missing in the chain. That is, the certificate chain isn't complete, thus preventing the handshake from being completed.
4. Self-signed certificates: If you generate new certificates frequently, this could confuse the browser in path-building. Or the certificate isn't properly installed. The site can fix this by obtaining a certificate from trusted CAs or trusted certificate resellers like NicSRS.

SNI-ENABLED SERVER

If your browser is not SNI-enabled, you will not be able to communicate with an SNI-enabled server, because the server may not know which certificate to send, thus resulting in a failed handshake. If this is the case, a "Your connection is not private error" will appear and you will not be able to open the website. At present only some of the very old browser versions don't support SNI (server name indication), so the wisest thing for you to do is to upgrade your browser to a newer version.

After reading the above, you should know that you can't solve all the problems by yourself. If you are sure the problem is on the server's side, don't do anything lightly. Just inform the website administrator and let them fix it.
What you should never do when encountering a handshake failed error? If you decide to turn off the firewall to identify the cause, do not forget to turn it back on immediately! You may temporarily disable your firewall to see if the error warning goes away, but this can render you vulnerable and expose you to cyberattacks. Also, do not risk opening http sites.

 

Comments