525 SSL Handshake Failed
The HTTP 525 SSL Handshake Failed status code is an unofficial server error specific to Cloudflare. This error occurs when the SSL/TLS handshake between Cloudflare and the origin server fails.
Usage
Cloudflare is a content delivery network acting as a reverse proxy between clients and origin servers. The 525 error means Cloudflare reached the origin on the expected port but the SSL/TLS negotiation did not complete. The connection was established at the TCP level, but the two sides were unable to agree on a secure channel.
Common causes include:
- The origin server does not support the SSL/TLS protocol versions or cipher suites Cloudflare offers.
- The origin server is not configured for HTTPS on the port Cloudflare connects to.
- The origin's SSL certificate is misconfigured or does not match the expected hostname.
- A firewall or middlebox is interfering with the SSL/TLS negotiation.
Note
A 525 differs from 526 Invalid SSL Certificate: a 525 means the handshake itself failed (protocol mismatch, no shared ciphers), while a 526 means the handshake completed but the certificate did not pass validation.
SEO impact
Search engines treat Cloudflare 525 responses as server errors. Persistent SSL handshake failures reduce crawl rate and prevent indexing of affected URLs. Fixing the origin TLS configuration restores normal crawling.
Example
A client sends an HTTPS request through Cloudflare. Cloudflare attempts an SSL/TLS handshake with the origin server, but the handshake fails due to a protocol mismatch.
Request
GET /secure/login HTTP/1.1
Host: www.example.re
Accept: text/html
Response
HTTP/1.1 525 SSL Handshake Failed
Date: Sun, 02 Mar 2026 10:40:00 GMT
Content-Type: text/html
Server: cloudflare
CF-RAY: 8a1b2c3d4e5f6-FRA

<html>
<head><title>525 SSL Handshake Failed</title></head>
<body>
<h1>Error 525</h1>
<p>SSL handshake failed</p>
</body>
</html>
How to fix
A 525 only appears when the Cloudflare SSL/TLS mode is set to Full or Full (Strict). The handshake failure happens between Cloudflare and the origin, not between the client and Cloudflare.
Confirm the origin has a valid SSL certificate installed. Run openssl s_client -connect origin:443 -servername example.re from an external host to test the handshake directly. If the connection fails without Cloudflare in the path, the origin's TLS configuration is the problem.
Install a free Cloudflare Origin CA certificate on the origin for a guaranteed-compatible setup. Generate the certificate in the Cloudflare dashboard under SSL/TLS > Origin Server > Create Certificate. Copy the certificate and private key to the origin and configure the web server to use them.
Verify the origin supports TLS 1.2 or higher. Update the origin's ssl_protocols directive (Nginx) or SSLProtocol directive (Apache) to include TLS 1.2 and TLS 1.3. Modern TLS versions are recommended for best compatibility.
Check cipher suite compatibility. The origin must support at least one cipher from Cloudflare's supported cipher list. Modern cipher suites using ECDHE key exchange are recommended but not strictly required. Use the Qualys SSL Server Test (ssllabs.com/ssltest) to audit the origin's supported ciphers and identify mismatches.
Confirm the origin supports Server Name Indication (SNI). Cloudflare sends the SNI extension during the handshake. Origins behind shared hosting without SNI support fail to present the correct certificate.
Review the origin web server error logs at the timestamps matching 525 occurrences. Apache logs SSL errors in the SSL error log. Nginx includes SSL errors in the standard error log (increase the error_log level to info or debug for more detail).
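The steps above can be run from an external host as one script. The following is an added example, not Cloudflare's tooling or code from this page: it performs the openssl s_client check programmatically with Python's ssl module, pinned to TLS 1.2 and TLS 1.3 in turn and with the SNI extension on and off, and then maps the outcome onto the error Cloudflare would surface (a failed handshake for 525, a completed handshake with a rejected certificate for 526). The hostname origin.example.re is a placeholder, and the Nginx and Apache directive values in the protocol-mismatch advice are the author's suggested syntax, not taken from this page.

```python
"""Probe an origin's TLS configuration the way Cloudflare's handshake would hit it,
then classify the result as 525-like, 526-like, or not a TLS problem at all."""
from __future__ import annotations

import socket
import ssl
from dataclasses import dataclass

VERSIONS = {"TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}


@dataclass
class ProbeResult:
    version: str        # TLS version the client was pinned to
    sni: bool           # whether the SNI extension carried the hostname
    ok: bool
    error: str = ""     # "tcp: ...", "handshake: ..." or "cert: ..."
    negotiated: str = ""


def _client_context(version: ssl.TLSVersion, sni: bool) -> ssl.SSLContext:
    ctx = ssl.create_default_context()   # system trust store, CERT_REQUIRED
    ctx.minimum_version = version
    ctx.maximum_version = version        # pin one version, like `openssl s_client -tls1_2`
    if not sni:
        ctx.check_hostname = False       # no name to match without SNI; the chain is still verified
    return ctx


def probe_handshake(host: str, port: int, version_name: str, sni: bool,
                    timeout: float = 5.0) -> ProbeResult:
    """One handshake attempt against host:port (assumed reachable), pinned to one TLS version."""
    ctx = _client_context(VERSIONS[version_name], sni)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host if sni else None) as tls:
                return ProbeResult(version_name, sni, True, negotiated=tls.version() or "")
    except ssl.SSLCertVerificationError as exc:   # handshake finished, certificate rejected (526)
        return ProbeResult(version_name, sni, False, error=f"cert: {exc.verify_message}")
    except ssl.SSLError as exc:                   # handshake itself failed (525)
        return ProbeResult(version_name, sni, False, error=f"handshake: {exc.reason}")
    except OSError as exc:                        # TCP-level failure: refused, timeout, reset
        return ProbeResult(version_name, sni, False, error=f"tcp: {exc}")


def probe_origin(host: str, port: int = 443) -> list[ProbeResult]:
    """Try every version/SNI combination Cloudflare might use against the origin."""
    return [probe_handshake(host, port, v, sni) for v in VERSIONS for sni in (True, False)]


def diagnose(results: list[ProbeResult]) -> tuple[str, str]:
    """Reduce a set of probe results to (code, explanation)."""
    failed = [r for r in results if not r.ok]
    if not failed:
        return ("ok", "origin handshakes cleanly from here; suspect a firewall or middlebox "
                      "between Cloudflare and the origin, or a wrong origin port")
    if len(failed) < len(results):
        bad = ", ".join(f"{r.version}{'' if r.sni else ' (no SNI)'}" for r in failed)
        return ("partial", f"some combinations fail ({bad}); a 525 appears only if Cloudflare "
                           "cannot use one of the working ones")
    if all(r.error.startswith("tcp:") for r in failed):
        return ("no-tls-listener", "no HTTPS listener reachable on this port (525)")
    if any(r.error.startswith("cert:") for r in failed):
        return ("cert-invalid", "handshake completes but the certificate is rejected (526): "
                                "check the hostname, chain and SNI support on the origin")
    versions = sorted({r.version for r in failed})
    return ("protocol-mismatch",
            f"handshake rejected for {', '.join(versions)} (525): enable them, e.g. "
            "'ssl_protocols TLSv1.2 TLSv1.3;' (Nginx) or "
            "'SSLProtocol -all +TLSv1.2 +TLSv1.3' (Apache)")


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "origin.example.re"   # placeholder hostname
    results = probe_origin(host)
    for r in results:
        print(f"{r.version:8} sni={str(r.sni):5} {'OK ' + r.negotiated if r.ok else r.error}")
    print("diagnosis:", *diagnose(results))
```

Run it as `python probe_origin.py origin.example.re` from a host outside Cloudflare's path, so that a failure cannot be blamed on the proxy. The classification rests on where the exception comes from: an SSLCertVerificationError means the protocol and cipher negotiation succeeded and only validation failed, which is the 526 case, while any other SSLError means the two sides never agreed on a channel, which is the 525 case this page describes.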
Takeaway
The 525 SSL Handshake Failed status code is a Cloudflare-specific error generated when the SSL/TLS handshake between Cloudflare and the origin server does not complete successfully.
See also
- 526 Invalid SSL Certificate
- 520 Web Server Is Returning an Unknown Error
- Troubleshooting Cloudflare Errors
- HTTP status codes