525 SSL Handshake Failed (Cloudflare) Fix
Cloudflare Error 525 means the TLS handshake to your origin failed. Check the origin cert, port 443, and TLS version in 3 steps. Free instant check, no sign-up.
Problem
Cloudflare returns Error 525: SSL handshake failed. The visitor reached Cloudflare, but Cloudflare could not complete a TLS handshake with your origin server.
Symptoms
- Cloudflare’s branded error page shows Error 525.
- The site uses Cloudflare SSL/TLS mode Full or Full (Strict) (525 does not occur in Flexible mode).
- The failure may be constant, or intermittent under load.
Top 3 Causes
- The origin has no valid certificate on port 443 - In Full or Full (Strict) mode, Cloudflare connects to the origin over HTTPS. If the origin serves no certificate, or port 443 is closed or not listening for TLS, the handshake cannot start.
- TLS version or cipher mismatch - The origin only offers protocols or ciphers Cloudflare will not negotiate (for example TLS 1.0/1.1 only), or the origin requires a client certificate Cloudflare is not sending. The handshake begins and then fails.
- A firewall is dropping Cloudflare, or the origin is saturated - The origin firewall blocks Cloudflare’s IP ranges on 443, or the origin is too overloaded to complete handshakes — which shows up as intermittent 525s.
Diagnose with DechoNet
- SSL Check against your origin hostname or IP to confirm it serves a valid certificate over TLS on port 443.
- Port Check to verify port 443 is open and reachable on the origin.
Resolution Checklist
- Test the origin directly, bypassing Cloudflare: openssl s_client -connect ORIGIN_IP:443 -servername yourdomain.com. A clean handshake should print the certificate chain; a failure points straight at the origin.
- If the origin has no certificate, install one. Cloudflare’s free Origin CA certificate is trusted by Full (Strict) and is the simplest fix.
- Confirm the origin offers TLS 1.2 or 1.3 and a modern cipher suite; an origin stuck on TLS 1.0/1.1 will be refused.
- Allow Cloudflare’s published IP ranges through the origin firewall on port 443.
- If the origin requires mutual TLS, configure Authenticated Origin Pulls so Cloudflare presents the expected client certificate.
- Re-run SSL Check against the origin to confirm the handshake now succeeds, then reload the site.
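As an added example (not DechoNet's tool or Cloudflare's code), the script below runs the openssl s_client check from the checklist with SNI, repeats it pinned to TLS 1.2 and TLS 1.3, and maps the raw output onto the three causes listed above. The verdict names and the grep patterns for openssl's wording are my own assumptions, and the sample outputs at the end are constructed.

```shell
# Added example, not DechoNet's tool or Cloudflare's code: run the guide's
# openssl check and map the raw output onto the three 525 causes above.
# Verdict names and the grep patterns for openssl's wording are assumptions.

# has PATTERN: case-insensitive match against the captured s_client output.
has() { printf '%s\n' "$out" | grep -qiE "$1"; }

# classify_handshake: reads `openssl s_client` output on stdin, prints one verdict.
classify_handshake() {
  out=$(cat)
  if has 'connect:errno=|connection refused|timed out|no route to host'; then
    echo "PORT_CLOSED"          # cause 1 or 3: port 443 closed, or a firewall drops Cloudflare
  elif has 'wrong version number|unknown protocol|packet length too long'; then
    echo "NOT_TLS"              # cause 1: something listens on 443 but it is not speaking TLS
  elif has 'alert certificate required' || { has 'Acceptable client certificate CA' && has ':error:'; }; then
    echo "CLIENT_CERT_REQUIRED" # cause 2: origin wants mutual TLS; use Authenticated Origin Pulls
  elif has 'protocol version|unsupported protocol|no protocols available|handshake failure'; then
    echo "TLS_MISMATCH"         # cause 2: only TLS 1.0/1.1 or ciphers the client refuses
  elif has 'no peer certificate available'; then
    echo "NO_CERTIFICATE"       # cause 1: handshake ended before any certificate was sent
  elif has 'Verify return code: 0 \(ok\)'; then
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    echo "OK ${proto:-unknown}" # handshake completed; confirm TLS 1.2 or 1.3 was negotiated
  elif has 'Verify return code: [1-9]'; then
    echo "CERT_UNTRUSTED"       # chain not trusted: acceptable for Full, not for Full (Strict)
  else
    echo "UNKNOWN"
  fi
}

# check_origin ORIGIN_IP HOSTNAME: the guide's command with SNI, first with default
# negotiation and then pinned to TLS 1.2 and 1.3, so an origin stuck on older TLS shows up.
check_origin() {
  for flag in "" -tls1_2 -tls1_3; do
    printf '%-8s ' "${flag:-default}"
    openssl s_client -connect "$1:443" -servername "$2" $flag </dev/null 2>&1 | classify_handshake
  done
}

# Constructed, trimmed s_client outputs so the classifier can be exercised offline.
SAMPLE_REFUSED='connect:errno=111'
SAMPLE_OLD_TLS='CONNECTED(00000003)
error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:SSL alert number 70
no peer certificate available
Verify return code: 0 (ok)'
SAMPLE_OK='CONNECTED(00000003)
Certificate chain
 0 s:CN = yourdomain.com
    Protocol  : TLSv1.3
Verify return code: 0 (ok)'
```

Run it as `check_origin ORIGIN_IP yourdomain.com` against the origin, not the Cloudflare-proxied address; three "OK TLSv1.x" lines mean the origin side of the handshake is healthy and the remaining suspects are the firewall rules or origin capacity.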
When to Escalate
- Escalate to your platform provider (Azure App Service, managed load balancers, and similar) if you cannot control the cipher suite or certificate the origin presents.
- Intermittent 525s under traffic usually point to origin saturation, keepalive limits, or handshake timeouts rather than the certificate — investigate origin capacity.