Cloudflare Error 525: SSL Handshake Failed
Quick reference
| Code | 525 SSL Handshake Failed |
|---|---|
| Category | Cloudflare Edge Error |
| Standard HTTP? | No |
| Vendor reference | Cloudflare docs |
What 525 means
Cloudflare 525 SSL Handshake Failed means the TCP connection to the origin server succeeded, but the TLS handshake that follows failed. Cloudflare could not negotiate an encrypted session with the origin server. This only occurs when Cloudflare SSL mode is Full or Full (Strict) — both modes require an encrypted connection between Cloudflare and the origin.
In Flexible mode, Cloudflare connects to origin over plain HTTP and never attempts a TLS handshake, so 525 cannot occur. In Full and Full (Strict) modes, Cloudflare initiates TLS to the origin on port 443 (or another supported HTTPS port). If that handshake fails for any reason, 525 is returned.
The distinction between 525 and 526: 525 is a TLS handshake failure. Cloudflare reached the port over TCP but could not complete the handshake, because the listener does not speak TLS, because no protocol version or cipher suite is shared, or because the origin mishandles the SNI name Cloudflare sends. 526 is a certificate validation failure: the origin presented a certificate, but in Full (Strict) mode Cloudflare rejected it (expired, issued by an untrusted CA, or not matching the hostname). In short, 525 means the handshake broke down before the certificate was the problem, and 526 means the certificate was the problem.
SSL mode comparison
| SSL Mode | Cloudflare to origin | Can produce 525? |
|---|---|---|
| Off | HTTP only | No |
| Flexible | HTTP only | No |
| Full | HTTPS, cert not verified | Yes |
| Full (Strict) | HTTPS, cert must be valid | Yes |
Diagnosing the handshake failure
Test the TLS handshake directly against the origin IP with openssl, bypassing Cloudflare. Keep -servername: Cloudflare sends the hostname in the TLS SNI extension, and an origin that only serves TLS for a default virtual host or rejects unknown SNI names can fail for Cloudflare while a test without SNI succeeds.
openssl s_client -connect ORIGIN_IP:443 -servername yourdomain.com </dev/null
# Successful output includes:
#   SSL-Session: Protocol: TLSv1.3 (or TLSv1.2)
#   Verify return code: 0 (ok)
# A completed handshake with a non-zero verify return code (for example
# "unable to verify the first certificate", which local openssl prints for a
# Cloudflare Origin Certificate because it is not in the system CA store)
# is not a 525 cause: the handshake itself worked.
# Failure outputs (function names vary between OpenSSL versions):
#   SSL routines:ssl3_get_record:wrong version number
#     a non-TLS service, usually plain HTTP, answered on the HTTPS port
#   SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
#     the origin rejected the ClientHello: no shared cipher, or SNI handling
#     (the origin's own log is where "no shared cipher" appears)
#   SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
#     the origin accepts none of the offered TLS versions
#   connect: Connection refused
#     nothing is listening at all; Cloudflare reports this as 521, not 525
Check which TLS versions the origin supports, one version per command:
openssl s_client -connect ORIGIN_IP:443 -tls1_2 -servername yourdomain.com </dev/null
openssl s_client -connect ORIGIN_IP:443 -tls1_3 -servername yourdomain.com </dev/null
# Each command forces a single protocol version. If both fail while the TCP
# connection succeeds, the origin has no usable TLS on that port at all.
Confirm that nginx is listening on port 443:
ss -tlnp 'sport = :443'
# No listener line means nothing is bound to 443; Cloudflare then cannot open the
# TCP connection and returns 521 rather than 525. A listener that is present but
# not configured for TLS (nginx "listen 443;" without "ssl") is what produces 525.
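The openssl checks above produce a transcript that has to be read by eye. As an added example (not part of the Cloudflare documentation or of this page's original commands), the following POSIX shell script runs the same probe with SNI set and maps the transcript to a likely cause, including the cases that are not 525 at all. The transcripts embedded in the block are constructed for the demonstration, not captured from a real origin; `probe_origin` needs network access and is defined but not invoked.

```shell
#!/bin/sh
# Added example: map an `openssl s_client` transcript to a likely 525 cause.
# Not taken from Cloudflare or from this page; the sample transcripts below are
# constructed for illustration, not captured from a real origin.

# classify_handshake reads a merged stdout+stderr transcript of
# `openssl s_client` on stdin and prints one token naming the likely cause.
# Error patterns are checked before success patterns because a failed run can
# still print a "Verify return code" line.
classify_handshake() {
  transcript=$(cat)
  case "$transcript" in
    *"Connection refused"*)
      echo "tcp-refused" ;;              # nothing listening: Cloudflare shows 521, not 525
    *"wrong version number"*)
      echo "non-tls-on-port" ;;          # plain HTTP (or another non-TLS service) answered on the port
    *"alert protocol version"*)
      echo "tls-version-mismatch" ;;     # origin accepts none of the offered TLS versions
    *"alert handshake failure"*)
      echo "no-shared-cipher-or-sni" ;;  # origin rejected the ClientHello: cipher mismatch or SNI handling
    *"unrecognized name"*)
      echo "sni-rejected" ;;             # origin sent the unrecognized_name alert for this SNI
    *"Verify return code: 0 (ok)"*)
      echo "handshake-ok-cert-trusted" ;;
    *"Verify return code:"*)
      echo "handshake-ok-cert-untrusted" ;;  # handshake completed; trust is a 526 question, not 525
    *)
      echo "unknown" ;;
  esac
}

# probe_origin runs the real check against an origin IP with SNI set the way
# Cloudflare sends it, then classifies the transcript. Requires network access.
probe_origin() {
  origin_ip=$1; hostname=$2; port=${3:-443}
  openssl s_client -connect "$origin_ip:$port" -servername "$hostname" </dev/null 2>&1 \
    | classify_handshake
}

# Constructed, abbreviated transcripts for the demonstration below.
SAMPLE_PLAIN_HTTP='CONNECTED(00000003)
SSL routines:ssl3_get_record:wrong version number
no peer certificate available'
SAMPLE_OK_UNTRUSTED='CONNECTED(00000003)
depth=0 CN = yourdomain.com
verify error:num=21:unable to verify the first certificate
SSL-Session:
    Protocol  : TLSv1.3
Verify return code: 21 (unable to verify the first certificate)'

printf '%s\n' "$SAMPLE_PLAIN_HTTP"   | classify_handshake   # non-tls-on-port
printf '%s\n' "$SAMPLE_OK_UNTRUSTED" | classify_handshake   # handshake-ok-cert-untrusted
```

For a live origin, `probe_origin ORIGIN_IP yourdomain.com` (or with a third argument for one of the other Cloudflare HTTPS ports) prints the same token; `handshake-ok-cert-untrusted` from a local run is expected for a Cloudflare Origin Certificate and does not explain a 525.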
Fixes by cause
No TLS certificate on origin: Install a certificate. The easiest approach is a free Cloudflare Origin Certificate, created in the Cloudflare dashboard under SSL/TLS → Origin Server → Create Certificate. It can be issued for up to 15 years and is trusted by Cloudflare in Full (Strict) mode, but not by browsers, so it is only suitable for an origin that is reached exclusively through Cloudflare. Install it on nginx:
server {
listen 443 ssl;                                  # "ssl" is what makes this listener speak TLS
server_name yourdomain.com;
ssl_certificate /etc/nginx/ssl/origin.pem;       # Cloudflare Origin Certificate (PEM)
ssl_certificate_key /etc/nginx/ssl/origin.key;   # its private key; keep this file readable by root only
ssl_protocols TLSv1.2 TLSv1.3;
}
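The `ssl` parameter on the `listen` line is easy to lose when a config is copied from a plain-HTTP server block, and the result is exactly the 525 case: nginx accepts Cloudflare's TCP connection on the HTTPS port and answers HTTP to a TLS ClientHello. As an added example (not from Cloudflare or from this page), the following POSIX shell function audits an nginx configuration for listen directives on any of Cloudflare's HTTPS origin ports that lack `ssl`. The sample configuration in the block is constructed.

```shell
#!/bin/sh
# Added example: find nginx listen directives on Cloudflare's HTTPS origin ports
# that lack the `ssl` parameter. Such a listener accepts Cloudflare's TCP
# connection and then answers plain HTTP, so the TLS handshake fails with 525.
# Not from the Cloudflare docs or this page; the sample config is constructed.

# Ports on which Cloudflare connects to the origin over HTTPS.
CF_HTTPS_PORTS="443 2053 2083 2087 2096 8443"

# find_plain_https_listeners reads nginx configuration on stdin and prints the
# port of every listen directive on a Cloudflare HTTPS port that has no `ssl`.
# The body runs in a subshell so `set -f` does not leak to the caller.
find_plain_https_listeners() (
  set -f   # no globbing: nginx allows "listen *:443;"
  # Drop comments and trailing semicolons, keep only listen directives,
  # then inspect each one word by word.
  sed -e 's/#.*$//' -e 's/;[[:space:]]*$//' |
  grep -E '^[[:space:]]*listen[[:space:]]' |
  while IFS= read -r line; do
    set -- $line                 # $1=listen $2=address[:port] $3..=parameters
    [ "$#" -ge 2 ] || continue
    port=${2##*:}                # "443", "[::]:443", "*:443", "0.0.0.0:443" -> "443"
    shift 2
    case " $CF_HTTPS_PORTS " in
      *" $port "*) ;;            # a Cloudflare HTTPS port: keep checking
      *) continue ;;             # not a port Cloudflare uses for HTTPS
    esac
    case " $* " in
      *" ssl "*) ;;              # TLS enabled on this listener
      *) echo "$port" ;;         # plain listener on an HTTPS port: 525 candidate
    esac
  done
)

# Constructed sample configuration (not a real deployment).
SAMPLE_NGINX_CONF='server {
    listen 80;
    server_name yourdomain.com;
}
server {
    listen 443;              # ssl missing: Cloudflare gets plain HTTP here
    listen [::]:2053;
    listen *:2087 default_server;
    server_name yourdomain.com;
}
server {
    listen 8443 ssl;
    # listen 2083;           # commented out, ignored by the audit
    server_name api.yourdomain.com;
}'

printf '%s\n' "$SAMPLE_NGINX_CONF" | find_plain_https_listeners   # prints 443, 2053 and 2087
```

On a real host, feed it the fully resolved configuration so that `include` files are covered: `nginx -T 2>/dev/null | find_plain_https_listeners`. Any port it prints needs `ssl` added to the listen directive (and a certificate configured) before Cloudflare can complete a handshake there.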
Outdated cipher suites (no shared cipher): Update nginx to offer modern ciphers:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
# ssl_ciphers governs TLS 1.2 only; the TLS 1.3 suites are fixed by the OpenSSL build nginx links against.
# The ECDHE-RSA entries are usable with an RSA certificate and the ECDHE-ECDSA entries with an ECDSA one;
# a list with no suite matching the installed key type reproduces the "no shared cipher" failure.
TLS version too old: Cloudflare requires TLS 1.0 minimum but strongly recommends TLS 1.2+. If the origin only supports SSLv3 or TLS 1.0 with broken cipher sets, the handshake fails. Upgrade the origin TLS configuration or the OpenSSL version.
Temporary workaround: In the Cloudflare dashboard, switching SSL mode from Full (Strict) to Full only disables certificate validation. That removes 526 errors caused by an expired, untrusted or mismatched certificate; it does not change the handshake itself, so a 525 caused by cipher, protocol version or SNI negotiation persists in Full mode and the origin TLS configuration still has to be fixed. Treat Full as a stopgap: without validation, anyone able to interpose on the path between Cloudflare and the origin can present their own certificate, so restore Full (Strict) once the origin is repaired. Do not work around 525 by dropping to Flexible, which makes Cloudflare send origin traffic in plaintext.
525 vs 526
| Code | TLS session | Root cause |
|---|---|---|
| 525 | Failed to establish | No cert, unsupported cipher/protocol |
| 526 | Established but cert rejected | Self-signed, expired, hostname mismatch |
Frequently asked questions
What is a Cloudflare Origin Certificate?
A free TLS certificate issued by Cloudflare for installation on origin servers. It is trusted by Cloudflare edge servers in Full (Strict) mode but not by browsers, so a visitor who reaches the origin directly, bypassing Cloudflare, gets a certificate warning. Valid for up to 15 years. Generated in the Cloudflare dashboard under SSL/TLS → Origin Server.
Can 525 occur with a valid Let's Encrypt certificate?
Yes, if the TLS handshake fails for a protocol, cipher or SNI reason that is independent of the certificate content. A common scenario is a listener on the HTTPS port that is not actually configured for TLS (for example nginx "listen 443;" without "ssl"), so the TCP connection succeeds but the handshake fails, or a server block that only serves the certificate on a port Cloudflare does not use. Confirm with openssl s_client, with -servername set.
Does 525 affect all visitors simultaneously?
Yes. The failure occurs between Cloudflare and the origin, not between the browser and Cloudflare, so every visitor sees 525 while the origin TLS is broken or missing. The exception is a domain served by several origins (a load balancer pool or DNS round robin) of which only some are misconfigured; then the error is intermittent and depends on which origin Cloudflare picked.
What Cloudflare ports support HTTPS to origin?
Cloudflare connects to origin HTTPS on these ports: 443, 2053, 2083, 2087, 2096, 8443. The default is 443. Configure the origin TLS listener on one of these ports for Cloudflare to reach it.
Related guides
Cloudflare 526 · SSL Handshake Failed · Cloudflare 520 · Cloudflare 521 · ERR_CERT_COMMON_NAME_INVALID