In person, a handshake can be used to greet someone or finalize an agreement with them. The same is true online.

When devices on a network (say, a browser and a web server) share encryption algorithms, keys, and other details about their connection before finally agreeing to exchange data, it’s called an SSL handshake. During this handshake, the browser and server might ask to see each other’s SSL certificates to verify them.

This handshake is essential for establishing a secure connection before transferring data, so it’s important to understand what an SSL handshake is and what to do if it fails.


Note: SSL and TLS are both cryptographic protocols that enable clients and servers operating over a network to communicate with each other securely. TLS has replaced SSL, but SSL is still a more commonly used term so we’ll continue to use it in this post.

SSL Handshake Steps

The exact steps in an SSL handshake vary depending on the version of SSL the client and server decide to use, but the general process is outlined below.

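  1. The client says hello. This “client hello” message lists cryptographic information, including the SSL version to use to communicate with each other. It also lists which encryption algorithms it supports, which are known as Cipher Suites.
  2. The server responds hello. This “server hello” message contains important information, like which Cipher Suite it chose, and its digital certificate. It might also request the client’s certificate.
  3. The client verifies the server’s certificate. It also sends several byte strings, including one that allows both the client and the server to compute the secret key used to encrypt subsequent messages, including the “finished” messages. If the server sent a client certificate request, it also sends a byte string encrypted with its own private key, along with its digital certificate.
  4. The server verifies the client’s certificate. This step only takes place if client authentication is required.
  5. The client says “I’m finished.” This “finished” message indicates that the client has completed its part of the handshake.
  6. The server says “I’m finished, too.” This “finished” message indicates that the server has completed its part of the handshake.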

For the remainder of the session, the server and client can now exchange messages that are encrypted with the same secret key, which was shared in step three. This is known as symmetric encryption. You can learn more about symmetric encryption, and how it differs from asymmetric encryption, in this post.

If the process goes smoothly, the steps above are what happens. But what if it doesn’t? Below, we’ll walk through how to resolve the “SSL Handshake Failed” error message.

What is SSL Handshake Failed?

SSL Handshake Failed is an error message that occurs when the client or server wasn’t able to establish a secure connection.

This might occur if:

  • The client is using the wrong date or time.
  • The client is a browser and its specific configuration is causing the error.
  • The connection is being intercepted by a third party on the client-side.
  • The client and server do not support the same SSL version.
  • The client and server are using different Cipher Suites.
  • The client or server’s certificate is invalid.
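To tell these causes apart from a script, the sketch below attempts a verified handshake with Python's standard `ssl` module and maps the resulting error to one of the causes listed above. It is an added example, not part of the original post; the function names `classify` and `probe` and the cause wording are assumptions made for illustration.

```python
import socket
import ssl

# OpenSSL X.509 verification codes mapped to the causes listed above.
VERIFY_CAUSES = {
    9: "certificate not yet valid: check the client clock",
    10: "certificate expired: check the client clock, then renew the certificate",
    18: "self-signed certificate: not trusted by the client",
    19: "untrusted root in chain: possible interception by a proxy or firewall",
    20: "issuer not found locally: incomplete chain or interception",
    62: "hostname mismatch: certificate was issued for a different name",
}

# OpenSSL reason names as exposed by ssl.SSLError.reason.
REASON_CAUSES = {
    "TLSV1_ALERT_PROTOCOL_VERSION": "no common SSL/TLS version",
    "UNSUPPORTED_PROTOCOL": "no common SSL/TLS version",
    "SSLV3_ALERT_HANDSHAKE_FAILURE": "no common Cipher Suite (or other parameter)",
    "NO_SHARED_CIPHER": "no common Cipher Suite",
}

def classify(reason=None, verify_code=None):
    """Map an SSLError reason or certificate verify code to a likely cause."""
    if verify_code is not None:
        return VERIFY_CAUSES.get(verify_code, f"certificate invalid (code {verify_code})")
    return REASON_CAUSES.get(reason, f"unclassified handshake failure ({reason})")

def probe(host, port=443, timeout=5.0):
    """Attempt a verified handshake; return 'ok: <version>, <suite>' or a cause."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return f"ok: {tls.version()}, {tls.cipher()[0]}"
    except ssl.SSLCertVerificationError as exc:
        return classify(verify_code=exc.verify_code)
    except ssl.SSLError as exc:
        return classify(reason=exc.reason)

if __name__ == "__main__":
    import sys
    # Host name is taken from the command line; example.com is a placeholder.
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```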

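The SSL Handshake Failed error message may appear differently depending on the client application you’re using or the server you’re trying to communicate with. For example, in GitHub, it will look something like this:

[Image: SSL handshake failed error message]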

If you’re using Cloudflare, on the other hand, an SSL Handshake Failed will appear as a 525 error that looks something like this:

[Image: SSL handshake failed error in Cloudflare]

Now that you know some of the causes of the SSL Handshake Failed error, let’s look at some solutions.

1. Correct the time and date on the client device.

Let’s start with the easiest fix. If the system time and date are incorrect on your computer or device, then it can cause the SSL Handshake Failed error. That’s because time is essential when it comes to SSL certificates: they have finite lifespans and become invalid past their expiration date.

If you check your system’s time and date and they are correct, move on to the next step.

2. Try another browser.

It’s possible that the browser you’re using is causing the SSL Handshake Failed error. It could be your settings, browser plugins, or another issue. To see if this is the problem, just switch to another browser.

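Let’s say you’re trying to connect to a website using Google Chrome, and it works fine in Safari. In that case, you’ll have to narrow down what the problem is. Go back and reset Google Chrome (or whichever browser you’re using) to its default settings and disable all plugins. Then reconfigure your settings and enable the plugins one by one, testing your ability to connect to the website each time. You should be able to isolate the specific setting or plugin causing the SSL Handshake Failed error.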

If you try another browser and you still see the SSL Handshake Failed error, then move on to the next step.

3. Add website to allowlist.

It’s also possible that your firewall is causing the SSL Handshake Failed error by intercepting your request for inspection. To rule it out as the cause, you can temporarily deactivate your firewall, but that can leave you vulnerable to attack.

Instead, try adding the website to your allowlist. Here’s the process for Google Chrome:

  • On your admin console homepage, go to Devices > Chrome
  • Click Settings > Users & browsers
  • Leave the top organizational unit selected (it’s selected by default). This will apply the setting to all users and enrolled browsers.
  • Scroll to URL Blocking and enter the website you are trying to access under Blocked URL exceptions
  • Click

If you try visiting that site again and you still see the SSL Handshake Failed error, then move on to the next step.

4. Update browser to use the latest SSL protocol.

It’s possible that you’re getting the SSL Handshake Failed error because your device (the client) and server do not support the same SSL version, which is resulting in a protocol mismatch. For example, let’s say your browser only supports TLS 1.1 and your server only supports TLS 1.2 or 1.3 (the latest version). If these two try to establish a secure connection, then it will likely result in an SSL Handshake Failed error.

In that case, you’ll need to update your browser. Most updated versions of major browsers like Google Chrome have TLS 1.2 automatically enabled. However, even if it is updated, it’s important to make sure it’s configured to support the latest TLS version.

Here’s the easiest way to check:

  • Visit SSL Labs
  • Navigate to Projects
  • Click SSL Client Test
  • Under Protocol Support, it will tell you whether your browser supports the latest versions of TLS.

If you verify that your browser and server are using the same protocol, then move on to the next step.

5. Check browser and server support for Cipher Suites.

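Another reason you might get the SSL Handshake Failed error is that the client and server are using different Cipher Suites. Just like a protocol mismatch, a client and server that do not mutually support the same Cipher Suite will not be able to establish a secure connection.

You can compare which Cipher Suites your browser supports with those supported by the server of the website you’re trying to visit by once again visiting SSL Labs: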

  • First, navigate to Projects
  • Click SSL Client Test
  • Scroll down to Protocol Features, where it will list which Cipher Suites your browser supports, in order of preference.
  • Now, open SSL Labs in another tab, and navigate to Projects
  • Click SSL Server Test
  • Type in the domain name you are trying to visit that is resulting in the SSL Handshake Failed error.
  • Scroll down to Configuration, where it will list which Cipher Suites the server supports, in order of preference.

If you verify that your browser and server are using the same Cipher Suite, then move on to the next step.
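Once you have both lists from steps 4 and 5, the comparison can be done mechanically. The following added example (not from the original post) is a simplified model of the negotiation: it picks the highest protocol version both sides support, then the first suite in the server's preference order that the client also offers. The client and server lists are constructed samples, and server-side preference is an assumption of the model.

```python
# TLS 1.3 defines its own suites; they cannot be used with earlier versions.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
}
VERSION_ORDER = ["TLS 1.0", "TLS 1.1", "TLS 1.2", "TLS 1.3"]

def negotiate(client, server):
    """Simplified model: highest shared version, then the first suite in the
    server's preference order that the client also offers for that version."""
    shared = set(client["versions"]) & set(server["versions"])
    if not shared:
        return {"ok": False, "cause": "protocol mismatch"}
    version = max(shared, key=VERSION_ORDER.index)
    is_13 = version == "TLS 1.3"
    offered = {s for s in client["suites"] if (s in TLS13_SUITES) == is_13}
    for suite in server["suites"]:
        if suite in offered:
            return {"ok": True, "version": version, "suite": suite}
    return {"ok": False, "cause": "cipher suite mismatch"}

# Constructed sample lists, in order of preference.
MODERN_SERVER = {
    "versions": ["TLS 1.2", "TLS 1.3"],
    "suites": ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
               "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
               "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
}
OLD_BROWSER = {"versions": ["TLS 1.0", "TLS 1.1"],
               "suites": ["TLS_RSA_WITH_AES_128_CBC_SHA"]}
MODERN_BROWSER = {"versions": ["TLS 1.2", "TLS 1.3"],
                  "suites": ["TLS_AES_128_GCM_SHA256",
                             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]}
TLS12_BROWSER = {"versions": ["TLS 1.2"],
                 "suites": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]}
LEGACY_SUITES_BROWSER = {"versions": ["TLS 1.2"],
                         "suites": ["TLS_RSA_WITH_3DES_EDE_CBC_SHA"]}

if __name__ == "__main__":
    for name, browser in [("old", OLD_BROWSER), ("modern", MODERN_BROWSER),
                          ("tls12", TLS12_BROWSER), ("legacy", LEGACY_SUITES_BROWSER)]:
        print(name, negotiate(browser, MODERN_SERVER))
```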

6. Verify your SSL certificate is accurate and valid.

Any number of issues on an SSL certificate can prevent an SSL handshake from being completed. This may result in an SSL Handshake Failed error or another error message that ultimately means the handshake failed. For example, you might see something like this:

[Image: generic SSL Handshake Failed error in Google Chrome]

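For example, if the SSL certificate has an incorrect host name or is past its expiration date, then the handshake will likely fail. So it’s important to make sure your SSL certificate is installed correctly and renewed when needed.

You can use an online tool like the above-mentioned SSL Server Test or SSL Shopper to test that your SSL configuration is installed, valid, and trusted in just a few minutes.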
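The two certificate problems named here, and the wrong-clock problem from step 1, can be reproduced offline. This added example (not from the original post) checks a certificate in the dictionary format returned by Python's `SSLSocket.getpeercert()` against a host name and a clock value; the sample certificate, host names and clock values are constructed, and the wildcard handling is a simplified rule.

```python
import ssl

def hostname_matches(pattern, host):
    """Match a DNS name; '*' is accepted only as the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_cert(cert, host, now):
    """Return the problems found for `cert` when the client clock reads `now`
    (seconds since the epoch) and the client asked for `host`."""
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(hostname_matches(n, host) for n in names):
        problems.append("hostname mismatch")
    return problems

# Constructed sample in the format returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Apr  1 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "example.test"), ("DNS", "*.example.test")),
}

# Constructed clock values: one inside the validity window, two outside it.
CORRECT_CLOCK = ssl.cert_time_to_seconds("Feb  1 00:00:00 2024 GMT")
CLOCK_RESET_TO_2020 = ssl.cert_time_to_seconds("Feb  1 00:00:00 2020 GMT")
CLOCK_AFTER_EXPIRY = ssl.cert_time_to_seconds("May  1 00:00:00 2024 GMT")

if __name__ == "__main__":
    print(check_cert(SAMPLE_CERT, "www.example.test", CORRECT_CLOCK))
    print(check_cert(SAMPLE_CERT, "www.example.test", CLOCK_RESET_TO_2020))
    print(check_cert(SAMPLE_CERT, "www.example.test", CLOCK_AFTER_EXPIRY))
    print(check_cert(SAMPLE_CERT, "other.test", CORRECT_CLOCK))
```

A certificate that is valid at the correct time is reported as not yet valid when the client clock has been reset to an earlier date, which is why step 1 comes first.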

When a Client and Server Don’t Want to Shake Hands

Since an SSL handshake is an essential step in keeping data transferred over the internet secure, it’s important that users understand what the SSL Handshake Failed error means and how to fix it. By following the steps above, you should be able to resolve the issue and establish a secure connection between your device and the server you’re trying to connect to.


Originally published Oct 18, 2021 7:00:00 AM, updated October 18 2021
