Irrespective of whether you’re an end-user or a site owner, running into SSL errors can be extremely disruptive to the overall browsing experience, and they do very little to boost trust and confidence in a website. But here’s the pickle – the site might be loading correctly for a majority of client browsers indicating an issue with your client, or it could be a server issue causing the error. In this article, we’ll explore the problems that can potentially cause the fault on both sides, but first, let’s get a brief overview of how SSL handshake works.
What is the SSL/TLS Handshake?
Whenever your browser attempts to connect to a website that employs an SSL/TLS certificate for encrypted communication, it does a handshake to agree on the connection parameters that’ll be used during communication.
Let’s do a quick study of the negotiation process:
- After the three-way handshake, the SSL/TLS handshake begins with an exchange of hello messages between the client and the server.
- The hello messages start the protocol negotiation, encryption standards supported by both ends are communicated, and the server shares its certificate.
- The client establishes the validity of the certificate, and once the verification process completes, it generates a pre-master secret based on the public key of the server (obtained from the certificate previously shared). The client key exchange completes once this secret key is encrypted using the server’s public key and shared with the server.
- Next, the symmetric key is calculated independently on both ends, depending on the value of the pre-master key.
- Both the client and the server send a change cipher spec message to indicate that going forward, the data transmission will proceed using symmetric encryption.
Probable Causes of SSL/TLS Handshake Failed Error and How to Fix Them?
TLS handshake might not be the easiest process around, and though there’s a possibility that it might fail and you’d be left with an error, there’s a very good chance to fix that and get going with a secure communication channel. Website visitors can't fix all errors since some arise due to issues on the server that needs to be taken care of by the site owner.
Most of the client-side errors are trivial and can be easily fixed with an update or a small change in settings. Nevertheless, even these minor glitches can interrupt the entire handshake process, so let’s go over what they are and how to resolve them.
Incorrect System Time
Because SSL/TLS certificates come with a specific time duration for which they’re valid if your system date and time settings are not correct, then that could be causing the handshake to fail. Fixing it is fairly simple since all you need to do is set the system time correctly.
Sometimes it’s just your browser acting weird. Solution? Try a different one. Determining the exact plugin that might be misfiring, or the particular misconfiguration that’s causing the connection to a legitimate site to fail, can be a tad bit difficult. Once you’re certain that it is a browser issue and rule the others out, you can simply reset the browser to default settings and disable plugins (do this one at a time to bring out the plugin getting in the way).
A man in the middle attack is said to occur if a hacker intercepts your traffic to steal data. However, a firewall or antivirus that inspects traffic to weed out anything malicious or some configuration on an edge device on the server-side network could as easily be the culprit causing the connection to fail. Depending on where the issue arises, the fix could either be on the client-side or the server-side. If it is on the client-side, never disable your firewall or antivirus instead create an exception for the site or add it to a whitelist.
The majority of the SSL errors involve settings that need to be tweaked on the server or are a result of server-side issues. While most can be fixed with a simple update, some errors are best left alone, especially when it comes to older deprecated protocols supported by the client. Let’s take a look:
This error indicates that the version of TLS being used or supported by the client and the server do not match. The error can occur on either side, but the important thing to remember is always to use and support the latest protocol versions (TLS 1.2, TLS 1.3) as using an older version is never a good idea. For example, if the client browser supports TLS 1.1, and the server uses TLS 1.2, the client needs to upgrade the browser or add support for the latest version.
Cipher Suite Mismatch
Most websites have support for various cipher suites so it can communicate with most clients and can find an encryption standard they can agree upon. However, when this fails to happen, we usually end up with a cipher suite mismatch. As with protocol versions, the idea is to move forward and support the latest versions because they typically offer more security.
Incorrect SSL/TLS Certificate
If your site gets flagged as an insecure connection on a client browser, it could potentially indicate a problem with the SSL certificate, such as an expired certificate, a name mismatch, or a broken chain of trust.
Incorrect Host Name
A hostname mismatch occurs when the common name on the certificate is different from the hostname. Typical fixes involve reissuing the certificate or using a wildcard cert.
Incorrect Certificate Chain
When a browser receives the server certificate, it needs to be able to trace its way back to the root CA in its trust store. If this fails, it could be due to a missing intermediate root certificate. Depending on where you purchase your cert from, the CA bundle should be available on the site or shared with you via email. You can use an SSL checker to verify that you’ve installed your certificate correctly on the web server by entering the IP or the URL.
The maximum validity period for an SSL/TLS certificate is two years (plus three months at most if you’re carrying over from your previous certificate). Failure to renew your certificates on time can lead to this error, and the solution is to get a valid certificate issued and installed on your server.
When it comes to self-signed certificates, while they’re commonly used on internal networks, using them on the public internet will cause browser errors. Clients do not usually have their root CA in their trust store by default, and it needs to be added manually before the browser can trust the certificate.
The security impact of visiting a site with an invalid SSL certificate can be significant because the communication is unencrypted, and an attacker can easily intercept and read all the information. Additionally, it could be indicative of a malicious website that can give you a whole world of headaches. If the site you’re visiting is unable to offer you a safe browsing experience, perhaps you’re better off not visiting it at all. As a site owner, every time a user lands on your page and sees an insecure connection warning or SSL error messages, your brand takes a hit. It is, therefore, practical to invest in a certificate from a trusted CA with access to a support team to help fix any installation issues or errors.