How to Fix “Error Code: ssl_error_handshake_failure_alert” in Browsers?
The SSL handshake error is quite common for a website that has to verify the legitimacy of the user accessing it (sometimes through a hardware cryptographic device or card). The error is shown by all the major browsers (Firefox, Chrome, Edge, etc.) on all the major desktop OS (Windows, Mac, Linux, etc.). Usually, the following type of message is shown:
The SSL handshake error means that the server and the client failed to negotiate a connection using the SSL/TLS protocol. It can be caused by factors on the client side as well as on the server side. The following are the main reported causes of the handshake error:
- Corrupt Browser Data: If the browser’s data (cookies, cache, etc.) are corrupt, then it may fail to properly load the certificate required by the website, leading to the SSL handshake issue.
- Misconfiguration of the Browser’s or Java Security: If the browser or Java security treats a website as risky, then it may refuse to open the website and show an SSL handshake alert.
- Interference from the Security Application of the System: If the antivirus/firewall of the system is blocking a particular packet of the data (treating it as risky), then the browser may fail to load the website and show an SSL handshake alert.
- Improper Installation of the Certificate: Certain websites require their certificates to be installed in a particular location in the OS and if the certificate is not present there but is present in another place, then the website may not respond to the browser, causing the browser to show the SSL handshake failure alert.
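On the wire, this browser error corresponds to the peer sending a fatal TLS alert with description 40 (handshake_failure). The following Python sketch is an added example, not part of the original article: it decodes alert records from bytes copied out of a packet capture so that handshake_failure can be told apart from neighbouring alerts such as protocol_version or unknown_ca. The function name and the sample bytes are constructed for illustration.

```python
import struct

# Alert descriptions relevant to a failed handshake (values from the TLS RFCs).
ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
    70: "protocol_version",
    71: "insufficient_security",
    116: "certificate_required",
}
LEVELS = {1: "warning", 2: "fatal"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
ALERT_RECORD = 21  # TLS record content type used for alerts


def find_alerts(stream: bytes):
    """Walk the TLS records in a captured byte stream and decode alert records."""
    alerts, offset = [], 0
    while offset + 5 <= len(stream):
        ctype, version, length = struct.unpack_from("!BHH", stream, offset)
        body = stream[offset + 5 : offset + 5 + length]
        if len(body) < length:
            break  # truncated capture: stop rather than misparse
        offset += 5 + length
        if ctype != ALERT_RECORD:
            continue
        record_version = VERSIONS.get(version, hex(version))
        if length == 2:  # plaintext alert: one level byte, one description byte
            level, desc = body
            alerts.append({"record_version": record_version,
                           "level": LEVELS.get(level, f"unknown({level})"),
                           "description": ALERTS.get(desc, f"alert({desc})")})
        else:  # sent after encryption started, so the content is unreadable
            alerts.append({"record_version": record_version,
                           "level": "encrypted", "description": "encrypted"})
    return alerts


# Constructed sample: a shortened handshake record followed by the two-byte
# fatal alert (level 2, description 40) a peer sends when it refuses the handshake.
SAMPLE = bytes.fromhex("16030300020100") + bytes.fromhex("15030300020228")

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE):
        print(alert)
```

An alert reported as encrypted was sent after the peers switched to encrypted records, so its description can only be read from the endpoint's own logs.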
Update the Browser to the Latest Build
The browser may show the SSL_error_handshake_failure_alert if it is outdated as it can lead to incompatibility with different websites. Here, updating the browser to the latest version may solve the problem. For elucidation, we will discuss the process for the Google Chrome browser. But before that, if the problematic website requires a cryptographic device or card to identify the user, make sure the proper driver of the device is installed and being used.
- Open the Chrome browser and in the top right corner, click on three vertical ellipses to open the Chrome menu.
- Now select Settings and in the left pane, head to the About Chrome tab.
- Then, in the right pane, make sure Google Chrome is updated to the latest build, and afterward, check if the SSL handshake error is cleared.
- If not and the issue started to occur after a browser update, then check if installing an older version of the browser solves the handshake failure issue.
Delete the Problematic Certificate in the Browser’s Certificate Manager
If the website’s certificate in the browser’s certificate manager is corrupt, then the browser may throw an SSL_error_handshake_failure_alert. In this scenario, a user can solve the problem by deleting the problematic website’s certificate in the browser’s settings. For elucidation, we will discuss the process for the Firefox browser.
- Launch Firefox and click on the hamburger icon (near the top right corner).
- Then, select Settings and in the left pane, head to the Privacy & Security tab.
- Now, scroll down till the Certificates section is shown, and then click on the View Certificates button.
- Afterward, head to the Your Certificates tab and select the problematic website’s certificate.
- Now click on Delete and then confirm to delete the certificate. Afterward, make sure there is no certificate from the problematic website in the Server’s tab and any relevant CA in the Authorities tab.
- Then relaunch the Firefox browser and afterward, check if the SSL handshake error is cleared.
If that did not work, then check if using another network or network type (e.g., if encountering an issue on ethernet, then using Wi-Fi) solves the problem.
Clear the Browser’s Cookies, Cache, and Data
If any of the browser’s cookies, cache, and data are corrupt, then the browser may show an SSL handshake error. In this context, clearing the browser’s cookies, cache, and data may solve the SSL error at hand. For elucidation, we will discuss the process of clearing the cookies, cache, and data of the Chrome browser.
- Launch the Chrome browser and in the top right corner, click on the three vertical ellipses.
- Now hover over More Tools and select Clear Browsing Data.
- Then, in the Advanced tab of the resulting window, click on Sign Out (near the bottom of the window) to keep the data in the Google account.
- Now select the Time Range of All-Time and checkmark all the categories.
- Then click on the Clear Data button and once done, restart the system.
- Upon restart, check if the SSL_error_handshake_failure_alert is cleared.
Try Another Browser
The SSL_error_handshake_failure_alert could be a result of a bug in the browser in use. Here, using another browser may let the user access the problematic website without issue.
- Download and install another browser on the system (if not already present). It will be better to use the OS preferred browser (like Edge for Windows, Safari for Mac, Firefox for Linux, Chrome for Chromebook).
- Now launch the second browser and check if the website can be accessed without triggering the SSL handshake error.
Reset the System’s Internet Options to the Defaults
On a Windows machine, the Internet Options cover many of the basic settings used by the OS and applications to access the Internet. If the Internet Options are misconfigured or their certificate manager is corrupt, then resetting the Internet Options to the defaults may solve the problem.
- Click Windows, search, and open Internet Options.
- Now, head to the Advanced tab and click on Restore Advanced Settings.
- Then, in the section of Reset Internet Explorer Settings, click on Reset and checkmark Delete Personal Settings.
- Now click on Reset and afterward, restart your system.
- Upon restart, check if the browser’s SSL handshake error is cleared.
Add the Website as Trusted in the Browser
If the issue is still there, then adding the website as trusted in the browser may solve the problem. For illustration, we will guide you through the process on the Firefox browser.
Warning:
Advance at your own risk as adding a risky website as trusted in the browser’s settings may expose your data, system, and network to threats.
- Launch the Firefox browser and head to the problematic website.
- Now copy the complete URL of the website from the address bar and enter the following in the address bar:
about:config
- Then click on Accept Risk and Continue.
- Then enter the following in the Search Preference Name box:
tls.insecure_fallback_hosts
- Now click on the Edit icon and enter the URL of the problematic website.
- Then click on the Tick icon and relaunch Firefox.
- Upon relaunch, check if the problematic website can be opened without triggering the SSL error. Keep in mind that you may see a yellow warning popup from Firefox at the top of the website, advising you not to enter confidential information on the website.
Edit the Browser’s Security Settings
The SSL handshake error could be a result of a poor configuration of the problematic website and editing the browser’s security may let a user access the website in question. For elucidation, we will discuss the process for the Firefox browser.
Warning:
Proceed at your own risk as editing the browser’s security settings may expose your system, data, and network to threats.
- Launch Firefox and enter the following in its address bar:
about:config
- Now click on Accept the Risk and Continue.
- Then, enter the following in the Search Preference Name:
tls.enable_0rtt_data
- Now click on the toggle button to set the above-mentioned setting to False and relaunch the Firefox browser to check if the SSL handshake failure issue is resolved.
Reinstall the Burp Suite
If your organization is using the Burp Suite to safely test and analyze its web applications, then a misconfiguration of the Burp Suite may lead to the SSL handshake failure alert. In this case, reinstalling the Burp Suite may solve the problem.
- Back up the JAR file of the previous Burp file and Loader.
- Now, right-click Windows and select Apps & Features.
- Then, expand the Burp Suite and click on Uninstall.
- Now confirm to uninstall the Burp Suite and afterward, restart your system.
- Upon restart, download and install the latest version of the Burp Suite. During the process, make sure the Burp Suite is being installed on the OS drive (e.g., C).
- Now copy the backed-up Burp file and loader to the following location:
C:\Burp_Suite\jre\bin
- Then, click Windows, search for Command Prompt, right-click on its result, and select Run as Administrator.
- Now execute the following (make sure to replace the X with the original values):
C:\Burp_Suite\jre\bin\java.exe -javaagent:BurpSuiteLoader_v.XXX.jar -noverify -jar burpsuite_pro_vXXX.jar
- Then launch a browser (like Firefox) and check if the SSL handshake problem is solved.
Use the Certificate in the Program Files Directory for Gemalto/Thales DIS CMS
If your organization is using a Gemalto (now known as Thales DIS) application/CMS, then using its certificate from Program Files, not from Program Files (x86), may solve the problem, as 64-bit client browsers look for the certificate in the 64-bit Program Files directory. For illustration, we will discuss the process for the Firefox browser.
- Launch the Firefox browser and open its menu.
- Now select Settings and steer to the Privacy & Security tab.
- Then scroll down and click on the Security Devices button (in the Certificates section).
- Now click on Load and in the Module Name, type:
Gemalto PKCS#11 Module
- Then click on Browse and navigate to the following path to select gclib.dll:
C:\Program Files\Gemalto\Classic Client\BIN\gclib.dll
- Now click on Open and afterward, click on OK.
- Then relaunch Firefox and check if the SSL handshake issue is resolved.
Add an Exception for the Website in Java’s Security
If the website requires Java on a client machine but Java considers the website unsafe, then it may lead to the browser’s SSL handshake error. Here, adding an exception for the website in Java’s security may solve the problem.
- Click Windows, type, and open Configure Java.
- Now, head to the Security tab and click on Edit Site List.
- Then click on Add and enter the URL of the problematic website.
- Now click on OK and afterward, restart your system.
- Upon restart, check if the SSL error is cleared.
Disable or Uninstall the Antivirus/Firewall of the System
A browser may show the SSL handshake failure alert if the antivirus of the system is changing the website data in a way that the browser does not consider safe. In such a case, disabling the antivirus/firewall of your system may clear the SSL handshake error. Kaspersky is reported to cause the issue under discussion.
Warning:
Advance at your own risk as disabling or uninstalling the antivirus or firewall of a system may expose your data, system, and network to threats.
Disable the Antivirus/Firewall of the System
- Right-click on the security product (e.g., ESET) in the system’s tray (you may have to show hidden icons) and select Pause Protection.
- Now confirm to disable the security application and again, right-click on the security product in the system tray.
- Now select Pause Firewall and if asked to, confirm to disable the ESET Firewall.
- Then check if the browser can access the website in question without initiating the SSL handshake error.
Uninstall the 3rd Party Antivirus/Firewall
If disabling the antivirus/firewall did not work, then uninstalling the antivirus/firewall may solve the problem.
- Right-click Windows and select Apps & Features.
- Now expand the security application (like ESET) and click on Uninstall.
- Then confirm to uninstall the security application and afterward, reboot your system.
- Upon reboot, check if the SSL handshake error is cleared.
If your organization is using a hardware firewall console, then make sure the cable connecting the hardware firewall to the system is the one recommended by the firewall OEM, as an incompatible cable may trigger the SSL handshake failure alert in a browser.
Re-Add the Problematic Certificate
If the problematic website requires a certificate installed on the system (either provided through the email or downloaded from an online resource) and the certificate is not properly installed on the system, then reinstalling the certificate on the system may solve the problem. Firstly, make sure to download or export the problematic certificate.
- Right-click Windows and select Run.
- Now execute the following:
certmgr.msc
- Then head to the Personal >> Certificates tab and check if the problematic certificate is present there. If the certificate issuer requires a certificate in another tab, then make sure the certificate is present in the relevant tab.
- If the certificate is present in the relevant tab, double-click on it and check its properties/validity.
- If everything is fine, then click on Windows, search, and open Internet Options.
- Now steer to the Content tab in Internet Options and click on Certificates.
- Then check if the certificate from the problematic website is shown in the relevant tab (usually, Personal).
- Now double-click on the certificate and check its properties/validity.
- Then make sure the certificate has a valid public key associated with it. You may find it in the Details tab of the certificate properties.
- Now head to the Advanced tab on Internet Options and make sure to enable the TLS entries and uncheck the SSL boxes.
- Then apply your changes and restart the browser to check if the handshake failure error is cleared.
If the certificate is not shown in the proper tab of the Certificate Manager or cannot be reinstalled, you may refer to the official Microsoft page that explains the process in detail.
Import the Certificate to Firefox
If you are encountering the issue with the Firefox browser, then keep in mind that Firefox does not use many of the certificates in the OS certificate manager and the user may have to import the certificate into Firefox.
- Launch the Firefox browser and open its menu.
- Now select Settings and click on the Privacy & Security tab (in the left pane).
- Then scroll down and click on View Certificates.
- Now, in the Your Certificates tab (or the one recommended by the issuer), click on Import and Browse to the certificate.
- Then select the certificate and apply your changes.
- Now relaunch Firefox and check if the SSL handshake issue is resolved.
If the issue is still there, then you may contact the problematic website to check if their security settings are properly working. If your organization’s infrastructure is using older hardware, then you may use an older OS (like XP) in a VM to access the problematic devices.
Guidelines for Server-Related Issues
As it is practically impossible to cover the server-related causes (different machines, different devices, different applications, etc.) leading to the handshake error at hand, here are some guidelines reported by users to clear out the handshake error:
- Check if deleting the following in the server configuration solves the problem:
SSLVerifyClient require
SSLVerifyDepth 10
- If using Apache, then set the SSLCACertificatePath to ~~~~~~/ca/certs/ca.cert.pem and change SSLVerifyDepth 1 to SSLVerifyDepth 10. Then, change the client certificates to PEM (from PFX). Afterward, check if the SSL issue is resolved.
- Check if regenerating the certificate with UTF8Strings (not with PrintableStrings) solves the handshake issue.
- If your organization is using SAP Cloud Connector, then exit the Cloud Connection, open the props.ini file, add the following line in the #jvm section and check if that resolves the SSL problem:
-Djdk.tls.server.protocols=TLSv1.2
- Check if configuring the server to use the two-way TLS clears out the handshake error.