TLS / HTTPS · Check
TLS handshake failed — diagnosing why clients can't establish a session
When the TLS handshake fails, browsers and API clients can't reach your site, or they get pushed through warnings users learn to click past. The cause is usually a chain mismatch, a missing intermediate cert, an SNI/hostname mismatch, or port 443 not actually answering with TLS.
Real-world risk
Clients cannot establish a trusted encrypted session, so the site may be unreachable or users bypass security warnings.
Fix steps (in order)
- Fix the certificate chain (intermediate certs), hostname/SAN match, and that port 443 listens with TLS.
- Confirm the clock on the server is correct and the cert is not revoked or mis-issued.
- Test with: openssl s_client -connect host:443 -servername host
Topic explainer
TLS versions explained: 1.0, 1.1, 1.2, 1.3 and what to disable →
What's actually different between TLS 1.0, 1.1, 1.2, and 1.3 — cipher suites, forward secrecy, performance — and which versions to disable for compliance and security.
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (tls_handshake_failed) clears once the externally-observable signal is in place.