Server sent fatal alert: handshake_failure

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://www.hifives.in

I ran this command: https://www.ssllabs.com/ssltest/analyze.html?d=www.hifives.in

It produced this output:
| Client | Result |
|---|---|
| Android 5.0.0 | Server sent fatal alert: handshake_failure |
| Android 6.0 | Server sent fatal alert: handshake_failure |
| IE 11 / Win Phone 8.1 R | Server sent fatal alert: handshake_failure |

My web server is (include version): Nginx

The operating system my web server runs on is (include version): CentOS

My hosting provider, if applicable, is: Amazon Web Services

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No. Only using SSH/ SFTP

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): NA

Hi,

What’s the issue with your error message?
The “handshake failure” generally means there’s not a match between your server configuration for ciphers or protocols and the clients. You can choose to compromise and adjust your site configuration or lose this compatibility.

Due to these errors (especially Android 6), the page is being blocked by Googlebot. Please see the way the homepage is being read by Google:

https://search.google.com/structured-data/testing-tool/u/0/#url=https%3A%2F%2Fwww.hifives.in

https://developers.google.com/speed/pagespeed/insights/?url=www.hifives.in

I’m not sure I understand the logic used in choosing these three ciphers:

I would try more, like:


[you can exclude the 128 bit ciphers if you are ready dead set on using 256 only]


That would exclude Android 5 and 6 again, as they only have 128 bit ciphers with forward secrecy (which is obviously something you’d want). Or you’d need to include the “old” Chacha20 ciphers. Not sure if that’s wise though?

In any case, the handshake failure is indeed a mismatch between server ciphers and client ciphers.

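The mismatch described in the reply above, as an added example that is not part of the original thread: it expands an OpenSSL cipher string (the syntax nginx's `ssl_ciphers` takes) and intersects it with a client's offer. The cipher strings and the client offer are constructed for illustration, assume an RSA certificate, and are not the site's actual configuration.

```python
import ssl

# Constructed sample (not a captured ClientHello): a TLS 1.2 client whose only
# forward-secret suites are 128-bit AES-GCM, as the reply describes for
# Android 5 and 6. Names use OpenSSL notation.
CLIENT_128_ONLY = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
]

# Hypothetical server cipher strings, RSA certificate assumed.
SERVER_256_ONLY = "ECDHE-RSA-AES256-GCM-SHA384"
SERVER_WITH_128 = SERVER_256_ONLY + ":ECDHE-RSA-AES128-GCM-SHA256"


def expand(cipher_string):
    """Expand an OpenSSL cipher string into suite names, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def shared_suites(cipher_string, client_offer):
    """Suites both sides support, kept in the server's preference order."""
    offered = set(client_offer)
    return [name for name in expand(cipher_string) if name in offered]


def handshake_outcome(cipher_string, client_offer):
    """Suite a server-preference negotiation would pick, or the fatal alert.

    Only cipher overlap is modelled; protocol versions, curves and
    signature algorithms are not.
    """
    shared = shared_suites(cipher_string, client_offer)
    return shared[0] if shared else "handshake_failure"


if __name__ == "__main__":
    for label, cfg in (("256-bit only", SERVER_256_ONLY),
                       ("with 128-bit", SERVER_WITH_128)):
        print(label, "->", handshake_outcome(cfg, CLIENT_128_ONLY))
```
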

Strangely enough Google Smartphone Bot is using an older version of Android while crawling, so it is getting blocked while crawling.

This is what Googlebot (Smartphone) is using:

Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/W.X.Y.Z‡ Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)