Introduction

A TLS version mismatch between a proxy and its origin breaks the internal secure hop even while the public site still looks correctly configured from the outside. Users then see 502, 525, handshake, or upstream errors because the proxy and origin cannot agree on a protocol version. The fix is to inspect that internal TLS relationship directly instead of focusing only on browser-facing certificates.

Symptoms

  • A proxy, CDN, or load balancer reports handshake failures to the origin
  • Users see intermittent SSL, 502, or origin connectivity errors
  • Public certificate checks pass, but upstream traffic still fails
  • The issue started after hardening TLS settings or upgrading a proxy or web server
  • One environment works while another with the same app code does not

Common Causes

  • The proxy requires a newer TLS version than the origin supports
  • The origin listener was hardened to disable versions the proxy still uses
  • Different backend nodes expose different protocol support during rolling deploys
  • Legacy origin services or old OpenSSL builds cannot negotiate modern settings
  • Proxy configuration changed independently from origin TLS policy

Step-by-Step Fix

  1. Confirm which component terminates client TLS and which component negotiates the proxy-to-origin TLS hop.
  2. Review the supported TLS versions on both sides of the internal connection rather than assuming browser compatibility is enough.
  3. Check whether recent hardening changes disabled a protocol version still required by the proxy or load balancer.
  4. Compare backend nodes or origin pools to see whether only part of the fleet exposes the mismatch.
  5. Inspect proxy and origin logs for exact handshake negotiation failures, not just generic upstream errors.
  6. Align protocol support to the strongest mutually supported version your infrastructure can reliably serve.
  7. Reload the proxy and origin after correcting TLS policy so stale listeners do not continue presenting old settings.
  8. Retest from the proxy layer and through the public site to confirm the internal handshake now completes consistently.
  9. Keep internal TLS requirements documented separately from browser-facing TLS policy so later hardening does not break the origin hop.
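Steps 2, 4, 5 and 6 above amount to one check, shown here as an added example that is not part of the original article: negotiate() and audit_fleet() model which version each proxy-to-origin hop would settle on from the configured min/max ranges and whether one version can be aligned fleet-wide, and probe_origin() performs the live per-version handshake from the proxy host. The node names and version ranges in DEMO_PROXY and DEMO_ORIGINS are constructed.

```python
import socket
import ssl
from ssl import TLSVersion

# Versions the ssl module can pin, weakest to strongest (TLSVersion is an IntEnum).
VERSIONS = [TLSVersion.TLSv1, TLSVersion.TLSv1_1, TLSVersion.TLSv1_2, TLSVersion.TLSv1_3]

# Constructed scenario: proxy hardened to TLS 1.2+, one origin node on an old
# build that tops out at TLS 1.1 (a fleet caught mid rolling deploy).
DEMO_PROXY = (TLSVersion.TLSv1_2, TLSVersion.TLSv1_3)
DEMO_ORIGINS = {"origin-a": (TLSVersion.TLSv1_2, TLSVersion.TLSv1_3),
                "origin-b": (TLSVersion.TLSv1, TLSVersion.TLSv1_1)}


def negotiate(client, server):
    """Highest version inside both (min, max) ranges, or None if they never overlap."""
    lo, hi = max(client[0], server[0]), min(client[1], server[1])
    return hi if lo <= hi else None


def audit_fleet(proxy, origins):
    """Per-node result, nodes that cannot handshake at all, and the strongest single
    version the proxy and every node share (None if no such version exists)."""
    per_node = {name: negotiate(proxy, rng) for name, rng in origins.items()}
    lo = max([proxy[0]] + [rng[0] for rng in origins.values()])
    hi = min([proxy[1]] + [rng[1] for rng in origins.values()])
    return {"per_node": per_node,
            "broken_nodes": sorted(n for n, v in per_node.items() if v is None),
            "align_to": hi if lo <= hi else None}


def probe_origin(host, port=443, timeout=5.0, cafile=None):
    """Live check from the proxy host: one handshake per pinned version, returning
    the versions the origin accepts. A certificate error still counts as supported,
    because verification runs only after the version has been negotiated; any other
    SSL or socket error counts as rejected. Use cafile for a private-CA origin
    rather than disabling verification."""
    supported = set()
    for v in VERSIONS:
        try:
            ctx = ssl.create_default_context(cafile=cafile)
            ctx.minimum_version = ctx.maximum_version = v
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    supported.add(v)
        except ssl.SSLCertVerificationError:
            supported.add(v)
        except (ssl.SSLError, OSError, ValueError):
            pass  # refused by the origin, disabled in local OpenSSL, or unreachable
    return supported
```

Run audit_fleet(DEMO_PROXY, DEMO_ORIGINS) to see origin-b reported as broken with no fleet-wide version to align to; probe_origin(host) against each backend node from the proxy host gives the real ranges to feed in.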