TLS Handshake Failure When Accessing API Gateway Endpoint


Issue Summary: I am experiencing a TLS handshake failure when attempting to access my API Gateway endpoint. The error occurs during the TLS handshake phase, specifically returning a "LibreSSL SSL_connect: SSL_ERROR_SYSCALL" error message. This issue is preventing clients from successfully connecting to the API.

I can't find out what causes this. The API endpoint (Lambda) could work 100 times, but then suddenly stop working for a few minutes.

It happens locally and also in production (it works most of the time but suddenly stops working, then after a few seconds works again).

Services Used:

1. REST API + AWS SSL cert

2. AWS Lambda

3. Amazon RDS (though the issue seems to occur before reaching the Lambda function or the database)

4. RDS and Lambda are in a VPC

Error Encountered: When using curl to make a request to my API Gateway endpoint (https://api.exmple.com/call), I receive the following output, indicating a failure during the TLS handshake:

  • Trying 55.444.33.444:443...
  • Connected to api.exmple.com (55.444.33.444) port 443 (#0)
  • ALPN: offers h2,http/1.1
  • (304) (OUT), TLS handshake, Client hello (1):
  • CAfile: /etc/ssl/cert.pem
  • CApath: none
  • LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to api.exmple.com:443
  • Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to api.exmple.com:443

[ When it works, it looks like this: ]

  • Connected to api.exmple.com (54.155.198.118) port 443
  • ALPN: curl offers h2,http/1.1
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • TLSv1.3 (IN), TLS handshake, Server hello (2):
  • TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
  • TLSv1.3 (IN), TLS handshake, Certificate (11):
  • TLSv1.3 (IN), TLS handshake, CERT verify (15):
  • TLSv1.3 (IN), TLS handshake, Finished (20):
  • TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
  • TLSv1.3 (OUT), TLS handshake, Finished (20):
  • SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256

In my case it failed right after the TLS handshake.

Troubleshooting Steps Taken:

1. Verified that the API Gateway is deployed and accessible via other methods (e.g., web browser, Postman) to rule out API configuration issues.

2. Checked the API Gateway custom domain name configuration and ensured that the associated SSL/TLS certificate is valid and up to date.

3. Created a new SSL cert, deleted the API Gateway, and deployed it again.

4. Changed the minimum TLS version in API Gateway to TLS 1.0 (instead of 1.2).

5. Attempted to access the API from different environments and using different versions of curl to rule out client-specific issues.

6. Tried downgrading the Node version in the Lambda function from 20 to 18.

7. Moved my domain from Cloudflare back to Route 53.

Nothing helped.

Thanks in advance!
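
As an added example (not part of the original post, and not AWS code): a small Python parser that takes concatenated `curl -v` traces like the two above and reports, per server IP, how far each handshake got. The host name, IPs and trace lines in `SAMPLE` are constructed, and the outcome labels are this example's own.

```python
import re
from collections import Counter

CONNECTED = re.compile(r"Connected to \S+ \(([^)]+)\) port \d+")
HANDSHAKE = re.compile(r"\((IN|OUT)\), TLS handshake, (.+?) \(\d+\):")
ESTABLISHED = re.compile(r"SSL connection using \S+ / \S+")
CURL_ERROR = re.compile(r"curl: \(\d+\) (.+)")

def parse_attempts(trace):
    """Split concatenated `curl -v` output into one record per connection."""
    attempts, cur = [], None
    for raw in trace.splitlines():
        line = raw.lstrip(" \t*•")  # curl prefixes info lines with '*'
        if m := CONNECTED.search(line):
            cur = {"ip": m.group(1), "out": [], "in": [], "ok": False, "error": None}
            attempts.append(cur)
        elif cur is not None:
            if m := HANDSHAKE.search(line):
                cur[m.group(1).lower()].append(m.group(2))
            elif ESTABLISHED.search(line):
                cur["ok"] = True
            elif m := CURL_ERROR.search(line):
                cur["error"] = m.group(1)
    return attempts

def classify(a):
    """Name the phase an attempt reached (labels are this example's own)."""
    if a["ok"]:
        return "established"
    if a["error"] and "Client hello" in a["out"] and not a["in"]:
        return "dropped after ClientHello"  # no handshake record came back
    if a["error"] and a["in"]:
        return "failed after " + a["in"][-1]
    return "incomplete trace"

def summarize(trace):
    """Count outcomes per server IP, to see whether failures follow one address."""
    return Counter((a["ip"], classify(a)) for a in parse_attempts(trace))

# Constructed sample: documentation-range IPs and a placeholder host name.
SAMPLE = """\
* Connected to api.example.test (192.0.2.10) port 443 (#0)
* (304) (OUT), TLS handshake, Client hello (1):
* Closing connection 0 curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to api.example.test:443
* Connected to api.example.test (198.51.100.7) port 443
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
"""

if __name__ == "__main__":
    for (ip, outcome), n in sorted(summarize(SAMPLE).items()):
        print(f"{ip:15} {outcome:28} x{n}")
```

An attempt classified as "dropped after ClientHello" ended before any server handshake record arrived, so certificate verification was never reached in that attempt.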


2 Answers

I don't think it's possible to troubleshoot this on this forum - that it is an intermittent issue makes it even harder. If I had to guess it is either a packet loss issue between the client and API Gateway (and that could be a lot of different things depending on the network path); or it is a service-side issue with API Gateway.

Either way the only way to be sure is to raise a support request with the team so that they can help troubleshoot this with you. The support team can look at API Gateway and determine if it is operating correctly when the requests are failing and that can help pinpoint where the issue might be.

AWS
EXPERT
answered 2 months ago
  • Thank you for your response. I just thought that maybe someone could direct me where or which things I should check. Sometimes someone else has experienced the same problem.


To answer your question, we require further details that are non-public information and may need to follow with the exact results of some of the mitigation steps that you took. For this reason, please open a support case with AWS using the following link:

https://console.aws.amazon.com/support/home#/case/create

AWS
Keith_C
answered 2 months ago
  • I already opened a support case. Case ID 170783860301010. Thanks.
