The decode_error alert (TLS alert code 50) is sent when a TLS message cannot be properly decoded. This means the binary structure of a message does not match the expected format: a length field might extend beyond the message boundary, a field might contain a value outside its valid range, or a message might be truncated. Unlike illegal_parameter (which is about semantically invalid values), decode_error is about structural/syntactic problems in the message encoding. This often indicates network corruption, middlebox interference, or a seriously buggy TLS implementation on the other side.
Data was corrupted in transit, causing TLS record boundaries or message structures to become invalid. While TCP checksums catch most corruption, subtle corruption can still occur, especially with faulty network hardware or aggressive NAT/firewall devices.
Network devices that perform deep packet inspection or traffic shaping may inadvertently truncate or modify TLS records, breaking their structure. This is particularly common with older firewalls that do not fully understand TLS 1.3.
The peer's TLS library has a bug that generates messages with incorrect length fields or out-of-bounds values. This is more likely with embedded or custom TLS implementations.
Try the connection from a different network to rule out middlebox interference or network-level corruption. If the error only occurs on one network, a network device is likely the cause.
Use tcpdump or Wireshark to capture the TLS handshake and examine the raw messages for structural issues. Look for truncated records or malformed length fields.
sudo tcpdump -i any -c 50 -w tls-capture.pcap 'host yourdomain.com and port 443'
Test with curl, wget, or openssl s_client to determine if the error is specific to one TLS implementation. If multiple clients fail, the problem is on the server side or the network.
curl -v https://yourdomain.com/ 2>&1 | tail -20
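The structural checks described above (truncated records, length fields that run past the data) can be scripted once one direction of the TCP stream has been exported from the capture as raw bytes. The following is an added example, not code from the original page or from any TLS library; the function names and sample byte strings are constructed for illustration. It assumes the capture is complete, so a handshake message that overruns the available data is reported as a fault.

```python
import struct

MAX_RECORD_LEN = 2**14 + 256  # largest ciphertext record, RFC 8446 section 5.2
KNOWN_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, application_data

def check_stream(stream: bytes) -> list:
    """Report structural faults in one direction of a reassembled TLS byte stream."""
    findings, handshake, off, encrypted = [], bytearray(), 0, False
    while off < len(stream):
        if len(stream) - off < 5:
            findings.append(f"record@{off}: truncated header")
            break
        ctype, _version, length = struct.unpack_from("!BHH", stream, off)
        if ctype not in KNOWN_TYPES:
            findings.append(f"record@{off}: unknown content type {ctype}")
            break
        if length > MAX_RECORD_LEN:
            findings.append(f"record@{off}: length {length} over limit")
            break
        body = stream[off + 5 : off + 5 + length]
        if len(body) < length:
            findings.append(f"record@{off}: claims {length} bytes, {len(body)} present")
            break
        if ctype == 20:
            encrypted = True  # later handshake records are treated as ciphertext
        elif ctype == 22 and not encrypted:
            handshake += body  # messages may span records, so parse them joined
        off += 5 + length
    return findings + check_handshake(bytes(handshake))

def check_handshake(data: bytes) -> list:
    """Walk the 1-byte type / 3-byte length framing of plaintext handshake messages."""
    findings, off = [], 0
    while off < len(data):
        if len(data) - off < 4:
            findings.append(f"handshake@{off}: truncated header")
            break
        mlen = int.from_bytes(data[off + 1 : off + 4], "big")
        if off + 4 + mlen > len(data):
            findings.append(f"handshake@{off}: type {data[off]} claims {mlen} bytes, {len(data) - off - 4} present")
            break
        off += 4 + mlen
    return findings

# Constructed samples (framing only, not a real ClientHello): good, then a bad length field.
GOOD = bytes.fromhex("16030100080100000403030000")
BAD_LEN = bytes.fromhex("16030100080100001003030000")
for name, sample in (("good", GOOD), ("truncated", GOOD[:-3]), ("bad length", BAD_LEN)):
    print(name, check_stream(sample))
```

An empty result means the record and handshake framing is consistent; it says nothing about the values inside the messages.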
A field in a TLS handshake message contained an out-of-range or inconsistent value.
The TLS handshake could not be completed because the client and server failed to negotiate acceptable security parameters.
The browser could not establish a secure connection because the SSL/TLS protocol negotiation failed.