The illegal_parameter alert (TLS alert code 47) is sent when a TLS handshake message contains a field with a value that is out of range, inconsistent with other fields, or otherwise invalid according to the TLS specification. This is a protocol-level error that indicates the handshake data itself is malformed, not just that negotiation failed. Common triggers include invalid elliptic curve parameters, malformed key exchange values, inconsistent length fields, or unsupported named groups in the key exchange. This alert often points to bugs in TLS implementations, corrupt network data, or middleboxes modifying TLS messages.
Network devices (firewalls, load balancers, DPI appliances) sometimes modify TLS handshake messages, corrupting parameter values. The receiving side detects the inconsistency and sends illegal_parameter.
A software bug in the server or client's TLS library is generating malformed handshake messages. This is more common with custom or embedded TLS stacks than with well-tested libraries like OpenSSL or BoringSSL.
The client or server sent TLS extensions with invalid or conflicting parameter values. For example, specifying a key share for a named group that was not listed in the supported_groups extension.
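The key_share and supported_groups mismatch described above can be checked offline. The following is an added example, not code from the original page: a Python parser that walks a ClientHello body (record and handshake headers already stripped) and reports key_share groups that are missing from supported_groups. The function names and the sample message builder are assumptions made for this illustration.

```python
import struct

SUPPORTED_GROUPS, KEY_SHARE = 10, 51  # extension type codes from RFC 8446

def _take(buf, off, n):
    """Return n bytes at off, refusing to read past the end of the buffer."""
    if off + n > len(buf):
        raise ValueError("length field exceeds message size")
    return buf[off:off + n], off + n

def _vec(buf, off, width):  # length-prefixed vector; the prefix is `width` bytes
    raw, off = _take(buf, off, width)
    return _take(buf, off, int.from_bytes(raw, "big"))

def client_extensions(hello):
    """Map extension type -> extension data for a ClientHello body."""
    _, off = _take(hello, 0, 2 + 32)   # legacy_version + random
    _, off = _vec(hello, off, 1)       # legacy_session_id
    _, off = _vec(hello, off, 2)       # cipher_suites
    _, off = _vec(hello, off, 1)       # legacy_compression_methods
    ext, _ = _vec(hello, off, 2)       # extensions block
    out, off = {}, 0
    while off < len(ext):
        raw, off = _take(ext, off, 2)
        data, off = _vec(ext, off, 2)
        out[int.from_bytes(raw, "big")] = data
    return out

def key_share_violations(hello):
    """Return key_share groups that are not listed in supported_groups."""
    exts = client_extensions(hello)
    body, _ = _vec(exts.get(SUPPORTED_GROUPS, b"\x00\x00"), 0, 2)
    offered = {int.from_bytes(body[i:i + 2], "big") for i in range(0, len(body), 2)}
    shares, _ = _vec(exts.get(KEY_SHARE, b"\x00\x00"), 0, 2)
    bad, off = [], 0
    while off < len(shares):
        raw, off = _take(shares, off, 2)   # NamedGroup of this KeyShareEntry
        _, off = _vec(shares, off, 2)      # skip the key_exchange bytes
        if int.from_bytes(raw, "big") not in offered:
            bad.append(int.from_bytes(raw, "big"))
    return bad

def sample_hello(groups, share_groups):
    """Constructed ClientHello body (demo input); key_exchange bytes are zero filler."""
    vec2 = lambda data: struct.pack("!H", len(data)) + data
    sg = vec2(b"".join(struct.pack("!H", g) for g in groups))
    ks = vec2(b"".join(struct.pack("!H", g) + vec2(bytes(32)) for g in share_groups))
    exts = struct.pack("!H", SUPPORTED_GROUPS) + vec2(sg) + struct.pack("!H", KEY_SHARE) + vec2(ks)
    return b"\x03\x03" + bytes(32) + b"\x00" + vec2(b"\x13\x01") + b"\x01\x00" + vec2(exts)
```

A non-empty result from key_share_violations means the message breaks the RFC 8446 rule that every key share must belong to an offered group; a ValueError means a length field points past the end of the message.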
Run openssl s_client with the -debug and -state options to dump the raw handshake messages and the handshake state transitions, then identify which specific parameter caused the alert.
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -debug -state 2>&1 | head -80
Try the connection from a different network to rule out middlebox interference. If the error only occurs on one network, a network device is likely modifying TLS traffic.
Ensure both client and server are running recent versions of their TLS libraries (OpenSSL, BoringSSL, LibreSSL, etc.). Older versions may generate parameters that newer implementations reject.
openssl version
The TLS handshake could not be completed because the client and server failed to negotiate acceptable security parameters.
A TLS message could not be decoded because a field was out of range or the message length was incorrect.
The browser could not establish a secure connection because the SSL/TLS protocol negotiation failed.