If I set the SSL certificates with the device already connected in normal mode, it is fine. 

However, if I set the SSL certificates with no device connected, and then add the device, the first SSL handshake always fails. 


It is as designed. The first SSL handshake should fail when the server is on for it before connection. 

Here's the process of SSL communication when you turn it on from the server first and then connect the device.

1. The server(BioStar 2) tries communication with SSL encryption.

2. The device answers with default key, not SSL encrypted. Thus, handshake fails.

3. The server now tries with default key as a second try, since SSL handshake failed.

4. The server decrypted with default key and then sends SSL key using default key.

Finally, they can communicate with SSL key, not default key. 

On the other hand, the first handshake should succeed when the device is connected with default key already. 

Because the server will send the SSL key right away with default key on the first try.