Via our nginx config, we've been supporting TLSv1 with the following ciphers: AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5 On Thu Jan 15 2015 at 9:00:36 AM Eric R. <erafaloff at gmail.com> wrote: > Thanks Matt. Would you have any guess as to why this is happening so > frequently all of a sudden and disrupting traffic? It seems strange that > it's so intermittent and only some users have the problem repeat for them. > > On Thu Jan 15 2015 at 6:30:56 AM Matt Caswell <matt at openssl.org> wrote: > >> >> >> On 15/01/15 05:03, Eric R. wrote: >> > For the past week I've been noticing many entries like this in our nginx >> > error logs: >> > >> > SSL_do_handshake() failed (SSL: error:1408A0D7:SSL >> > routines:SSL3_GET_CLIENT_HELLO:required cipher missing) while SSL >> > handshaking >> > >> > What does the error "required cipher missing" mean exactly? Some of our >> > users reported that their browser gave them an SSL connection error and >> > then it went away. Others can no longer connect to our site at all. I've >> > had a look at the OpenSSL source code and I think the error is related >> > to checking that the server still supports the last cipher a session >> > used. Is this correct? The only change I can think of that may affect >> > our list of available ciphers was an update to the latest version of >> > OpenSSL that CentOS 5 provided back in November. That was two months ago >> > though, and other than that I can't think of what could be causing this. >> >> It means that an attempt is being made to resume a session, however the >> list of ciphers that the client is sending in the ClientHello does not >> include the cipher that was negotiated in the original session. >> >> Matt >> >> _______________________________________________ >> openssl-users mailing list >> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150115/305ed750/attachment.html>
