[openssl-users] SSL3_GET_CLIENT_HELLO:required cipher missing

Eric R. erafaloff at gmail.com
Thu Jan 15 14:01:45 UTC 2015


Via our nginx config, we've been supporting TLSv1 with the following
ciphers: AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5
On Thu Jan 15 2015 at 9:00:36 AM Eric R. <erafaloff at gmail.com> wrote:

> Thanks Matt. Would you have any guess as to why this is happening so
> frequently all of a sudden and disrupting traffic? It seems strange that
> it's so intermittent and only some users have the problem repeat for them.
>
> On Thu Jan 15 2015 at 6:30:56 AM Matt Caswell <matt at openssl.org> wrote:
>
>>
>>
>> On 15/01/15 05:03, Eric R. wrote:
>> > For the past week I've been noticing many entries like this in our nginx
>> > error logs:
>> >
>> > SSL_do_handshake() failed (SSL: error:1408A0D7:SSL
>> > routines:SSL3_GET_CLIENT_HELLO:required cipher missing) while SSL
>> > handshaking
>> >
>> > What does the error "required cipher missing" mean exactly? Some of our
>> > users reported that their browser gave them an SSL connection error and
>> > then it went away. Others can no longer connect to our site at all. I've
>> > had a look at the OpenSSL source code and I think the error is related
>> > to checking that the server still supports the last cipher a session
>> > used. Is this correct? The only change I can think of that may affect
>> > our list of available ciphers was an update to the latest version of
>> > OpenSSL that CentOS 5 provided back in November. That was two months ago
>> > though, and other than that I can't think of what could be causing this.
>>
>> It means that an attempt is being made to resume a session, however the
>> list of ciphers that the client is sending in the ClientHello does not
>> include the cipher that was negotiated in the original session.
>>
>> Matt
>>
>> _______________________________________________
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150115/305ed750/attachment.html>


More information about the openssl-users mailing list