Negotiated cipher per proto (matching cipher in list missing). No further cipher order check has been done as order is determined by the client

Michael Wojcik Michael.Wojcik at
Wed Mar 11 17:20:42 UTC 2020

(Please send messages to the list, not to me directly.)

In TLS, the client and server negotiate the cipher suite to use. The server makes the final decision. It can pick the client's most-preferred suite from among the ones they share, or it can pick the one it prefers. The current consensus seems to be that the best practice is to pick the suite the server most prefers. You can consult other references such as Ivan Ristic's /Bulletproof SSL and TLS/ book if you want more details.

Having the server pick the suite it prefers is known as enforcing the server's cipher-suite order.

The test you ran is complaining that the server does not enforce its cipher-suite order.

I explained how to do that in OpenSSL. How to do it in nginx is a question for the nginx project, not an OpenSSL problem.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list