No shared cipher

_gg_ nginx-forum at
Wed May 9 06:10:04 UTC 2018

Not sure if it's not more of an openssl/TLS 'issue'/question... 
For some time I've been observing 

SSL_do_handshake() failed (SSL: error:1408A0C1:SSL
routines:ssl3_get_client_hello:no shared cipher) while SSL handshaking 

in error.log while having 

ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2; 
ssl_ciphers ALL:!aNULL; 

in configuration. 

Examining Client Hello packet reveals client supported ciphers: 
Cipher Suites (9 suites) 
Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8) 
Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc13) 
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) 
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) 
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) 
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c) 
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035) 
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) 
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a) 

I'm running
nginx version: nginx/1.12.1 
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC) 
built with OpenSSL 1.0.2k-fips 26 Jan 2017 
TLS SNI support enabled 

According to 'openssl ciphers' the third cipher on the list is supported and
yet server responds with: 
TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure) 
Content Type: Alert (21) 
Version: TLS 1.2 (0x0303) 
Length: 2 
Alert Message 
Level: Fatal (2) 
Description: Handshake Failure (40) 

Either I've messed up my investigation or I'm completely misunderstanding
something here. 
Why despite having a common cipher with a client server denies to handshake
a connection?

Posted at Nginx Forum:,279727,279727#msg-279727

More information about the nginx mailing list