Why do I get a client SSL/TLS negotiation error when I try to connect to my load balancer?
Last updated: 2020-01-31
I receive a Secure Sockets Layer (SSL)/Transport Layer Security (TLS) negotiation error when I try to connect to my load balancer. Why am I getting this error?
A client TLS negotiation error refers to a TLS connection initiated by the client that was unable to establish a session with the load balancer. TLS negotiation errors occur when clients try to connect to a load balancer using a protocol or cipher that the load balancer's security policy doesn't support. To establish a TLS connection, be sure that your client supports:
- One or more matching ciphers
- A protocol specified in the security policy
Identify your load balancer's security policy
From the AWS Management Console:
1. Open the Amazon Elastic Compute Cloud (Amazon EC2) console.
2. On the navigation pane, under LOAD BALANCING, choose Load Balancers.
3. Select the load balancer, and then choose Listeners.
4. View the security policy.
For Application Load Balancers and Network Load Balancers, find the security policy in the Security policy column.
For Classic Load Balancers, choose Change in the Cipher column to view the security policy.
From the AWS Command Line Interface (AWS CLI):
- For Application Load Balancers and Network Load Balancers, run the describe-listeners command
- For Classic Load Balancers, run the describe-load-balancers command
Determine which protocols and ciphers are supported by your load balancer's security policy
Classic Load Balancers support custom security policies. However, Application Load Balancers and Network Load Balancers don't support custom security policies at this time. For more information about security policies, including the default security policy, see:
- Application Load Balancer Security Policies
- Network Load Balancer Security Policies
- Classic Load Balancer Security Policies
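As an added example (not AWS code or output), the following script ties the two steps above together: it pulls the security policy name out of the JSON that describe-listeners (Application/Network Load Balancers) and describe-load-balancers (Classic Load Balancers) return, then applies the rule from the start of this page to a client's offered protocols and ciphers to say whether a negotiation error is a protocol mismatch or a cipher mismatch. The CLI output, ARNs and the policy contents are constructed for illustration; the real protocol and cipher list for each policy is in the documentation linked above.

```python
import json

# Constructed sample shaped like `aws elbv2 describe-listeners` output (fake ARNs).
DESCRIBE_LISTENERS = json.dumps({"Listeners": [
    {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/app/ex/a/b",
     "Port": 443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-TLS-1-2-2017-01"},
    {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/app/ex/a/c",
     "Port": 80, "Protocol": "HTTP"},
]})

# Constructed sample shaped like `aws elb describe-load-balancers` output.
DESCRIBE_CLASSIC = json.dumps({"LoadBalancerDescriptions": [{
    "LoadBalancerName": "classic-example",
    "ListenerDescriptions": [
        {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443},
         "PolicyNames": ["ELBSecurityPolicy-2016-08"]},
        {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80}, "PolicyNames": []},
    ]}]})

def alb_nlb_policies(describe_listeners_json):
    """Port -> security policy for every TLS-terminating ALB/NLB listener."""
    listeners = json.loads(describe_listeners_json)["Listeners"]
    return {l["Port"]: l["SslPolicy"] for l in listeners if "SslPolicy" in l}

def classic_policies(describe_load_balancers_json):
    """Port -> policy names for every HTTPS/SSL listener on each Classic Load Balancer."""
    result = {}
    for lb in json.loads(describe_load_balancers_json)["LoadBalancerDescriptions"]:
        for ld in lb["ListenerDescriptions"]:
            if ld["Listener"]["Protocol"] in ("HTTPS", "SSL"):
                result[ld["Listener"]["LoadBalancerPort"]] = ld["PolicyNames"]
    return result

# Illustrative, incomplete policy contents (constructed); use the AWS documentation
# for the authoritative protocol and cipher lists of a given policy.
POLICY_CONTENTS = {
    "ELBSecurityPolicy-TLS-1-2-2017-01": {
        "protocols": {"TLSv1.2"},
        "ciphers": {"ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"},
    },
}

def negotiation_problem(policy_name, client_protocols, client_ciphers):
    """None if the client can complete a handshake under the policy, else the reason."""
    policy = POLICY_CONTENTS[policy_name]
    if not policy["protocols"] & set(client_protocols):
        return "no protocol in common"   # client offers only protocols the policy rejects
    if not policy["ciphers"] & set(client_ciphers):
        return "no cipher in common"     # protocol matches, but no shared cipher suite
    return None
```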
(Optional) Test your load balancer's security policy
To test which protocols and ciphers are supported by your load balancer's security policy, you can use an open source command line tool such as sslscan.
You can install and run the sslscan command on any Amazon EC2 Linux instance or from your local system. Be sure that the load balancer that you want to test accepts TLS connections from your source IP address. To use sslscan on an Amazon Linux EC2 instance:
1. Enable the Extra Packages for Enterprise Linux (EPEL) repository.
2. Run the sudo yum install sslscan command.
3. Run the following command to scan your load balancer for supported ciphers. Be sure to replace example.com with your domain name.
[ec2-user@ ~]$ sslscan --show-ciphers example.com
Update your load balancer's security policy, if necessary
If you need to update your load balancer's security policy to use supported protocols or ciphers and achieve the desired level of security, you can: