Why do I get a client SSL/TLS negotiation error when I try to connect to my load balancer?

Last updated: 2020-01-31

I receive a Secure Sockets Layer (SSL)/Transport Layer Security (TLS) negotiation error when I try to connect to my load balancer. Why am I getting this error?

Short Description

A client TLS negotiation error refers to a TLS connection initiated by the client that was unable to establish a session with the load balancer. TLS negotiation errors occur when clients try to connect to a load balancer using a protocol or cipher that the load balancer's security policy doesn't support. To establish a TLS connection, be sure that your client supports:

  • One or more matching ciphers
  • A protocol specified in the security policy

Resolution

Identify your load balancer's security policy

From the AWS Management Console:

1.    Open the Amazon Elastic Compute Cloud (Amazon EC2) console.

2.    On the navigation pane, under LOAD BALANCING, choose Load Balancers.

3.    Select the load balancer, and then choose Listeners.

4.    View the security policy.
       For Application Load Balancers and Network Load Balancers, find the security policy in the Security policy column.
       For Classic Load Balancers, choose Change in the Cipher column to view the security policy.

From the AWS Command Line Interface (AWS CLI):

Determine which protocols and ciphers are supported by your load balancer's security policy

Classic Load Balancers support custom security policies. However, Application Load Balancers and Network Load Balancers don't support custom security policies at this time. For more information about security policies, including the default security policy, see:

(Optional) Test your load balancer's security policy

To test which protocols and ciphers are supported by your load balancer’s security policy, you can use an open source command line tool such as sslscan.

You can install and run the sslscan command on any Amazon EC2 Linux instance or from your local system. Be sure that the load balancer that you want to test accepts TLS connections from your source IP address. To use sslscan on an Amazon Linux EC2 instance:

1.    Enable the Extra Packages for Enterprise Linux (EPEL) repository.

2.    Run the sudo yum install sslscan command.

3.    Run the following command to scan your load balancer for supported ciphers. Be sure to replace example.com with your domain name.

[ec2-user@ ~]$ sslscan --show-ciphers example.com

Update your load balancer's security policy, if necessary

If you need to update your load balancer's security policy to use supported protocols or ciphers and achieve the desired level of security, you can:


Did this article help you?

Anything we could improve?


Need more help?