
For the past few days we have seen a spike in Client TLS Negotiation Errors and are curious what could be driving it. For context, this is a classic ELB and we have a high-volume application doing about 250,000 requests/second at peak and following the circadian rhythm.

Screenshot of AWS monitoring

Dan Goldin
  • which protocols and ciphers are supported by your load balancer's security policy? Can you enable access logs for ELB to see what is there in request causing issue, like ciphers and protocol being used by requesters - https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/access-log-collection.html – Mahesh_Loya Oct 23 '20 at 03:25
  • We're using ELBSecurityPolicy-2015-05 and have the algorithm set to SHA256WITHRSA. I'll look at the access logs. – Dan Goldin Oct 23 '20 at 03:34
  • Did you ever get to the bottom of this? – Luke Sep 05 '21 at 13:11
  • @Luke - No, we were never able to get it figured out, but it ended up resolving itself. – Dan Goldin Sep 07 '21 at 01:08
  • I've been reading up on it and watching a few videos, and this is down to the client to ensure that they support the correct cipher suites (e.g. TLS 2.1) that are configured on your load balancer. The alternative is to support the cipher suites on the load balancer config to accommodate the client. – Luke Sep 07 '21 at 17:30
  • Yeah - I suspected it was just some older clients making requests that caused some problems. We ended up rebuilding the ELBs with a modern certificate set and the problem resolved. – Dan Goldin Sep 09 '21 at 02:04
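An added example in Python, not part of the original question or its comments: it follows the suggestion to look at the classic ELB access logs by parsing log lines and tallying the negotiated protocol/cipher pairs, then listing the user agents and client addresses behind anything older than TLS 1.2. The sample log lines are constructed; the field positions follow the documented classic ELB layout, where the quoted request, quoted user agent, `ssl_cipher` and `ssl_protocol` are the last four fields and plain-HTTP listeners log `-` in the TLS columns. One limitation to keep in mind: a handshake that never completes produces no HTTP request, so nothing reaches the access log for it. What the log shows is the protocol mix of clients that did connect; a long tail of TLSv1/TLSv1.1 negotiations points to a legacy client population whose oldest members are the likely source of outright failures.

```python
import shlex
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in the classic ELB access-log layout (HTTPS and
# one HTTP listener). Addresses are documentation ranges, not real clients.
SAMPLE_LOG = """\
2020-10-22T03:25:10.123456Z my-loadbalancer 203.0.113.10:51234 10.0.0.1:443 0.000086 0.001048 0.000057 200 200 0 57 "GET https://api.example.com:443/v1/ping HTTP/1.1" "curl/7.38.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
2020-10-22T03:25:11.223456Z my-loadbalancer 198.51.100.7:40001 10.0.0.2:443 0.000091 0.002048 0.000061 200 200 0 57 "GET https://api.example.com:443/v1/ping HTTP/1.1" "Java/1.6.0_45" AES128-SHA TLSv1
2020-10-22T03:25:12.323456Z my-loadbalancer 198.51.100.7:40002 10.0.0.2:443 0.000089 0.002011 0.000059 200 200 0 57 "GET https://api.example.com:443/v1/ping HTTP/1.1" "Java/1.6.0_45" AES128-SHA TLSv1
2020-10-22T03:25:13.423456Z my-loadbalancer 192.0.2.44:55555 10.0.0.1:443 0.000080 0.001000 0.000050 200 200 0 57 "GET https://api.example.com:443/v1/ping HTTP/1.1" "Mozilla/5.0 (Windows NT 10.0)" ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2
2020-10-22T03:25:14.523456Z my-loadbalancer 192.0.2.45:55556 10.0.0.1:80 0.000080 0.001000 0.000050 200 200 0 57 "GET http://api.example.com:80/v1/ping HTTP/1.1" "curl/7.64.0" - -
"""

# Protocol versions we consider current; anything else is flagged as legacy.
MODERN_PROTOCOLS = frozenset({"TLSv1.2", "TLSv1.3"})


@dataclass
class ElbRecord:
    timestamp: str
    client_ip: str
    user_agent: str
    ssl_cipher: str
    ssl_protocol: str

    @property
    def is_tls(self) -> bool:
        # Plain HTTP listeners log "-" in both TLS columns.
        return self.ssl_protocol != "-"


def parse_elb_line(line: str) -> Optional[ElbRecord]:
    """Split one classic ELB access-log line into the fields we care about.

    shlex keeps the quoted request and user-agent strings intact even when
    they contain spaces or parentheses. Malformed lines return None.
    """
    try:
        fields = shlex.split(line)
    except ValueError:  # unbalanced quotes
        return None
    if len(fields) != 15:
        return None
    client_ip = fields[2].rsplit(":", 1)[0]  # strip the source port
    return ElbRecord(
        timestamp=fields[0],
        client_ip=client_ip,
        user_agent=fields[12],
        ssl_cipher=fields[13],
        ssl_protocol=fields[14],
    )


def tls_mix(log_text: str) -> Counter:
    """Count (protocol, cipher) pairs over the TLS requests in the log."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_elb_line(line)
        if rec is not None and rec.is_tls:
            counts[(rec.ssl_protocol, rec.ssl_cipher)] += 1
    return counts


def legacy_clients(log_text: str, modern=MODERN_PROTOCOLS) -> Counter:
    """Count (user_agent, client_ip, protocol) for clients below `modern`.

    These are the clients most likely to stop connecting altogether if the
    security policy is tightened, and the closest relatives of whatever is
    already failing to negotiate.
    """
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_elb_line(line)
        if rec is not None and rec.is_tls and rec.ssl_protocol not in modern:
            counts[(rec.user_agent, rec.client_ip, rec.ssl_protocol)] += 1
    return counts


if __name__ == "__main__":
    print("Negotiated protocol/cipher pairs:")
    for (proto, cipher), n in tls_mix(SAMPLE_LOG).most_common():
        print(f"  {n:6d}  {proto:8s} {cipher}")
    print("Clients on legacy protocol versions:")
    for (ua, ip, proto), n in legacy_clients(SAMPLE_LOG).most_common():
        print(f"  {n:6d}  {proto:8s} {ip:16s} {ua}")
```

Point the two functions at a downloaded access-log file instead of `SAMPLE_LOG` to get the real distribution; on a 250,000 req/s load balancer a single five-minute log batch is plenty to see whether an old Java runtime or an embedded client population is still negotiating TLS 1.0.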
