Cipher suite is different in “client hello” for the same code running on different platforms


I’m facing an “Alert: handshake failure (40)” error when trying to establish a TLS connection. The error only happens when I run the application in the cloud; the same application works when I run it on an HPG8 server. The OS is the same, Redhat 7. Checking the traces, I found that the “client hello” contains far fewer cipher suites in the error case than in the working case, and the cipher suite that the TLS server supports is missing from the “client hello” in the error case. I want to know what affects the cipher suites contained in the “client hello”.

The OpenSSL version is the same (1.1.1d) in both cases; the Redhat versions differ slightly. TLS 1.2 is used. The key file and cert file are also the same.

In the code, I’m using SSL_set_cipher_list to set the cipher string as “ALL:!DH:!EXP:!RC4:@STRENGTH”.

```
SSL_set_cipher_list(ssl, "ALL:!DH:!EXP:!RC4:@STRENGTH");
```

I also checked the OpenSSL source code, but didn’t find many clues.

Cipher suites in the failure case:

```
Cipher Suites (25 suites)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
    Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 (0xc0af)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CCM (0xc0ad)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 (0xc05d)
    Cipher Suite: TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (0xc061)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
    Cipher Suite: TLS_RSA_WITH_AES_256_CCM_8 (0xc0a1)
    Cipher Suite: TLS_RSA_WITH_AES_256_CCM (0xc09d)
    Cipher Suite: TLS_RSA_WITH_ARIA_256_GCM_SHA384 (0xc051)
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
    Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 (0xc0ae)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CCM (0xc0ac)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 (0xc05c)
    Cipher Suite: TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (0xc060)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
    Cipher Suite: TLS_RSA_WITH_AES_128_CCM_8 (0xc0a0)
    Cipher Suite: TLS_RSA_WITH_AES_128_CCM (0xc09c)
    Cipher Suite: TLS_RSA_WITH_ARIA_128_GCM_SHA256 (0xc050)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
    Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
    Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
```

Cipher suites in the successful case (0xc02f is the suite that the server returned in “server hello”):

```
Cipher Suites (45 suites)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
    Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 (0xc0af)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CCM (0xc0ad)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 (0xc05d)
    Cipher Suite: TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (0xc061)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 (0xc073)
    Cipher Suite: TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (0xc077)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
    Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
    Cipher Suite: TLS_RSA_WITH_AES_256_CCM_8 (0xc0a1)
    Cipher Suite: TLS_RSA_WITH_AES_256_CCM (0xc09d)
    Cipher Suite: TLS_RSA_WITH_ARIA_256_GCM_SHA384 (0xc051)
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
    Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (0x00c0)
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
    Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
    Cipher Suite: **TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256** (0xc02f)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 (0xc0ae)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CCM (0xc0ac)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 (0xc05c)
    Cipher Suite: TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (0xc060)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 (0xc072)
    Cipher Suite: TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (0xc076)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
    Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
    Cipher Suite: TLS_RSA_WITH_AES_128_CCM_8 (0xc0a0)
    Cipher Suite: TLS_RSA_WITH_AES_128_CCM (0xc09c)
    Cipher Suite: TLS_RSA_WITH_ARIA_128_GCM_SHA256 (0xc050)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
    Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (0x00ba)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
    Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096)
    Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
    Cipher Suite: TLS_RSA_WITH_IDEA_CBC_SHA (0x0007)
    Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
```
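A way to compare the two “client hello” offers mechanically, as an added example that is not part of the original post: it parses Wireshark's `Cipher Suite: NAME (0xNNNN)` text, lists the suites present only in the working trace, groups them by a coarse algorithm label, and checks whether the server's choice (0xc02f) was offered in the failing trace. The function names are hypothetical, and the two sample strings are excerpts of the lists above rather than the full 45 and 25 entries.

```python
import re
from collections import Counter

# Matches Wireshark's "Cipher Suite: NAME (0xNNNN)", tolerating ** emphasis and line wraps.
SUITE_RE = re.compile(r"Cipher Suite:\s*\**(TLS_\w+)\**\s*\((0x[0-9a-fA-F]{4})\)")

def parse_suites(text):
    """Return {suite_id: name} for every suite in a pasted ClientHello dissection."""
    return {int(hex_id, 16): name for name, hex_id in SUITE_RE.findall(text)}

def trait(name):
    """Coarse label for the bulk-cipher / MAC part of a suite name."""
    algo = name.split("_WITH_")[-1]
    if algo.startswith("AES_") and "_GCM_" in algo:
        return "AES-GCM"
    if algo.endswith(("_CBC_SHA256", "_CBC_SHA384")):
        return "CBC + SHA-2 MAC"
    return algo

def compare(working_text, failing_text, server_choice):
    """Diff two ClientHello offers and test the server's pick against the failing one."""
    working, failing = parse_suites(working_text), parse_suites(failing_text)
    missing = {i: n for i, n in working.items() if i not in failing}
    return {"missing": missing,
            "by_trait": Counter(trait(n) for n in missing.values()),
            "server_choice_offered": server_choice in failing}

# Excerpts of the two lists in the question, kept in the same flattened layout.
WORKING = """Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: **TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256** (0xc02f)
Cipher Suite: TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (0xc060)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)     Cipher Suite:
TLS_RSA_WITH_AES_128_CCM (0xc09c)     Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096)"""
FAILING = """Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (0xc060)
Cipher Suite: TLS_RSA_WITH_AES_128_CCM (0xc09c)"""

if __name__ == "__main__":
    result = compare(WORKING, FAILING, 0xc02f)
    for suite_id, name in sorted(result["missing"].items()):
        print(f"missing 0x{suite_id:04x} {name} [{trait(name)}]")
    print(dict(result["by_trait"]), "server pick offered:", result["server_choice_offered"])
```

Pasting the two full lists from the question in place of the excerpts works unchanged, since the parser tolerates the flattened layout and the `**` emphasis.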