{"id":5081,"date":"2025-03-13T12:22:24","date_gmt":"2025-03-13T03:22:24","guid":{"rendered":"https:\/\/saraheee.com\/?p=5081"},"modified":"2025-08-26T17:19:02","modified_gmt":"2025-08-26T08:19:02","slug":"repost-why-do-ssl-tls-negotiation-errors-occur-when-connecting-to-an-application-load-balancer-over-https-and-how-can-i-identify-the-responsible-client-ip","status":"publish","type":"post","link":"https:\/\/saraheee.com\/ko\/2025\/03\/repost-why-do-ssl-tls-negotiation-errors-occur-when-connecting-to-an-application-load-balancer-over-https-and-how-can-i-identify-the-responsible-client-ip\/","title":{"rendered":"re:Post &#8211; Why do SSL\/TLS negotiation errors occur when connecting to an Application Load Balancer over HTTPS, and how can I identify the responsible client IP?"},"content":{"rendered":"<p>5 minute read | Content level: Intermediate<\/p>\n\n\n\n<p>AWS re:Post &#8211; <a href=\"https:\/\/repost.aws\/articles\/AR6uOvOqgRSgWLuDRr3FmAnw\/why-do-ssl-tls-negotiation-er[%E2%80%A6]cer-over-https-and-how-can-i-identify-the-responsible-client-ip\" rel=\"noopener\">Why do SSL\/TLS negotiation errors occur when connecting to an Application Load Balancer over HTTPS, and how can I identify the responsible client IP?<\/a><\/p>\n\n\n\n<p>I want to identify the client IP for SSL\/TLS negotiation errors when connecting to an Application Load Balancer (ALB) using HTTPS.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Short description<\/h2>\n\n\n\n<p>A client TLS negotiation error occurs when a client-initiated TLS connection fails to establish a session with the load balancer.<br>This error can occur under the following conditions:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The client uses a cipher or protocol that is not supported by the load balancer\u2019s security policy.<\/li>\n\n\n\n<li>The client fails to verify the server certificate<\/li>\n<\/ul>\n\n\n\n<p>When this error occurs, the 
<strong>ClientTLSNegotiationErrorCount<\/strong> metric on the ALB increases.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Summary<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Check ALB Connection Logs\n<ul class=\"wp-block-list\">\n<li>Error codes in tls_verify_status<\/li>\n\n\n\n<li>Compare TLS Security Policy and supported Protocols\/Ciphers<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Capture client-side Packet data<\/li>\n\n\n\n<li>Compare other logs\n<ul class=\"wp-block-list\">\n<li>Compare VPC Flow logs and ALB Access logs<\/li>\n\n\n\n<li>Compare ALB Connection logs and ALB Access logs<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Resolution<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">1. Check ALB Connection Logs<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">1) Error codes in tls_verify_status<\/h4>\n\n\n\n<p>If ALB connection logging is enabled and the load balancer fails to establish a connection with the client, the failure reason is recorded in the <strong>tls_verify_status<\/strong> field of the logs.<br>The following error codes indicate possible causes of SSL\/TLS negotiation failures:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>ClientCertUntrusted<\/strong>: The client certificate is not trusted.<\/li>\n\n\n\n<li><strong>ClientCertNotYetValid<\/strong>: The client certificate is not yet valid.<\/li>\n\n\n\n<li><strong>ClientCertTypeUnsupported<\/strong>: The client certificate type is not supported.<\/li>\n<\/ul>\n\n\n\n<p>Additionally, certain special values in tls_verify_status require further interpretation:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>&#8211;<\/strong>: This value appears if the request does not use an HTTPS listener.<\/li>\n\n\n\n<li><strong>Failed:UnmappedConnectionError<\/strong>: This occurs when the runtime connection is not mapped properly. 
This is the code logged when a TLS negotiation fails in a scenario that does not use mutual TLS (mTLS), for example a protocol or cipher mismatch between the client and the listener&#8217;s security policy.<\/li>\n<\/ul>\n\n\n\n<p>Note: Elastic Load Balancing logs requests on a <strong>best-effort basis<\/strong>. Use ALB logs to understand the nature of the requests, not as a complete accounting of all requests.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">2) Compare TLS Security Policy and supported Protocols\/Ciphers<\/h4>\n\n\n\n<p>Each TLS security policy supports a specific set of protocols and ciphers (see [3]). If the client offers none of the protocols and ciphers that the listener&#8217;s policy allows, the handshake fails with an SSL\/TLS negotiation error.<br>By default, <strong>ELBSecurityPolicy-TLS13-1-2-2021-06<\/strong> is assigned to HTTPS listeners created through the AWS Management Console.<br>This policy supports the following:<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Supported Protocols<\/h5>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>TLS 1.3<br>TLS 1.2<\/p>\n<\/blockquote>\n\n\n\n<h5 class=\"wp-block-heading\">Supported Ciphers<\/h5>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>TLS_AES_128_GCM_SHA256<br>TLS_AES_256_GCM_SHA384<br>TLS_CHACHA20_POLY1305_SHA256<br>ECDHE-ECDSA-AES128-GCM-SHA256<br>ECDHE-RSA-AES128-GCM-SHA256<br>ECDHE-ECDSA-AES128-SHA256<br>ECDHE-RSA-AES128-SHA256<br>ECDHE-ECDSA-AES256-GCM-SHA384<br>ECDHE-RSA-AES256-GCM-SHA384<br>ECDHE-ECDSA-AES256-SHA384<br>ECDHE-RSA-AES256-SHA384<\/p>\n<\/blockquote>\n\n\n\n<p>To diagnose the issue, compare the protocol and cipher offered by the client with the protocols and ciphers allowed by the ALB listener&#8217;s security policy.<br>If there is no protocol and cipher that both sides support, the handshake fails and the <strong>ClientTLSNegotiationErrorCount<\/strong> metric increases (see [1]). A listener created with the API or CLI may carry a different default policy, so check the policy actually attached to the listener rather than assuming the console default.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. Capture client-side Packet data<\/h3>\n\n\n\n<p>For precise troubleshooting, capturing packets on the client side is the most direct way to determine why TLS negotiation failed and which client IP was affected.<br>Packet capture tools such as <strong>tcpdump<\/strong> or <strong>Wireshark<\/strong> show exactly which <strong>protocol<\/strong> versions and <strong>cipher<\/strong> suites the client offers in its ClientHello and at which point the handshake breaks down.<br>You can also use <strong>OpenSSL<\/strong> to check manually which protocols and ciphers the load balancer accepts:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ openssl s_client -connect &lt;ALB-Domain&gt;:443 -servername &lt;ALB-Domain&gt; -tls1_2\n$ openssl s_client -connect &lt;ALB-Domain&gt;:443 -servername &lt;ALB-Domain&gt; -tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256<\/code><\/pre>\n\n\n\n<p>Replace &lt;ALB-Domain&gt; with your ALB&#8217;s DNS name. The first command tests whether a TLS 1.2 handshake succeeds at all; the second restricts the client to a single cipher suite from the policy, so a failure isolates the cipher rather than the protocol version. The <code>Protocol<\/code> and <code>Cipher<\/code> lines in the output show what was negotiated, and a handshake failure error means the load balancer rejected what the client offered.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. Compare other logs<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">1) Compare VPC Flow logs and ALB Access logs<\/h4>\n\n\n\n<p>You can enable VPC Flow logs on the ENI (Elastic Network Interface) of each ALB node and compare them with ALB Access logs.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If an SSL\/TLS negotiation error occurs, the client&#8217;s IP appears in the VPC Flow logs (the TCP connection was accepted) but not in the ALB Access logs (no request was processed).<\/li>\n\n\n\n<li>This combination indicates that the ALB received the connection but could not complete it, which is consistent with an SSL\/TLS negotiation failure.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">2) Compare ALB Connection logs and ALB Access logs<\/h4>\n\n\n\n<p>When a client successfully establishes a connection, the <strong>conn_trace_id<\/strong> field carries the same value in the Connection log entry and in the Access log entries for the requests sent over that connection, which links the two logs.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If an SSL\/TLS negotiation error occurs, compare the conn_trace_id values in the ALB Connection logs with those in the ALB Access logs.<\/li>\n\n\n\n<li>If a Connection log entry exists but no Access log entry carries the same conn_trace_id, the handshake failed before a valid request was processed; the tls_verify_status of that Connection log entry gives the reason, and its client_ip field identifies the responsible client.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion &amp; Recommendations<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Verify the client&#8217;s TLS configuration to ensure compatibility with the ALB listener&#8217;s security policy.<\/li>\n\n\n\n<li>Enable ALB Connection logs to capture detailed negotiation failures together with the client IP.<\/li>\n\n\n\n<li>Use OpenSSL or packet capture tools to diagnose client-side issues.<\/li>\n\n\n\n<li>Compare VPC Flow logs with ALB Access logs to check whether the client reached the ALB but failed to establish a connection.<\/li>\n<\/ul>\n\n\n\n<p>By following these steps, you can determine the cause of SSL\/TLS negotiation errors and identify the affected client IPs.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Related Information<\/h2>\n\n\n\n<p>[1] CloudWatch metrics for your Application Load Balancer &#8211; <a href=\"https:\/\/docs.aws.amazon.com\/elasticloadbalancing\/latest\/application\/load-balancer-cloudwatch-metrics.html#load-balancer-metrics-alb\" rel=\"noopener\">Application Load Balancer metrics<\/a><br>[2] Connection logs for your Application Load Balancer &#8211; <a href=\"https:\/\/docs.aws.amazon.com\/elasticloadbalancing\/latest\/application\/load-balancer-connection-logs.html#connection-error-reason-codes\" rel=\"noopener\">Error reason codes<\/a><br>[3] <a href=\"https:\/\/docs.aws.amazon.com\/elasticloadbalancing\/latest\/application\/describe-ssl-policies.html\" rel=\"noopener\">Security policies for your Application Load Balancer<\/a><br>[4] re:Post &#8211; <a href=\"https:\/\/repost.aws\/knowledge-center\/elb-alb-mtls-client-connection-errors\" rel=\"noopener\">How do I identify and resolve client connection issues when I use mTLS with the Application Load Balancer?<\/a><br>[5] re:Post &#8211; <a href=\"https:\/\/repost.aws\/knowledge-center\/elb-ssl-tls-negotiation-errors\" rel=\"noopener\">How do I troubleshoot client SSL\/TLS negotiation errors when I connect to an Application Load Balancer that uses HTTPS?<\/a><br>[6] re:Post &#8211; <a href=\"https:\/\/repost.aws\/knowledge-center\/elb-fix-ssl-tls-negotiation-error\" rel=\"noopener\">Why do I get a client SSL\/TLS negotiation error when I try to connect to my load balancer?<\/a><\/p>","protected":false},"excerpt":{"rendered":"<p>I want to identify the client IP for SSL\/TLS negotiation errors when connecting to an Application Load Balancer (ALB) using HTTPS.<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[186],"tags":[209,187,211,208,213,207],"class_list":["post-5081","post","type-post","status-publish","format-standard","hentry","category-aws","tag-alb","tag-aws","tag-client-ip","tag-clienttlsnegotiationerrorcount","tag-mar-12-2025","tag-repost"],"_links":{"self":[{"href":"https:\/\/saraheee.com\/ko\/wp-json\/wp\/v2\/posts\/5081"}],"collection":[{"href":"https:\/\/saraheee.com\/ko\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/saraheee.com\/ko\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/saraheee.com\/ko\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/saraheee.com\/ko\/wp-json\/wp\/v2\/comments?post=5081"}],"version-history":[{"count":4,"href":"https:\/\/saraheee.com\/ko\/wp-json\/wp\/v2\/posts\/5081\/revisions"}],"predecessor-version":[{"id":5634,"href":"https:\/\/saraheee.com\/ko\/wp-json\/wp\/v2\/posts\/5081\/revisions\/5634"}],"wp:attachment":[{"href":"https:\/\/saraheee.com\/ko\/wp-json\/wp\/v2\/media?parent=5081"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/saraheee.com\/ko\/wp-json\/wp\/v2\/categories?post=5081"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/saraheee.com\/ko\/wp-json\/wp\/v2\/tags?post=5081"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
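The following is an added worked example for steps 1 (reading tls_verify_status from Connection logs and comparing the client's protocol and cipher with the listener's security policy) and 3.2 (cross-referencing conn_trace_id between Connection logs and Access logs) of the article above. It is not code from the re:Post article or from AWS. The log lines are constructed for the demo; the connection-log field order it assumes is timestamp, client_ip, client_port, listener_port, tls_protocol, tls_cipher, tls_handshake_latency, leaf_client_cert_subject, leaf_client_cert_validity, leaf_client_cert_serial_number, tls_verify_status, conn_trace_id, and the policy allow-list is the one quoted in the article for ELBSecurityPolicy-TLS13-1-2-2021-06.

```python
"""Added example (not from the re:Post article or AWS): triage ALB connection
logs for TLS negotiation failures, attribute them to client IPs, compare the
recorded protocol/cipher with a listener security policy, and find handshakes
that never produced an access-log entry (same conn_trace_id missing)."""
import shlex
from collections import Counter, defaultdict

# Allow-list exactly as the article lists it for ELBSecurityPolicy-TLS13-1-2-2021-06.
TLS13_1_2_2021_06 = {
    "protocols": {"TLSv1.3", "TLSv1.2"},
    "ciphers": {
        "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
        "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
        "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256",
        "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
        "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384",
    },
}

# Assumed connection-log field order (12 space-separated fields, subject quoted).
CONNECTION_LOG_FIELDS = (
    "timestamp", "client_ip", "client_port", "listener_port", "tls_protocol",
    "tls_cipher", "tls_handshake_latency", "leaf_client_cert_subject",
    "leaf_client_cert_validity", "leaf_client_cert_serial_number",
    "tls_verify_status", "conn_trace_id",
)

# Constructed sample data: one good handshake, a legacy client offering only
# TLS 1.0, an mTLS client with an untrusted certificate, and one failure where
# no protocol was agreed so "-" was recorded for protocol and cipher.
SAMPLE_CONNECTION_LOG = """\
2025-03-12T09:15:01.000000Z 203.0.113.10 51234 443 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 2 - - - Success TID_0a1b2c3d4e5f60718293a4b5c6d7e8f9
2025-03-12T09:15:02.000000Z 198.51.100.7 40211 443 TLSv1.0 AES128-SHA 1 - - - Failed:UnmappedConnectionError TID_1b2c3d4e5f60718293a4b5c6d7e8f90a
2025-03-12T09:15:03.000000Z 192.0.2.44 60022 443 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 3 "CN=legacy-device,O=Example" 2022-01-01T00:00:00.000Z/2026-01-01T00:00:00.000Z 1234567 Failed:ClientCertUntrusted TID_2c3d4e5f60718293a4b5c6d7e8f90a1b
2025-03-12T09:15:04.000000Z 198.51.100.7 40212 443 - - 1 - - - Failed:UnmappedConnectionError TID_3d4e5f60718293a4b5c6d7e8f90a1b2c
"""

# Constructed access-log line: only the successful connection produced a request.
SAMPLE_ACCESS_LOG = """\
https 2025-03-12T09:15:01.250000Z app/my-alb/50dc6c495c0c9188 203.0.113.10:51234 10.0.1.20:8080 0.001 0.004 0.000 200 200 120 512 "GET https://app.example.com:443/ HTTP/1.1" "curl/8.5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/app/73e2d6bc24d8a067 "Root=1-67d13f15-0123456789abcdef01234567" "app.example.com" "arn:aws:acm:us-east-1:123456789012:certificate/11111111-2222-3333-4444-555555555555" 0 2025-03-12T09:15:01.245000Z "forward" "-" "-" "10.0.1.20:8080" "200" "-" "-" TID_0a1b2c3d4e5f60718293a4b5c6d7e8f9
"""


def parse_connection_log(text):
    """Split each line on whitespace; shlex keeps the quoted cert subject as one field."""
    entries = []
    for line in text.splitlines():
        parts = shlex.split(line)
        if len(parts) != len(CONNECTION_LOG_FIELDS):
            raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
        entries.append(dict(zip(CONNECTION_LOG_FIELDS, parts)))
    return entries


def policy_findings(entry, policy=TLS13_1_2_2021_06):
    """Explain why the recorded protocol/cipher could not satisfy the listener policy."""
    proto, cipher = entry["tls_protocol"], entry["tls_cipher"]
    if proto == "-" or cipher == "-":
        # Nothing was agreed, so the log cannot tell what the client offered.
        return ["no protocol/cipher agreed; capture the ClientHello client-side"]
    findings = []
    if proto not in policy["protocols"]:
        findings.append(f"protocol {proto} not allowed")
    if cipher not in policy["ciphers"]:
        findings.append(f"cipher {cipher} not allowed")
    return findings


def failed_handshakes_by_client(entries, policy=TLS13_1_2_2021_06):
    """client_ip -> {statuses: Counter of tls_verify_status, findings: set}, failures only."""
    report = defaultdict(lambda: {"statuses": Counter(), "findings": set()})
    for e in entries:
        status = e["tls_verify_status"]
        if status in ("Success", "-"):  # "-" means the listener is not HTTPS
            continue
        report[e["client_ip"]]["statuses"][status] += 1
        report[e["client_ip"]]["findings"].update(policy_findings(e, policy))
    return dict(report)


def access_log_trace_ids(text):
    """Collect every conn_trace_id (TID_...) token seen in access-log lines."""
    return {tok for line in text.splitlines() for tok in shlex.split(line) if tok.startswith("TID_")}


def connections_without_requests(entries, access_text):
    """Connection-log entries whose conn_trace_id never appears in the access log."""
    seen = access_log_trace_ids(access_text)
    return [(e["client_ip"], e["conn_trace_id"], e["tls_verify_status"])
            for e in entries if e["conn_trace_id"] not in seen]


if __name__ == "__main__":
    entries = parse_connection_log(SAMPLE_CONNECTION_LOG)
    for ip, info in failed_handshakes_by_client(entries).items():
        print(ip, dict(info["statuses"]), sorted(info["findings"]))
    for ip, tid, status in connections_without_requests(entries, SAMPLE_ACCESS_LOG):
        print("no request for", ip, tid, status)
```

Run it on real logs by replacing the two sample strings with the decompressed log contents from the S3 bucket. Entries whose protocol and cipher are recorded as "-" are the ones the article's step 2 is for: the log proves the client IP and the failure, but only a client-side capture or an openssl s_client test shows what that client actually offered.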