Closed jstewmon closed 3 years ago
cc @ggreenway
Before I realized support had been dropped, I tried configuring the upstream TLS context to support ECDHE-ECDSA-AES128-SHA
. Envoy seems to silently ignore this configuration and falls back to the default. I'd expect a warning if some cipher suites aren't supported and an error if none of them are supported.
transport_socket:
name: envoy.transport_sockets.tls
typed_config:
'@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
common_tls_context:
tls_params: {"cipher_suites":["ECDHE-ECDSA-AES128-SHA"]}
Before I realized support had been dropped, I tried configuring the upstream TLS context to support
ECDHE-ECDSA-AES128-SHA
. Envoy seems to silently ignore this configuration and falls back to the default.
That's very surprising to me. Can you check if there was anything in the logs about this when you ran with that configuration?
This is the info log including one request:
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:330] initializing epoch 0 (base id=0, hot restart version=11.104)
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:332] statically linked extensions:
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.dubbo_proxy.route_matchers: default
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.http.cache: envoy.extensions.http.cache.simple
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.wasm.runtime: envoy.wasm.runtime.null, envoy.wasm.runtime.v8
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.resolvers: envoy.ip
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.matching.common_inputs: envoy.matching.common_inputs.environment_variable
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.transport_sockets.downstream: envoy.transport_sockets.alts, envoy.transport_sockets.quic, envoy.transport_sockets.raw_buffer, envoy.transport_sockets.starttls, envoy.transport_sockets.tap, envoy.transport_sockets.tls, raw_buffer, starttls, tls
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.tracers: envoy.dynamic.ot, envoy.lightstep, envoy.tracers.datadog, envoy.tracers.dynamic_ot, envoy.tracers.lightstep, envoy.tracers.opencensus, envoy.tracers.skywalking, envoy.tracers.xray, envoy.tracers.zipkin, envoy.zipkin
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.bootstrap: envoy.bootstrap.wasm, envoy.extensions.network.socket_interface.default_socket_interface
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.upstreams: envoy.filters.connection_pools.tcp.generic
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.internal_redirect_predicates: envoy.internal_redirect_predicates.allow_listed_routes, envoy.internal_redirect_predicates.previous_routes, envoy.internal_redirect_predicates.safe_cross_scheme
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.http.stateful_header_formatters: preserve_case
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.compression.decompressor: envoy.compression.brotli.decompressor, envoy.compression.gzip.decompressor
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.clusters: envoy.cluster.eds, envoy.cluster.logical_dns, envoy.cluster.original_dst, envoy.cluster.static, envoy.cluster.strict_dns, envoy.clusters.aggregate, envoy.clusters.dynamic_forward_proxy, envoy.clusters.redis
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.grpc_credentials: envoy.grpc_credentials.aws_iam, envoy.grpc_credentials.default, envoy.grpc_credentials.file_based_metadata
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.filters.http: envoy.buffer, envoy.cors, envoy.csrf, envoy.ext_authz, envoy.ext_proc, envoy.fault, envoy.filters.http.adaptive_concurrency, envoy.filters.http.admission_control, envoy.filters.http.aws_lambda, envoy.filters.http.aws_request_signing, envoy.filters.http.buffer, envoy.filters.http.cache, envoy.filters.http.cdn_loop, envoy.filters.http.composite, envoy.filters.http.compressor, envoy.filters.http.cors, envoy.filters.http.csrf, envoy.filters.http.decompressor, envoy.filters.http.dynamic_forward_proxy, envoy.filters.http.dynamo, envoy.filters.http.ext_authz, envoy.filters.http.ext_proc, envoy.filters.http.fault, envoy.filters.http.grpc_http1_bridge, envoy.filters.http.grpc_http1_reverse_bridge, envoy.filters.http.grpc_json_transcoder, envoy.filters.http.grpc_stats, envoy.filters.http.grpc_web, envoy.filters.http.gzip, envoy.filters.http.header_to_metadata, envoy.filters.http.health_check, envoy.filters.http.ip_tagging, envoy.filters.http.jwt_authn, envoy.filters.http.local_ratelimit, envoy.filters.http.lua, envoy.filters.http.oauth2, envoy.filters.http.on_demand, envoy.filters.http.original_src, envoy.filters.http.ratelimit, envoy.filters.http.rbac, envoy.filters.http.router, envoy.filters.http.squash, envoy.filters.http.tap, envoy.filters.http.wasm, envoy.grpc_http1_bridge, envoy.grpc_json_transcoder, envoy.grpc_web, envoy.gzip, envoy.health_check, envoy.http_dynamo_filter, envoy.ip_tagging, envoy.local_rate_limit, envoy.lua, envoy.rate_limit, envoy.router, envoy.squash, match-wrapper
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.dubbo_proxy.filters: envoy.filters.dubbo.router
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.dubbo_proxy.protocols: dubbo
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.health_checkers: envoy.health_checkers.redis
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.thrift_proxy.filters: envoy.filters.thrift.rate_limit, envoy.filters.thrift.router
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.thrift_proxy.transports: auto, framed, header, unframed
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.guarddog_actions: envoy.watchdog.abort_action, envoy.watchdog.profile_action
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.access_loggers: envoy.access_loggers.file, envoy.access_loggers.http_grpc, envoy.access_loggers.open_telemetry, envoy.access_loggers.stderr, envoy.access_loggers.stdout, envoy.access_loggers.tcp_grpc, envoy.access_loggers.wasm, envoy.file_access_log, envoy.http_grpc_access_log, envoy.open_telemetry_access_log, envoy.stderr_access_log, envoy.stdout_access_log, envoy.tcp_grpc_access_log, envoy.wasm_access_log
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.retry_host_predicates: envoy.retry_host_predicates.omit_canary_hosts, envoy.retry_host_predicates.omit_host_metadata, envoy.retry_host_predicates.previous_hosts
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.tls.cert_validator: envoy.tls.cert_validator.default, envoy.tls.cert_validator.spiffe
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.thrift_proxy.protocols: auto, binary, binary/non-strict, compact, twitter
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.upstream_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions, envoy.upstreams.http.http_protocol_options
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.matching.http.input: request-headers, request-trailers, response-headers, response-trailers
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.matching.action: composite-action, skip
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.filters.listener: envoy.filters.listener.http_inspector, envoy.filters.listener.original_dst, envoy.filters.listener.original_src, envoy.filters.listener.proxy_protocol, envoy.filters.listener.tls_inspector, envoy.listener.http_inspector, envoy.listener.original_dst, envoy.listener.original_src, envoy.listener.proxy_protocol, envoy.listener.tls_inspector
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.rate_limit_descriptors: envoy.rate_limit_descriptors.expr
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.transport_sockets.upstream: envoy.transport_sockets.alts, envoy.transport_sockets.quic, envoy.transport_sockets.raw_buffer, envoy.transport_sockets.tap, envoy.transport_sockets.tls, envoy.transport_sockets.upstream_proxy_protocol, raw_buffer, tls
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.matching.input_matchers: envoy.matching.matchers.consistent_hashing
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.resource_monitors: envoy.resource_monitors.fixed_heap, envoy.resource_monitors.injected_resource
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.filters.network: envoy.client_ssl_auth, envoy.echo, envoy.ext_authz, envoy.filters.network.client_ssl_auth, envoy.filters.network.direct_response, envoy.filters.network.dubbo_proxy, envoy.filters.network.echo, envoy.filters.network.ext_authz, envoy.filters.network.http_connection_manager, envoy.filters.network.kafka_broker, envoy.filters.network.local_ratelimit, envoy.filters.network.mongo_proxy, envoy.filters.network.mysql_proxy, envoy.filters.network.postgres_proxy, envoy.filters.network.ratelimit, envoy.filters.network.rbac, envoy.filters.network.redis_proxy, envoy.filters.network.rocketmq_proxy, envoy.filters.network.sni_cluster, envoy.filters.network.sni_dynamic_forward_proxy, envoy.filters.network.tcp_proxy, envoy.filters.network.thrift_proxy, envoy.filters.network.wasm, envoy.filters.network.zookeeper_proxy, envoy.http_connection_manager, envoy.mongo_proxy, envoy.ratelimit, envoy.redis_proxy, envoy.tcp_proxy
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.retry_priorities: envoy.retry_priorities.previous_priorities
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.compression.compressor: envoy.compression.brotli.compressor, envoy.compression.gzip.compressor
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.stats_sinks: envoy.dog_statsd, envoy.metrics_service, envoy.stat_sinks.dog_statsd, envoy.stat_sinks.hystrix, envoy.stat_sinks.metrics_service, envoy.stat_sinks.statsd, envoy.stat_sinks.wasm, envoy.statsd
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.dubbo_proxy.serializers: dubbo.hessian2
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.filters.udp_listener: envoy.filters.udp.dns_filter, envoy.filters.udp_listener.udp_proxy
[2021-06-21 17:59:00.947][17][info][main] [source/server/server.cc:334] envoy.request_id: envoy.request_id.uuid
[2021-06-21 17:59:00.974][17][warning][misc] [source/common/protobuf/message_validator_impl.cc:21] Deprecated field: type envoy.config.bootstrap.v3.Admin Using deprecated option 'envoy.config.bootstrap.v3.Admin.access_log_path' from file bootstrap.proto. This configuration will be removed from Envoy soon. Please see https://www.envoyproxy.io/docs/envoy/latest/version_history/version_history for details. If continued use of this field is absolutely necessary, see https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/runtime#using-runtime-overrides-for-deprecated-features for how to apply a temporary and highly discouraged override.
[2021-06-21 17:59:00.974][17][info][main] [source/server/server.cc:350] HTTP header map info:
[2021-06-21 17:59:00.975][17][info][main] [source/server/server.cc:353] request header map: 632 bytes: :authority,:method,:path,:protocol,:scheme,accept,accept-encoding,access-control-request-method,authentication,authorization,cache-control,cdn-loop,connection,content-encoding,content-length,content-type,expect,grpc-accept-encoding,grpc-timeout,if-match,if-modified-since,if-none-match,if-range,if-unmodified-since,keep-alive,origin,pragma,proxy-connection,referer,te,transfer-encoding,upgrade,user-agent,via,x-client-trace-id,x-envoy-attempt-count,x-envoy-decorator-operation,x-envoy-downstream-service-cluster,x-envoy-downstream-service-node,x-envoy-expected-rq-timeout-ms,x-envoy-external-address,x-envoy-force-trace,x-envoy-hedge-on-per-try-timeout,x-envoy-internal,x-envoy-ip-tags,x-envoy-max-retries,x-envoy-original-path,x-envoy-original-url,x-envoy-retriable-header-names,x-envoy-retriable-status-codes,x-envoy-retry-grpc-on,x-envoy-retry-on,x-envoy-upstream-alt-stat-name,x-envoy-upstream-rq-per-try-timeout-ms,x-envoy-upstream-rq-timeout-alt-response,x-envoy-upstream-rq-timeout-ms,x-forwarded-client-cert,x-forwarded-for,x-forwarded-proto,x-ot-span-context,x-request-id
[2021-06-21 17:59:00.975][17][info][main] [source/server/server.cc:353] request trailer map: 144 bytes:
[2021-06-21 17:59:00.975][17][info][main] [source/server/server.cc:353] response header map: 440 bytes: :status,access-control-allow-credentials,access-control-allow-headers,access-control-allow-methods,access-control-allow-origin,access-control-expose-headers,access-control-max-age,age,cache-control,connection,content-encoding,content-length,content-type,date,etag,expires,grpc-message,grpc-status,keep-alive,last-modified,location,proxy-connection,server,transfer-encoding,upgrade,vary,via,x-envoy-attempt-count,x-envoy-decorator-operation,x-envoy-degraded,x-envoy-immediate-health-check-fail,x-envoy-ratelimited,x-envoy-upstream-canary,x-envoy-upstream-healthchecked-cluster,x-envoy-upstream-service-time,x-request-id
[2021-06-21 17:59:00.975][17][info][main] [source/server/server.cc:353] response trailer map: 168 bytes: grpc-message,grpc-status
[2021-06-21 17:59:00.976][17][info][main] [source/server/server.cc:500] admin address: 0.0.0.0:9901
[2021-06-21 17:59:00.977][17][info][main] [source/server/server.cc:667] runtime: layers:
- name: base
static_layer:
re2:
max_program_size:
error_level: 300
[2021-06-21 17:59:00.978][17][info][config] [source/server/configuration_impl.cc:128] loading tracing configuration
[2021-06-21 17:59:00.978][17][info][config] [source/server/configuration_impl.cc:88] loading 0 static secret(s)
[2021-06-21 17:59:00.978][17][info][config] [source/server/configuration_impl.cc:94] loading 16 cluster(s)
[2021-06-21 17:59:00.998][17][info][config] [source/server/configuration_impl.cc:98] loading 2 listener(s)
[2021-06-21 17:59:01.006][17][info][lua] [source/extensions/filters/http/lua/lua_filter.cc:188] envoy_on_response() function not found. Lua filter will not hook responses.
[2021-06-21 17:59:01.007][17][info][lua] [source/extensions/filters/http/lua/lua_filter.cc:183] envoy_on_request() function not found. Lua filter will not hook requests.
[2021-06-21 17:59:01.007][17][info][lua] [source/extensions/filters/http/lua/lua_filter.cc:183] envoy_on_request() function not found. Lua filter will not hook requests.
[2021-06-21 17:59:01.008][17][info][lua] [source/extensions/filters/http/lua/lua_filter.cc:188] envoy_on_response() function not found. Lua filter will not hook responses.
[2021-06-21 17:59:01.008][17][info][lua] [source/extensions/filters/http/lua/lua_filter.cc:188] envoy_on_response() function not found. Lua filter will not hook responses.
[2021-06-21 17:59:01.009][17][info][lua] [source/extensions/filters/http/lua/lua_filter.cc:188] envoy_on_response() function not found. Lua filter will not hook responses.
[2021-06-21 17:59:01.015][17][info][lua] [source/extensions/filters/http/lua/lua_filter.cc:188] envoy_on_response() function not found. Lua filter will not hook responses.
[2021-06-21 17:59:01.016][17][info][lua] [source/extensions/filters/http/lua/lua_filter.cc:183] envoy_on_request() function not found. Lua filter will not hook requests.
[2021-06-21 17:59:01.016][17][info][lua] [source/extensions/filters/http/lua/lua_filter.cc:183] envoy_on_request() function not found. Lua filter will not hook requests.
[2021-06-21 17:59:01.016][17][info][lua] [source/extensions/filters/http/lua/lua_filter.cc:188] envoy_on_response() function not found. Lua filter will not hook responses.
[2021-06-21 17:59:01.017][17][info][lua] [source/extensions/filters/http/lua/lua_filter.cc:188] envoy_on_response() function not found. Lua filter will not hook responses.
[2021-06-21 17:59:01.017][17][info][lua] [source/extensions/filters/http/lua/lua_filter.cc:188] envoy_on_response() function not found. Lua filter will not hook responses.
[2021-06-21 17:59:01.020][17][info][config] [source/server/configuration_impl.cc:110] loading stats configuration
[2021-06-21 17:59:01.020][17][info][main] [source/server/server.cc:764] starting main dispatch loop
[2021-06-21 17:59:01.112][17][info][runtime] [source/common/runtime/runtime_impl.cc:428] RTDS has finished initialization
[2021-06-21 17:59:01.112][17][info][upstream] [source/common/upstream/cluster_manager_impl.cc:192] cm init: all clusters initialized
[2021-06-21 17:59:01.112][17][info][main] [source/server/server.cc:745] all clusters initialized. initializing init manager
[2021-06-21 17:59:01.112][17][info][config] [source/server/listener_manager_impl.cc:888] all dependencies initialized. starting workers
[2021-06-21 17:59:01.114][17][warning][main] [source/server/server.cc:642] there is no configured limit to the number of allowed active connections. Set a limit via the runtime key overload.global_downstream_max_connections
{"resStatusCodeDetails":"upstream_reset_before_response_started{connection_failure}","resBytes":91,"reqHeaderXClientTraceId":null,"upstreamHost":"172.26.83.124:30143","reqPath":"/","userJwtSub":null,"routeName":"webApi.default","resHeaderContentType":"text/plain","resStatusCode":503,"reqHeaderXForwardedFor":"172.25.0.1","reqAuthority":"<hostname>","timingDuration":39,"reqId":"19b9784c-956e-45f9-a980-3e10dd854526","timingUpstream":null,"downstreamRemoteAddress":"172.25.0.1","reqMethod":"GET","reqIpTags":null,"reqBytes":0,"time":"1624298353737","resFlags":"UF","resHeaderXEnvoyOverloaded":null,"reqHeaderXClntReqUuid":null,"reqProtocol":"HTTP/1.1","resHeaderXEnvoyRatelimited":null,"reqHeaderUserAgent":"curl/7.64.1","upstreamTransportFailureReason":null,"userJwtJti":null,"upstreamCluster":"<clusterName>"}
This is the cluster configuration:
- name: <clusterName>
type: STRICT_DNS
connect_timeout: 0.5s
dns_lookup_family: V4_ONLY
ignore_health_on_host_removal: true
respect_dns_ttl: true
lb_policy: RANDOM
transport_socket:
name: envoy.transport_sockets.tls
typed_config:
'@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
common_tls_context:
tls_params: {"cipher_suites":["ECDHE-ECDSA-AES128-SHA"]}
validation_context:
trusted_ca:
filename: /etc/ssl/certs/ca-certificates.crt
sni: <hostname>
load_assignment:
cluster_name: <clusterName>
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: <hostname>
port_value: 30143
I'm running envoy in docker with the envoy-alpine:v1.18.3
image.
Huh, not sure why it's not working as expected. I would have expected to hit this error: https://github.com/envoyproxy/envoy/blob/1aa65ac88e9888127fe795e3ecb4c1bbc36534bf/source/extensions/transport_sockets/tls/context_impl.cc#L134
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.
Before I realized support had been dropped, I tried configuring the upstream TLS context to support
ECDHE-ECDSA-AES128-SHA
. Envoy seems to silently ignore this configuration and falls back to the default. I'd expect a warning if some cipher suites aren't supported and an error if none of them are supported.transport_socket: name: envoy.transport_sockets.tls typed_config: '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext common_tls_context: tls_params: {"cipher_suites":["ECDHE-ECDSA-AES128-SHA"]}
ECDHE-ECDSA-AES128-SHA in the supported list if you are using boringssl. I think the same result in openssl.
But if tls 1.3 is negotiated, this suite is ignored. https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto
(repeated string) If specified, the TLS listener will only support the specified cipher list when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3).
Huh, not sure why it's not working as expected. I would have expected to hit this error:
The portability is decided by the underlying library. either build or link time, you might see NACK LDS or SDS if that suite is not supported along with this exception. However, if you build with boringssl, that cipher suite is supported.
This log won't be seen upon ssl handshake as per the above NACK
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.
This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.
Title: UPSTREAM_TRANSPORT_FAILURE_REASON not populated when tls handshake fails with unsupported cipher suites
Description:
We deployed an updated envoy image yesterday, including a version change from 1.16 to 1.18. Following the deployment, envoy started issuing local 503 replies with RESPONSE_CODE_DETAILS of
upstream_reset_before_response_started{connection_failure}
.I added
upstreamTransportFailureReason: '%UPSTREAM_TRANSPORT_FAILURE_REASON%'
to the access logs (json format), but the value wasnull
(formatted for readability):I set the envoy log-level to trace which produced the following clues:
I noticed that there is a debug message in the log which also appears to be missing a value
upstream reset: reset reason: connection failure, transport failure reason:
It turns out that the problem was that envoy 1.17 included the removal of weak cipher suites in these issues (ref: https://github.com/envoyproxy/envoy/issues/5401) and the upstream had an old list of allowed ciphers, which were all weak 🤦
I figured this out by searching for "tls" in the version history of the major version releases, finding the relevant PRs, etc.
I would have expected some stat, debug log or the UPSTREAM_TRANSPORT_FAILURE_REASON to indicate something like "TLS handshake failure: no supported ciphers".
Repro steps: A TLS upstream with no supported ciphers. In my case the upstream had the following cipher suites enabled:
Admin and Stats Output:
These are all the stats after making 3 requests which route to the upstream with unsupported ciphers:
Logs: See description above.