The insufficient_security alert (TLS alert code 71) is sent when a handshake fails because the cipher suites (or, in TLS 1.3, the other negotiated parameters) offered by the peer are recognised but do not meet the receiver's minimum security policy. It is always fatal. It is distinct from handshake_failure (alert 40): handshake_failure means no common parameters could be found at all, whereas insufficient_security means the server understood the client's offer and deliberately refused it as too weak; RFC 5246 and RFC 8446 define it as the alert "returned instead of handshake_failure" for exactly this case. Common triggers are ephemeral DH groups below the minimum size (for example, less than 1024 bits), deprecated algorithms (RC4, MD5, or SHA-1 for signatures), and cipher suites without forward secrecy on a server that requires it.
The client's TLS configuration only offers cipher suites that the server's policy rejects. This happens with very old clients that only support DES, RC4, or export-grade ciphers, all of which modern servers refuse.
The server's DHE (ephemeral Diffie-Hellman) key exchange uses DH parameters smaller than 1024 bits. Java 8 and later reject such groups by default (the jdk.tls.disabledAlgorithms security property includes "DH keySize < 1024"), and browsers have done the same since the Logjam fixes, so the client aborts the handshake rather than accept the weak group.
The server is configured with a very restrictive cipher policy (e.g., only AEAD ciphers with PFS) and the client does not support any of them. Government or financial systems often have strict cipher requirements.
Enumerate the server's supported cipher suites and compare them against what the client offers; the intersection must contain at least one suite that both sides' policies accept. The nmap ssl-enum-ciphers script also prints the key exchange strength for each suite (for example "dh 1024"), which exposes the weak-parameter case directly.
nmap --script ssl-enum-ciphers -p 443 yourdomain.com
Attempt a connection offering only strong, modern cipher suites to verify the server accepts them. Note that -cipher governs TLS 1.2 and earlier only; TLS 1.3 suites are selected with -ciphersuites, so a TLS 1.3 server may still negotiate a 1.3 suite regardless of the -cipher list. Reading from /dev/null stops s_client waiting on stdin after the handshake.
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -cipher 'ECDHE+AESGCM:ECDHE+CHACHA20' </dev/null 2>&1 | grep -E 'Cipher is|alert'
Update the client's cipher suite list to include modern suites. For Java applications, update the JDK or set the enabled suites explicitly, either with the jdk.tls.client.cipherSuites system property or with SSLParameters.setCipherSuites in code; the javax.net.ssl.* system properties only configure key and trust stores, not cipher suites.
If the server uses DHE key exchange, verify the DH parameters are at least 2048 bits and regenerate them if they are smaller. The Server Temp Key line printed by openssl s_client shows the negotiated ephemeral group: "DH, N bits" for DHE, or ECDH, X25519 or X448 for ECDHE. The line is absent when the handshake failed or when a static RSA key exchange was used.
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com </dev/null 2>/dev/null | grep 'Server Temp Key'
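The diagnostic steps above (probe with a restricted cipher list, classify the resulting alert, inspect the ephemeral key) wrapped in one script. This is an added example and not code from the original page; it assumes OpenSSL 1.1.1 or later for the "Server Temp Key" and "SSL alert number N" output formats it parses, and takes host, port and cipher list as arguments. The sample transcripts at the bottom are constructed, not captured from any real server, and are what the script runs against when no host is given.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): run the openssl s_client checks
# above and classify the outcome. Assumes OpenSSL 1.1.1+ output formats.

# Minimum acceptable finite-field DH group size in bits (assumption, matching
# the 2048-bit remediation advice above).
MIN_DH_BITS=2048

# temp_key_verdict TRANSCRIPT
# Reads the "Server Temp Key: ..." line of an s_client transcript and prints
# ok | weak-dh | none | unknown.
temp_key_verdict() {
  local line kex bits
  line=$(printf '%s\n' "$1" | grep -m1 'Server Temp Key:') || { echo none; return; }
  # Formats seen in practice:
  #   Server Temp Key: DH, 1024 bits
  #   Server Temp Key: ECDH, P-256, 256 bits
  #   Server Temp Key: X25519, 253 bits
  kex=$(printf '%s' "$line" | sed -E 's/.*Temp Key: ([^,]+),.*/\1/')
  bits=$(printf '%s' "$line" | sed -E 's/.* ([0-9]+) bits.*/\1/')
  case "$bits" in ''|*[!0-9]*) echo unknown; return ;; esac
  case "$kex" in
    DH)               [ "$bits" -ge "$MIN_DH_BITS" ] && echo ok || echo weak-dh ;;
    ECDH|X25519|X448) echo ok ;;   # curve strength is fixed by the group name
    *)                echo unknown ;;
  esac
}

# alert_verdict TRANSCRIPT
# Separates the server-sent alerts discussed on this page from the case where
# this OpenSSL client itself refused a weak DH group ("dh key too small").
alert_verdict() {
  local t="$1"
  if   printf '%s\n' "$t" | grep -q 'SSL alert number 71'; then
    echo "insufficient_security (71): server recognised the offered suites but its policy considers them too weak"
  elif printf '%s\n' "$t" | grep -q 'SSL alert number 40'; then
    echo "handshake_failure (40): no cipher suite in common"
  elif printf '%s\n' "$t" | grep -q 'SSL alert number 70'; then
    echo "protocol_version (70): offered TLS version not supported by the server"
  elif printf '%s\n' "$t" | grep -qi 'dh key too small'; then
    echo "local rejection: this client refused the server's DH group (OpenSSL security level)"
  elif printf '%s\n' "$t" | grep -q 'Cipher is (NONE)'; then
    echo "handshake failed without a recognised alert"
  elif printf '%s\n' "$t" | grep -q 'Cipher is '; then
    printf 'negotiated: %s\n' "$(printf '%s\n' "$t" | sed -n 's/.*Cipher is //p' | head -n 1)"
  else
    echo "no handshake result in transcript"
  fi
}

# probe HOST [PORT] [CIPHERS]
# -cipher constrains TLS 1.2 and earlier only; TLS 1.3 suites are chosen with
# -ciphersuites, so both are passed to make the offered set explicit.
probe() {
  local host="$1" port="${2:-443}" ciphers="${3:-ECDHE+AESGCM:ECDHE+CHACHA20}" out
  out=$(openssl s_client -connect "$host:$port" -servername "$host" \
          -cipher "$ciphers" \
          -ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256' \
          </dev/null 2>&1) || true   # a failed handshake is a result, not a script error
  alert_verdict "$out"
  printf 'ephemeral key: %s\n' "$(temp_key_verdict "$out")"
}

# Constructed sample transcripts (not captured from a real host), used when the
# script is run without a host argument.
SAMPLE_WEAK_DH='CONNECTED(00000003)
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Server Temp Key: DH, 1024 bits'
SAMPLE_MODERN='CONNECTED(00000003)
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server Temp Key: X25519, 253 bits'
SAMPLE_ALERT71='CONNECTED(00000003)
SSL routines:ssl3_read_bytes:tlsv1 alert insufficient security:SSL alert number 71
New, (NONE), Cipher is (NONE)'

if [ -n "${1:-}" ]; then
  probe "$@"
else
  for s in "$SAMPLE_WEAK_DH" "$SAMPLE_MODERN" "$SAMPLE_ALERT71"; do
    alert_verdict "$s"
    printf 'ephemeral key: %s\n\n' "$(temp_key_verdict "$s")"
  done
fi
```

Run it as ./tls-probe.sh yourdomain.com to test the live host. A current OpenSSL client refuses DH groups below its own security level (1024 bits at level 1, 2048 at level 2) before printing the Server Temp Key line, so to see what the server actually offers pass a third argument such as 'DEFAULT:@SECLEVEL=0'. A weak-dh verdict means the server side needs new parameters: openssl dhparam -out dhparam.pem 2048, then point the server at the file (ssl_dhparam in nginx, SSLOpenSSLConfCmd DHParameters in Apache).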
The browser and server could not agree on a supported SSL/TLS version or cipher suite.
The TLS handshake could not be completed because the client and server failed to negotiate acceptable security parameters.
The TLS protocol version offered by the client is not supported by the server.