Kevin,
I reproduced this error on renegotiation. Could this be the cause of all those handshake errors:
openssl s_client -connect x.x.x.x:443
CONNECTED(00000003)
depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2008 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA - G3
verify return:1
depth=1 C = US, O = "thawte, Inc.", CN = thawte SHA256 SSL CA
verify return:1
[Removed a bunch of stuff here]
SSL handshake has read 2983 bytes and written 442 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 82F80492D73C79776AC0FCEE3C8520FF237E79DB979BCBFFB62633FD0E15700F
Session-ID-ctx:
Master-Key: D36B850714E6F95E22DA3653F9410D7F10F8DE29A1BD889602DA27D28006D9258895C0777B361BAF6AE506B983CCF9F9
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1448044924
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
R
RENEGOTIATING
2283136:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1472:SSL alert number 40
2283136:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:656:
What do you think?