When using the option:
It's possible to get suites that aren't supported by the underlying crypto lib.
According to the docs (https://erlang.org/doc/man/ssl.html#type-cipher_suites), this appears to be the way to increase compatibility with older servers, but it can lead to failed connections if a suite is negotiated that isn't actually supported.
When the ciphers option is left blank, the default behaviour is to filter suites:
And when the deprecated /1 arity method is used, that's also filtered:
It would make sense IMO to either use available_suites instead of supported_suites in ssl:cipher_suites/2,3 or to document that ssl_cipher:filter_suites should be used manually when asking for all tlsv1.2 ciphers.
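
An added example, not part of the original report or of OTP's own code: one way to do the manual filtering suggested above, using the documented ssl:filter_cipher_suites/2 rather than the internal ssl_cipher module. It assumes that function applies ssl's crypto-support filters even when given an empty filter list; the module name tls12_suites, its function names and the CA file argument are hypothetical.

```erlang
%% Added example (hypothetical module), not code from the report or from OTP.
-module(tls12_suites).
-export([usable/0, dropped/0, connect/3]).

%% Every TLS 1.2 suite the ssl application knows about. As the report
%% describes, this list can contain suites that the linked crypto
%% library does not implement.
all_suites() ->
    ssl:cipher_suites(all, 'tlsv1.2').

%% Assumption: with an empty filter list, ssl:filter_cipher_suites/2
%% still runs ssl's built-in crypto-support filters, so only suites the
%% local crypto library can actually perform are kept.
usable() ->
    ssl:filter_cipher_suites(all_suites(), []).

%% Suites that would have been offered to the peer but could not be
%% completed locally. Worth logging once at startup, because a non-empty
%% result is exactly the condition that produces failed handshakes.
dropped() ->
    all_suites() -- usable().

%% Connect offering only the filtered list. CACertFile is a path to the
%% trusted CA bundle supplied by the caller.
connect(Host, Port, CACertFile) ->
    {ok, _} = application:ensure_all_started(ssl),
    Opts = [{versions, ['tlsv1.2']},
            {ciphers, usable()},
            {verify, verify_peer},
            {cacertfile, CACertFile}],
    ssl:connect(Host, Port, Opts, 5000).
```

Comparing length(tls12_suites:dropped()) across build hosts shows which ones were linked against a crypto library that lacks some of the suites.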