When using a custom endpoint for hosting an Alexa skill, every time the skill is activated, Amazon (acting as a client) starts a TLS connection and offers a set of possible TLS v1.2 ciphers to the endpoint:
Notice, however, that all these ciphers are CBC.
So... if possible, it would be nice to update the Alexa client to also include all GCM variants of the ciphers.
PS: I found this problem when trying to deploy my own endpoint using a default nginx reverse proxy configuration. So this is actually something that can happen, and not some crazy scenario (also, it was a pain in the ass to debug :P )