diff --git a/src/ngx_http_lua_ssl_client_helloby.c b/src/ngx_http_lua_ssl_client_helloby.c
index 26c84345d9..b92fc46b5d 100644
--- a/src/ngx_http_lua_ssl_client_helloby.c
+++ b/src/ngx_http_lua_ssl_client_helloby.c
@@ -707,6 +707,55 @@ ngx_http_lua_ffi_ssl_get_client_hello_ext_present(ngx_http_request_t *r,
 }
 
 
+int ngx_http_lua_ffi_ssl_get_client_hello_ciphers(ngx_http_request_t *r,
+    unsigned short *ciphers,  size_t ciphers_size, char **err)
+{
+    int                      i;
+    size_t                   ciphers_cnt;
+    size_t                   ciphersuites_bytes;
+    ngx_ssl_conn_t          *ssl_conn;
+    const unsigned char     *ciphers_raw;
+
+    if (r->connection == NULL || r->connection->ssl == NULL) {
+        *err = "bad request";
+        return NGX_ERROR;
+    }
+
+    ssl_conn = r->connection->ssl->connection;
+    if (ssl_conn == NULL) {
+        *err = "bad ssl conn";
+        return NGX_ERROR;
+    }
+
+
+#ifdef SSL_ERROR_WANT_CLIENT_HELLO_CB
+    ciphersuites_bytes = SSL_client_hello_get0_ciphers(ssl_conn, &ciphers_raw);
+
+    if (ciphersuites_bytes == 0) {
+        *err = "failed SSL_client_hello_get0_ciphers()";
+        return NGX_DECLINED;
+    }
+
+    if (ciphersuites_bytes % 2 != 0) {
+        *err = "SSL_client_hello_get0_ciphers() odd ciphersuites_bytes";
+        return NGX_DECLINED;
+    }
+
+    ciphers_cnt = ciphersuites_bytes / 2;
+    ciphers_cnt = ciphers_cnt > ciphers_size ? ciphers_size : ciphers_cnt;
+
+    for (i = 0 ; i < (int) ciphers_cnt ; i++) {
+        ciphers[i] = (ciphers_raw[i * 2] << 8) | ciphers_raw[i * 2 + 1];
+    }
+
+    return ciphers_cnt;
+#else
+    *err = "OpenSSL too old to support this function";
+    return NGX_ERROR;
+#endif
+}
+
+
 int
 ngx_http_lua_ffi_ssl_set_protocols(ngx_http_request_t *r,
     int protocols, char **err)