TLS configuration is notoriously difficult for our customers to debug and diagnose. At present, the cipher suite selection log is too simple to be useful for debugging. For every refused cipher suite, we can log the reason. There are many "return false" statements in the cipher suite selection code; at each one we can add a log message giving the reason for returning false.
The debug logging may become more verbose, but it is worth the effort, as TLS/DTLS is getting more complicated and harder to debug.
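
A sketch of the pattern proposed above, added here as an illustration and not taken from the project's code: every refusal path returns a reason string instead of a bare false, and the selector logs it. The suite table, the version encoding, the logger name and all function names are constructed assumptions.

```python
import logging
from dataclasses import dataclass
from typing import Optional

log = logging.getLogger("tls.suite_selection")  # hypothetical logger name

@dataclass(frozen=True)
class Suite:
    name: str
    min_version: int          # 12 = TLS 1.2, 13 = TLS 1.3 (simplified encoding)
    max_version: int
    key_type: Optional[str]   # server key type required; None for TLS 1.3 suites

# Constructed, simplified suite table in server preference order.
PREFERENCE = [
    Suite("TLS_AES_128_GCM_SHA256", 13, 13, None),
    Suite("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 12, 12, "EC"),
    Suite("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 12, 12, "RSA"),
    Suite("TLS_RSA_WITH_AES_128_CBC_SHA", 10, 12, "RSA"),
]

def refusal_reason(suite, version, offered, key_types, disabled):
    """Return why the suite is refused, or None if it is acceptable."""
    if suite.name in disabled:
        return "disabled by local policy"
    if suite.name not in offered:
        return "not offered by the client"
    if not suite.min_version <= version <= suite.max_version:
        return f"not defined for negotiated protocol version {version}"
    if suite.key_type is not None and suite.key_type not in key_types:
        return f"no server credential with key type {suite.key_type}"
    return None

def select_suite(version, offered, key_types, disabled=frozenset()):
    """Pick the first acceptable suite; log and collect every refusal reason."""
    refusals = {}
    for suite in PREFERENCE:
        reason = refusal_reason(suite, version, offered, key_types, disabled)
        if reason is None:
            log.debug("selected %s", suite.name)
            return suite.name, refusals
        refusals[suite.name] = reason
        log.debug("refused %s: %s", suite.name, reason)
    log.debug("no cipher suite in common; %d refused", len(refusals))
    return None, refusals
```

With the logger set to DEBUG, a failed negotiation produces one line per refused suite naming the check that rejected it, which is the information a bare false discards.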