If only I could see some sort of debug messaging to understand why this is sometimes and not all the time.
Very likely because you are using the round-robin server address. This means that you are cycling through different servers on the EFnet network, some of which are using out-of-date ciphers and protocols.
Why doesn't mIRC at least tell me the SSL cipher the server is demanding I use, or is capable of using, or that I attempted to use but failed.
The server chooses from the cipher list that the client presents. If the server can't find anything it likes, it returns an error. The only way to know what the server supports is for the client to build a list of ciphers it supports internally and to connect to the server using each one individually to see which are accepted or rejected.
mIRC's set of allowable ciphers and protocols is set at such a low level, to allow connections to old IRC servers that have not been updated in years, that if the server you are trying to connect to is not accepting them, you may as well not be using SSL.
That is the reason why mIRC's server list does not include SSL servers for EFNet.
mIRC should really be using a stricter default cipher list. As I mentioned here
, the cipher list was last updated in 2014.
It is on my to-do list to review the default cipher list, as well as the servers list, to determine which networks are acceptable for use with SSL.