networking network_error ai_generated partial

SSL: error:0A000126:SSL routines::unexpected eof while reading

ID: networking/ssl-unexpected-eof-while-reading

Fix Rate: 82%
Confidence: 86%
Evidence: 1
First Seen: 2024-05-18

Version Compatibility

| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| OpenSSL 3.0.12 | active | | | |
| GnuTLS 3.7.9 | active | | | |
| Nginx 1.24.0 | active | | | |

Root Cause

The remote server closed the TCP connection without completing the TLS handshake or data exchange. Common causes are a server crash, a load balancer timeout, or a protocol mismatch (e.g., an HTTP/2 server receiving a ClientHello from an HTTP/1.1 client).


Official Documentation

https://www.openssl.org/docs/man3.0/man3/SSL_get_error.html

Workarounds

  1. (85% success) Retry the request with `curl -v --tlsv1.2 --tls-max 1.2 https://example.com` to force a specific TLS version, or use `openssl s_client -connect example.com:443 -debug` to inspect the exact point of failure.
  2. (80% success) Check the server logs for TLS errors (e.g., Nginx error.log for 'SSL_shutdown() failed') and ensure the server is not behind a load balancer that prematurely closes idle connections.
  3. (75% success) Add a retry mechanism with exponential backoff in the client code: `for i in 1 2 3; do curl -s https://example.com && break; sleep $((1 << i)); done`
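
The retry workaround as a reusable function. This is an added example, not code from the original page. It assumes curl reports the dropped connection as exit code 35 (SSL connect error) or 56 (failure receiving network data), and it treats every other failure, such as 60 (certificate not trusted), as non-retryable. `FETCH` and `SLEEP` are hypothetical hooks introduced here so the loop can be exercised without a network.

```shell
#!/bin/sh
# Added example (not from the original page): retry a TLS request with
# exponential backoff, but only for failures that look like a dropped connection.
# FETCH and SLEEP are hypothetical hooks so the loop can be exercised offline.
: "${FETCH:=curl -sS}"
: "${SLEEP:=sleep}"

# fetch_with_backoff URL [MAX_ATTEMPTS]
# Returns 0 on success, otherwise the exit code of the last attempt.
fetch_with_backoff() {
    url=$1
    max=${2:-4}
    delay=1
    attempt=1
    while :; do
        # "&& ... ||" keeps the loop alive when the caller uses `set -e`.
        $FETCH "$url" && rc=0 || rc=$?
        case $rc in
            0) return 0 ;;
            35|56) ;;            # SSL connect error / receive failure: retry
            *) return "$rc" ;;   # e.g. 60 (untrusted certificate): fail fast;
                                 # disabling validation would not fix the close
        esac
        if [ "$attempt" -ge "$max" ]; then
            echo "giving up on $url after $attempt attempts (curl exit $rc)" >&2
            return "$rc"
        fi
        echo "attempt $attempt failed (curl exit $rc); retrying in ${delay}s" >&2
        $SLEEP "$delay"
        delay=$((delay * 2))     # 1, 2, 4, ... seconds
        attempt=$((attempt + 1))
    done
}

# Example: fetch_with_backoff https://example.com 4
```

A non-zero return that is neither 35 nor 56 points away from the premature-close problem and should be investigated on its own.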


Dead Ends

Common approaches that don't work:

  1. 85% fail

    This bypasses certificate validation but does not fix the underlying connection issue; the server is still closing the connection prematurely.

  2. 70% fail

    The client library is rarely corrupt; the problem is server-side or network-layer (e.g., a proxy terminating the connection).

  3. 60% fail

    If the server does not support TLS 1.3 or the protocol mismatch is due to ALPN, this will not help and may make things worse.