# SSL: error:0A000126:SSL routines::unexpected eof while reading

- **ID:** `networking/ssl-unexpected-eof-while-reading`
- **Domain:** networking
- **Category:** network_error
- **Verification:** ai_generated
- **Fix Rate:** 82%

## Root Cause

The remote server closed the TCP connection without completing the TLS handshake or data exchange, often due to a server crash, a load balancer timeout, or a protocol mismatch (e.g., an HTTP/2 server receiving a ClientHello from an HTTP/1.1 client).

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| OpenSSL 3.0.12 | active | — | — |
| GnuTLS 3.7.9 | active | — | — |
| Nginx 1.24.0 | active | — | — |

## Workarounds

1. **Retry the request with `curl` to force a specific TLS version, or use `openssl s_client` with `-debug` to inspect the exact point of failure.** (85% success)
   ```
   curl -v --tlsv1.2 https://example.com
   openssl s_client -connect example.com:443 -debug
   ```
2. **Check the server logs for TLS errors (e.g., Nginx error.log for 'SSL_shutdown() failed') and ensure the server is not behind a load balancer that prematurely closes idle connections.** (80% success)
3. **Add a retry mechanism with exponential backoff in the client code.** (75% success)
   ```
   delay=2; for i in 1 2 3; do curl -s https://example.com && break; sleep "$delay"; delay=$((delay * 2)); done
   ```
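
The root cause distinguishes a connection dropped during the TLS handshake from one dropped during data exchange. The following added example (not part of the original entry) reports which stage failed. `probe` and `closing_listener` are hypothetical names, and the listener is a constructed local stand-in for a server that hangs up mid-handshake.

```python
import socket
import ssl
import threading

def probe(host, port, ctx, timeout=5.0):
    """Return (stage, detail) naming the phase in which the connection died."""
    stage = "tcp_connect"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            stage = "tls_handshake"
            # suppress_ragged_eofs=False: surface a missing close_notify as an
            # error instead of letting recv() quietly return b"".
            with ctx.wrap_socket(raw, server_hostname=host,
                                 suppress_ragged_eofs=False) as tls:
                stage = "data_exchange"
                tls.sendall(b"HEAD / HTTP/1.1\r\nHost: " + host.encode()
                            + b"\r\nConnection: close\r\n\r\n")
                tls.recv(1024)
                return "ok", tls.version()
    except ssl.SSLError as exc:
        eof = isinstance(exc, ssl.SSLEOFError) or "UNEXPECTED_EOF" in str(exc)
        return stage, ("unexpected EOF: " if eof else "TLS error: ") + str(exc)
    except (ConnectionResetError, BrokenPipeError) as exc:
        return stage, "TCP reset: " + str(exc)
    except OSError as exc:
        return stage, "socket error: " + str(exc)

def closing_listener():
    """Constructed stand-in: accepts, reads the ClientHello, then hangs up."""
    srv = socket.create_server(("127.0.0.1", 0))
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.recv(16384)  # drain the ClientHello so close() sends FIN, not RST
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    ctx = ssl.create_default_context()
    print(probe("127.0.0.1", closing_listener(), ctx))
```

A `tls_handshake` result points at the listener, proxy or load balancer in front of the server. A `data_exchange` result points at idle timeouts or a backend that closes without sending `close_notify`.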

## Dead Ends

- **** — This bypasses certificate validation but does not fix the underlying connection issue; the server is still closing the connection prematurely. (85% fail)
- **** — The client library is rarely corrupt; the problem is server-side or network-layer (e.g., a proxy terminating the connection). (70% fail)
- **** — If the server does not support TLS 1.3 or the protocol mismatch is due to ALPN, this will not help and may make things worse. (60% fail)
