SSL: error:0A000126:SSL routines::unexpected eof while reading
ID: networking/ssl-unexpected-eof-while-reading
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| OpenSSL 3.0.12 | active | — | — | — |
| GnuTLS 3.7.9 | active | — | — | — |
| Nginx 1.24.0 | active | — | — | — |
Root cause analysis
The remote server closed the TCP connection without completing the TLS handshake or data exchange, often due to a server crash, load balancer timeout, or a protocol mismatch (e.g., HTTP/2 server receiving HTTP/1.1 ClientHello).
Official documentation
https://www.openssl.org/docs/man3.0/man3/SSL_get_error.html
Solutions
- Retry the request with `curl -v --tlsv1.2 https://example.com` to force a specific TLS version, or use `openssl s_client -connect example.com:443 -debug` to inspect the exact point of failure.
- Check the server logs for TLS errors (e.g., Nginx error.log for 'SSL_shutdown() failed') and ensure the server is not behind a load balancer that prematurely closes idle connections.
- Add a retry mechanism with exponential backoff in the client code: `for i in 1 2 3; do curl -s https://example.com && break; sleep $((1 << i)); done`
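The retry advice above, as an added Python example (not part of the original entry): it retries a TLS handshake with exponential backoff only when the peer drops the connection, and keeps certificate verification on. The function names and the local peer that reads the ClientHello and then closes are constructed for illustration.

```python
import socket, ssl, threading, time

# Errors that mean "peer closed the connection early"; worth retrying.
RETRYABLE = (ssl.SSLEOFError, ConnectionResetError, BrokenPipeError)

def tls_handshake(host, port, timeout=3.0):
    """Open a TCP connection, complete the TLS handshake, return the version."""
    ctx = ssl.create_default_context()   # certificate verification stays on
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()

def handshake_with_backoff(host, port, attempts=3, base=1.0, sleep=time.sleep):
    """Return (tls_version or None, list of error names seen per attempt)."""
    log = []
    for n in range(attempts):
        try:
            return tls_handshake(host, port), log
        except RETRYABLE as exc:
            # SSLCertVerificationError is deliberately not caught here:
            # a retry cannot fix a certificate problem, so it propagates.
            log.append(type(exc).__name__)
            if n < attempts - 1:
                sleep(base * 2 ** n)     # 1s, 2s, 4s, ...
    return None, log

def start_dropping_server():
    """Constructed peer for the demo: reads the ClientHello, then closes."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.recv(4096)
                conn.close()
            except OSError:
                return                   # listener closed
    threading.Thread(target=serve, daemon=True).start()
    return srv

if __name__ == "__main__":
    srv = start_dropping_server()
    delays = []
    port = srv.getsockname()[1]
    print(handshake_with_backoff("127.0.0.1", port, sleep=delays.append), delays)
    srv.close()
```

Passing `sleep=delays.append` records the backoff schedule instead of waiting, which makes the retry policy easy to check in a unit test.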
Ineffective attempts
Common but ineffective approaches:
- 85% failure: This bypasses certificate validation but does not fix the underlying connection issue; the server is still closing the connection prematurely.
- 70% failure: The client library is rarely corrupt; the problem is server-side or network-layer (e.g., a proxy terminating the connection).
- 60% failure: If the server does not support TLS 1.3 or the protocol mismatch is due to ALPN, this will not help and may make things worse.