Operations 9 min read

Why Does curl Get Reset on HTTPS with Nginx? A Deep Dive into SSL Session Cache

After adding an HTTPS certificate to an Nginx server, browsers load the site fine but curl requests are reset; the article walks through network checks, cipher and buffer tweaks, a certificate swap, and ultimately shows that configuring the ssl_session_cache directive resolves the reset issue.

Liangxu Linux

Problem Description

After deploying an HTTPS certificate, browsers can access the site, but a curl request to the same URL is reset by the server.

Initial Checks

curl to the same host over HTTP works, confirming port 80 connectivity.

curl to other HTTPS virtual hosts on the same server works, confirming port 443 connectivity.

The certificate itself is valid and not expired (checked via myssl.com).

Attempted Fixes

Adjusted cipher suites to a more compatible list, but the reset persisted.

"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"

Increased client‑side buffers:

client_header_buffer_size 64k;
large_client_header_buffers 4 64k;
client_body_buffer_size 20m;
keepalive_timeout 120;

These changes did not stop the reset.

Certificate Change

Switched from an RSA certificate to an ECC certificate. curl then reported:

curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).

Investigation revealed that on Red Hat/CentOS the default curl build uses NSS, which disables ECC cipher suites by default. Specifying a compatible NSS cipher suite with --ciphers ecdhe_rsa_aes_128_gcm_sha_256 still produced the same reset, indicating that the certificate was not the cause.

Discovery: ssl_session_cache

Comparing this server block with the configuration of the other, working sites showed that it was the only one missing the ssl_session_cache directive. Adding it resolved the reset.

Explanation of the four possible values for ssl_session_cache:

off – disables session caching completely; nginx tells the client that sessions may not be reused.

none – "gentle" disabling: nginx tells the client that sessions may be reused, but does not actually store any session parameters.

builtin – uses the cache built into OpenSSL, which is private to a single worker process; its size is given in sessions and defaults to 20480.

shared – creates a shared memory zone (e.g., shared:SSL:10m) used by all worker processes; its size is given in bytes. This is the recommended form for performance.
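To catch this class of misconfiguration before a client does, here is an added audit script (not from the original article) that parses nginx server blocks and reports the effective ssl_session_cache value for every TLS-enabled vhost, including a value inherited from the http block; the sample config and hostnames are constructed for the example.

```python
import re

SAMPLE_CONF = """
http {
    server { listen 443 ssl; server_name broken.example.com; }   # constructed: mirrors the article's broken site
    server { listen 443 ssl; server_name ok.example.com; ssl_session_cache shared:SSL:10m; }
    server { listen 80; server_name plain.example.com; }
}
"""

def parse(text, pos=0):
    """Minimal nginx syntax parser: returns ([(name, args, children), ...], end_pos)."""
    items = []
    while True:
        pos += re.match(r'\s*', text[pos:]).end()
        if pos >= len(text) or text[pos] == '}':
            return items, pos + 1
        m = re.match(r'([^\s{};]+)((?:\s+[^\s{};]+)*)\s*([;{])', text[pos:])
        if not m:
            raise ValueError(f'unparseable directive at offset {pos}')
        pos += m.end()
        children, pos = parse(text, pos) if m.group(3) == '{' else ([], pos)
        items.append((m.group(1), m.group(2).split(), children))

def effective(items, name, inherited=None):
    """Args of `name` in this block, else the value inherited from the enclosing block."""
    return next((args for n, args, _ in items if n == name), inherited)

def verdict(cache):
    """Classify an ssl_session_cache argument list (None means the directive is absent)."""
    if cache is None:
        return 'missing (nginx default is none: sessions are not stored)'
    if cache[0] in ('off', 'none'):
        return cache[0] + ' (session reuse disabled)'
    shared = any(a.startswith('shared:') for a in cache)
    return 'shared (' + ' '.join(cache) + ')' if shared else 'builtin (per-worker only)'

def audit(conf):
    """Map each TLS-enabled server_name to a verdict on its effective ssl_session_cache."""
    tree, _ = parse(re.sub(r'#[^\n]*', '', conf))  # strip comments before parsing
    report = {}
    for _, _, http in (b for b in tree if b[0] == 'http'):
        http_cache = effective(http, 'ssl_session_cache')  # inherited by server blocks
        for _, _, srv in (b for b in http if b[0] == 'server'):
            tls = any('ssl' in a for n, a, _ in srv if n == 'listen') or effective(srv, 'ssl') == ['on']
            if tls:  # plain-HTTP vhosts are skipped: the directive is irrelevant there
                name = (effective(srv, 'server_name') or ['?'])[0]
                report[name] = verdict(effective(srv, 'ssl_session_cache', http_cache))
    return report

if __name__ == '__main__':
    for host, result in audit(SAMPLE_CONF).items():
        print(f'{host}: {result}')
```

Run it against the output of `nginx -T` to audit a live configuration rather than the embedded sample.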

Additional Reference

Common nginx error messages related to upstream and SSL issues are listed for quick diagnosis (e.g., “upstream prematurely closed connection”, “recv() failed (104: Connection reset by peer)”, “SSL_do_handshake() failed”, etc.).

Image showing successful connection after adding ssl_session_cache
Tags: Troubleshooting, Nginx, curl, HTTPS, SSL, ssl_session_cache
Written by Liangxu Linux

Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
