
Why Does curl Reset on HTTPS with Nginx? A Deep Dive into SSL Session Cache Fix

This article walks through a real‑world case where HTTPS requests made with curl are reset on an Nginx server, detailing the step‑by‑step investigation, configuration tweaks—including client buffers and SSL session cache—and the final resolution that restores successful connections.

Efficient Ops

Problem Description

After adding an HTTPS certificate, the website works in browsers but curl requests are reset.

Investigation

HTTP requests to the same domain work, and other HTTPS domains on the server also work, confirming that ports 80 and 443 are reachable. The certificate is valid and not expired.

Different cipher suites were tried without success. A packet capture with tcpdump/Wireshark showed that the reset occurs after the first ACK of data transmission.

Client‑side buffer settings in Nginx were adjusted:

client_header_buffer_size 64k;
large_client_header_buffers 4 64k;
client_body_buffer_size 20m;
keepalive_timeout 120;

The issue persisted.

Switching to an ECC certificate caused curl to report "Cannot communicate securely with peer: no common encryption algorithm". It was discovered that on RedHat/CentOS curl uses the NSS library, which disables ECC by default. Specifying a cipher list with curl --ciphers ecdhe_rsa_aes_128_gcm_sha_256 ... did not resolve the problem.

Breakthrough

Comparing the Nginx configuration with other sites revealed a missing ssl_session_cache directive. Adding this directive eliminated the reset.

Explanation of ssl_session_cache options:

off – disables session cache entirely.

none – disables storing sessions, though the client may think caching is possible.

builtin – uses an in‑process cache per worker; default size is 20 480 sessions.

shared – creates a cache shared among all workers; size is specified in bytes (e.g., 1 MB stores ~4 000 sessions) and is recommended for better performance.

Recommendation: use the shared option for optimal performance.
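To make the fix above checkable rather than a one-off edit, here is a small added audit script (not code from the original article or from the Nginx project) that scans an Nginx configuration for TLS server blocks and reports whether each one sets ssl_session_cache, flagging the shared form as the recommended one and estimating the zone's capacity with the ~4 000-sessions-per-MB rule quoted above. The two embedded configurations are constructed samples: the "before" block reproduces the state that produced the resets (buffer tweaks present, no session cache), the "after" block adds shared:SSL:10m; the hostname example.test and the certificate paths are placeholders. The script only inspects server blocks, so a directive inherited from the http context must be checked separately.

```python
import re

SESSIONS_PER_MB = 4000  # rule of thumb from the nginx docs (1 MB ~ 4000 sessions)

# Constructed sample: the state described in the article, before the fix.
BEFORE_CONF = """
server {
    listen 443 ssl;
    server_name example.test;
    ssl_certificate     /etc/nginx/ssl/example.test.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/example.test.key;   # placeholder path
    client_header_buffer_size 64k;
    large_client_header_buffers 4 64k;
    client_body_buffer_size 20m;
    keepalive_timeout 120;
    location / { proxy_pass http://127.0.0.1:8080; }
}
"""

# Constructed sample: the same vhost with the shared session cache added.
AFTER_CONF = """
server {
    listen 443 ssl;
    server_name example.test;
    ssl_certificate     /etc/nginx/ssl/example.test.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/example.test.key;   # placeholder path
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
    location / { proxy_pass http://127.0.0.1:8080; }
}
"""


def server_blocks(conf):
    """Return the body of every server { ... } block.

    Braces are counted so nested location { } blocks do not end a block early.
    """
    blocks = []
    for m in re.finditer(r"\bserver\s*{", conf):
        depth = 0
        for i in range(m.end() - 1, len(conf)):
            if conf[i] == "{":
                depth += 1
            elif conf[i] == "}":
                depth -= 1
                if depth == 0:
                    blocks.append(conf[m.end():i])
                    break
    return blocks


def directives(block, name):
    """Return the argument strings of every `name ...;` directive in a block."""
    return [v.strip() for v in
            re.findall(r"(?m)^\s*" + re.escape(name) + r"\s+([^;]+);", block)]


def shared_cache_sessions(value):
    """Estimate how many sessions a shared:NAME:SIZE zone holds (~4000 per MB)."""
    m = re.search(r"shared:[A-Za-z0-9_]+:(\d+)([kKmM]?)", value)
    if not m:
        return None
    size_bytes = int(m.group(1)) * {"": 1, "k": 1024, "m": 1024 * 1024}[m.group(2).lower()]
    return size_bytes * SESSIONS_PER_MB // (1024 * 1024)


def audit(conf):
    """One finding per TLS-enabled server block; ok=True only for a shared cache."""
    findings = []
    for block in server_blocks(conf):
        if not any(re.search(r"\bssl\b", l) for l in directives(block, "listen")):
            continue  # plain-HTTP vhost: session cache does not apply
        cache = directives(block, "ssl_session_cache")
        value = cache[0] if cache else None
        findings.append({
            "server_name": (directives(block, "server_name") or [None])[0],
            "ssl_session_cache": value,
            "estimated_sessions": shared_cache_sessions(value) if value else None,
            "ok": bool(value and "shared:" in value),
        })
    return findings


if __name__ == "__main__":
    for label, conf in (("before", BEFORE_CONF), ("after", AFTER_CONF)):
        for finding in audit(conf):
            print(label, finding)
```

Run it against the real file with `audit(open("/etc/nginx/nginx.conf").read())` after resolving any `include` lines yourself; a server block that reports `ok: False` is the one that needs the `ssl_session_cache shared:...` line.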

Additional Common Nginx Error Log Messages

upstream prematurely closed connection

recv() failed (104: Connection reset by peer)

(111: Connection refused) while connecting to upstream

(110: Connection timed out) while reading response header from upstream

SSL_do_handshake() failed

ngx_slab_alloc() failed: no memory in SSL session shared cache
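Those messages are easier to act on when they are counted rather than read one at a time. The following added script (not from the original article or the Nginx project) runs a small rule table over nginx error-log lines, tallies each of the messages listed above and attaches a one-line hint for what to check; the hints are general guidance added here, not findings from the article's own case. The log lines are constructed samples in nginx's error-log format, with placeholder client addresses and hostnames.

```python
import re
from collections import Counter

# Constructed sample error-log lines; addresses, hosts and upstreams are placeholders.
SAMPLE_LOG = """\
2024/01/01 10:00:01 [error] 1234#0: *1 upstream prematurely closed connection while reading response header from upstream, client: 192.0.2.10, server: example.test, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:8080/"
2024/01/01 10:00:02 [error] 1234#0: *2 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 192.0.2.11, server: example.test
2024/01/01 10:00:03 [error] 1234#0: *3 connect() failed (111: Connection refused) while connecting to upstream, client: 192.0.2.12, server: example.test, upstream: "http://127.0.0.1:8080/"
2024/01/01 10:00:04 [error] 1234#0: *4 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 192.0.2.13, server: example.test
2024/01/01 10:00:05 [crit] 1234#0: *5 SSL_do_handshake() failed (SSL: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher) while SSL handshaking, client: 192.0.2.14, server: 0.0.0.0:443
2024/01/01 10:00:06 [crit] 1234#0: ngx_slab_alloc() failed: no memory in SSL session shared cache "SSL"
2024/01/01 10:00:07 [notice] 1234#0: signal process started
"""

# (category, regex matched against the message, hint).  Order matters: the first
# matching rule wins, so the more specific TLS rules come before the upstream ones.
RULES = [
    ("ssl_session_cache_full", r"no memory in SSL session shared cache",
     "shared ssl_session_cache zone is full: raise its size or shorten ssl_session_timeout"),
    ("tls_handshake_failed", r"SSL_do_handshake\(\) failed",
     "client and server agreed on no protocol/cipher: compare ssl_protocols and ssl_ciphers with the client"),
    ("upstream_closed", r"upstream prematurely closed connection",
     "backend closed the socket before a full response: check backend logs and its own timeouts"),
    ("upstream_reset", r"\(104: Connection reset by peer\)",
     "peer sent a TCP RST: check the backend process and any firewall between nginx and it"),
    ("upstream_refused", r"\(111: Connection refused\)",
     "nothing is listening on the upstream address: check the backend is up and the proxy_pass target"),
    ("upstream_timeout", r"\(110: Connection timed out\)",
     "upstream did not answer in time: check proxy_connect_timeout / proxy_read_timeout and backend load"),
]

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] \d+#\d+: (?:\*\d+ )?(?P<msg>.*)$")


def parse_line(line):
    """Split one error-log line into timestamp, level and message; None if malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(message):
    """Return the category of a log message, or None if no rule matches."""
    for name, pattern, _ in RULES:
        if re.search(pattern, message):
            return name
    return None


def summarize(log_text):
    """Count matched categories across all lines of a log."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        category = classify(rec["msg"])
        if category:
            counts[category] += 1
    return counts


def report(log_text):
    """Return (category, count, hint) rows for every category seen, most frequent first."""
    hints = {name: hint for name, _, hint in RULES}
    return [(name, n, hints[name]) for name, n in summarize(log_text).most_common()]


if __name__ == "__main__":
    for name, n, hint in report(SAMPLE_LOG):
        print(f"{n:4d}  {name:24s}  {hint}")
```

Feed it a real log with `report(open("/var/log/nginx/error.log").read())`; a non-zero `ssl_session_cache_full` count is the signal that the shared zone chosen in the fix above is too small for the site's connection rate.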

Tips

tcpdump can capture packets; use Wireshark for detailed analysis.

ECC certificates are smaller and faster than RSA certificates; they are recommended when supported.

Tags: operations, Troubleshooting, HTTPS, SSL, ssl_session_cache
Written by

Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
