
Why Does curl Reset on Nginx HTTPS? A Step‑by‑Step Diagnosis and Fix

After adding an HTTPS certificate to an Nginx site, browsers load the page fine but curl requests are reset; this article walks through network tests, configuration tweaks, packet captures, and the eventual discovery that enabling ssl_session_cache resolves the issue.

Liangxu Linux

After deploying an HTTPS certificate on a website, the author observed that browsers could access the site normally, but a curl request to the same URL was reset (the original article includes a screenshot of the failed request).

Initial Checks

The author verified that:

HTTP requests on port 80 succeeded, confirming basic network connectivity.

HTTPS requests to other domains on the same server succeeded, proving that port 443 was reachable.

The certificate was valid and not expired (checked via myssl.com).

Cipher Suite Experiments

Various compatible cipher suites were added to the Nginx configuration, but curl still reset the connection.

"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"

Packet Capture

Using tcpdump and Wireshark, the author captured the handshake. Sixteen packets were exchanged; after the handshake, the first ACK of the data transmission was answered with a reset. The capture is shown below:

[Figure: Wireshark capture showing the reset]

Buffer Settings

To rule out buffer limits, the following Nginx directives were added:

client_header_buffer_size 64k;
large_client_header_buffers 4 64k;
client_body_buffer_size 20m;
keepalive_timeout 120;

These changes did not affect the outcome.

Switching to an ECC Certificate

Replacing the RSA certificate with an ECC one produced a new error:

curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).

Research revealed that on Red Hat/CentOS, curl is built against the NSS library, which disables ECC by default. Specifying a cipher list explicitly (e.g., curl --ciphers ecdhe_rsa_aes_128_gcm_sha_256 …) still resulted in the same reset, indicating the issue was not certificate‑related.

Discovery: Missing ssl_session_cache

Comparing the server’s configuration with a working site showed the absence of the ssl_session_cache directive. Adding it resolved the reset problem, as confirmed by a successful curl request.

The Nginx documentation lists four possible values for ssl_session_cache:

off : disables session caching.

none : tells the client a cache may be used but does not store sessions.

builtin : uses an internal OpenSSL cache per worker (default ~20 000 sessions).

shared : creates a shared memory cache; size is specified in bytes (1 MiB ≈ 4000 sessions). Recommended for performance.
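As an added example (not configuration from the original article), a minimal HTTPS server block with the ssl_session_cache directive the author found missing; the server_name and certificate paths are placeholders:

```nginx
# Added example, not the article's own configuration.
# server_name and certificate paths are placeholders; replace them.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    # The directive whose absence caused the resets described above.
    # "shared" makes the cache visible to every worker process; at the
    # roughly 4000 sessions per MiB cited by the Nginx docs, 10m holds
    # about 40 000 sessions. Omitting this line (or setting it to "off")
    # is the configuration the author started from.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    # Restrict negotiation to current protocol versions.
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        root /var/www/example.com;   # placeholder document root
    }
}
```

After `nginx -t` and a reload, `openssl s_client -connect example.com:443 -reconnect` reconnects several times with the same session ID and reports each attempt as New or Reused, which confirms that the cache is in effect.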

Why the Reset Occurred

Further packet analysis showed that, unlike the successful case, the failing handshake included a Server Key Exchange message, which indicates a (EC)Diffie‑Hellman key exchange as part of a full handshake rather than a resumed session. When the server’s ssl_session_cache was too small or missing, the handshake could not complete, leading to the reset.

Common Nginx Error Messages

For reference, the original article lists twenty typical Nginx error log entries and their meanings, covering upstream connection failures, timeouts, SSL handshake errors, and session cache problems.

Additional Tips

Use tcpdump for packet capture; analyze with Wireshark.

ECC certificates use smaller keys and give faster handshakes than RSA, and are recommended when client support is available.

By ensuring ssl_session_cache is properly configured, the HTTPS connection works for both browsers and command‑line tools like curl.

Written by Liangxu Linux

Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge: fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc.
