ssl_error_rx_record_too_long occurs when the TLS implementation receives data that it interprets as a TLS record with a length field exceeding the maximum allowed record size (16 KB for TLS, plus overhead). In practice, this almost always means the server is not sending TLS data at all — it is sending plain HTTP. When OpenSSL tries to parse an HTTP response as a TLS record, the ASCII bytes are interpreted as a version field and length field, producing a nonsensically large 'record length' that triggers this error. This is one of the most common SSL errors encountered in practice and almost always indicates a port or protocol misconfiguration rather than an actual record size problem.
By far the most common cause: the web server is configured to serve plain HTTP on port 443 instead of HTTPS. When the client sends a TLS ClientHello, the server responds with an HTTP error page, and the client's TLS library tries to parse this as a TLS record.
The client is connecting to a port that serves a different protocol (HTTP, SMTP, SSH, etc.) and attempting TLS. For example, connecting to port 80 with HTTPS instead of port 443.
A load balancer or reverse proxy is decrypting TLS and forwarding plain HTTP to the backend, but the backend is configured to expect TLS connections. Or the load balancer is passing TLS through to a backend that expects plain HTTP.
Connect to port 443 with a plain-text client (not TLS) and see if you get an HTTP response. If you do, the server is misconfigured to serve HTTP on the HTTPS port.
curl -v --insecure http://yourdomain.com:443/ 2>&1 | head -15
Check that the web server's virtual host for port 443 has SSL/TLS enabled. In Nginx, ensure the listen directive includes 'ssl'. In Apache, ensure SSLEngine is 'on'.
nginx -T 2>/dev/null | grep -A5 'listen.*443'
Attempt a TLS handshake to port 443 and observe whether you get a proper TLS response or plain-text data.
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>&1 | head -20
Verify port 443 is accessible and not being intercepted by a middlebox that strips TLS.
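The header misparse described at the top of this page, worked through on the first bytes of a reply. This is an added example, not code from the original page; the sample byte strings are constructed, and the function names and the 2^14 + 2048 bound (the TLS 1.2 ciphertext limit) are choices made for this sketch.

```python
import struct

# TLS record header: 1-byte content type, 2-byte version, 2-byte length.
# 2^14 + 2048 is the TLS 1.2 bound on a protected record (TLS 1.3 uses 2^14 + 256).
MAX_CIPHERTEXT = 16384 + 2048
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

# Constructed sample replies (not captured from a real server).
HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\n"
SSH_REPLY = b"SSH-2.0-OpenSSH_9.6\r\n"
TLS_REPLY = b"\x16\x03\x03\x00\x5a\x02"  # handshake record, TLS 1.2, 90 bytes


def parse_as_tls_header(first_bytes: bytes) -> dict:
    """Interpret the first 5 bytes the way a TLS record layer would."""
    if len(first_bytes) < 5:
        raise ValueError("need at least 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", first_bytes[:5])
    return {
        "content_type": CONTENT_TYPES.get(ctype, f"unknown(0x{ctype:02x})"),
        "version": (major, minor),
        "length": length,
        "too_long": length > MAX_CIPHERTEXT,
    }


def classify_reply(first_bytes: bytes) -> str:
    """Guess which protocol actually answered on the port."""
    if first_bytes.startswith(b"HTTP/"):
        return "plain HTTP"
    if first_bytes.startswith(b"SSH-"):
        return "SSH banner"
    if first_bytes[:4] in (b"220 ", b"220-"):
        return "SMTP/FTP greeting"
    if len(first_bytes) < 5:
        return "too short"
    hdr = parse_as_tls_header(first_bytes)
    known = not hdr["content_type"].startswith("unknown")
    if known and hdr["version"][0] == 3 and not hdr["too_long"]:
        return "TLS record"
    return "unknown"


if __name__ == "__main__":
    for sample in (HTTP_REPLY, SSH_REPLY, TLS_REPLY):
        print(classify_reply(sample), parse_as_tls_header(sample))
```

For the HTTP reply, the bytes "P/" (0x50 0x2F) land in the length field and read as 20527, which is above the limit and is what the client reports as a record that is too long.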
An error occurred in the SSL/TLS library itself, typically indicating a protocol violation or internal processing failure.
The browser could not establish a secure connection because the SSL/TLS protocol negotiation failed.
The TLS handshake could not be completed because the client and server failed to negotiate acceptable security parameters.