SSL_ERROR_SSL is returned by OpenSSL when a non-recoverable error occurs in the SSL/TLS library during protocol processing. Unlike SSL_ERROR_SYSCALL (which points to I/O/network issues), SSL_ERROR_SSL indicates a problem within the TLS protocol itself. The actual error details are stored in the OpenSSL error queue and can be retrieved with ERR_get_error(). Common causes include protocol violations by the peer, unsupported features, certificate validation failures, and incompatible configurations. The specific error message from the error queue (e.g., 'wrong version number', 'no shared cipher', 'certificate verify failed') is essential for diagnosis.
If the server responds with plain HTTP on what should be an HTTPS port, OpenSSL fails to parse the HTTP response as a TLS record and returns SSL_ERROR_SSL with a message like 'wrong version number'. This often happens with misconfigured servers or load balancers that are not terminating SSL.
The server's certificate could not be verified against the client's trust store. The error queue will contain messages like 'certificate verify failed', 'unable to get local issuer certificate', or 'self signed certificate'.
The client and server cannot agree on security parameters. The error queue will show specific details like 'no shared cipher', 'no protocols available', or 'unsupported protocol'. This often happens when connecting modern clients to very old servers or vice versa.
The SSL_ERROR_SSL return code is just a category — the specific error is in OpenSSL's error queue. Use verbose mode to see the full error string, which will guide further troubleshooting.
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>&1 | grep -i 'error\|verify'
Verify that the server is actually serving TLS on the port and not plain HTTP. A common misconfiguration is having HTTP on port 443.
curl -v --connect-timeout 5 https://yourdomain.com/ 2>&1 | head -20
Test certificate verification explicitly to determine if the issue is trust-related. Use the system CA bundle or specify your own.
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -verify_return_error -CAfile /etc/ssl/certs/ca-certificates.crt 2>&1 | head -20
Verify the domain resolves to the correct server. If DNS points to the wrong IP, you may be connecting to a server with incompatible TLS settings.
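Added example, not part of the original page: the plain-HTTP-on-a-TLS-port case described above, reproduced offline with Python's standard ssl module (which wraps OpenSSL). The sample replies, the function names, and the yourdomain.com placeholder are assumptions made for illustration. It reads the first five bytes as a TLS record header, then feeds the same bytes to a real client handshake in memory to surface the error-queue text.

```python
import ssl
import struct

# Constructed sample replies from peers that are not speaking TLS.
PLAIN_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
SSH_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"

# change_cipher_spec, alert, handshake, application_data
TLS_CONTENT_TYPES = (20, 21, 22, 23)


def record_header(data: bytes) -> dict:
    """Interpret the first five bytes as a TLS record header."""
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {"type": content_type, "version": (major, minor), "length": length}


def looks_like_tls(data: bytes) -> bool:
    """True if the bytes start with a plausible TLS record header."""
    hdr = record_header(data)
    # 2**14 + 2048 is the TLS 1.2 ciphertext record limit.
    return (hdr["type"] in TLS_CONTENT_TYPES and hdr["version"][0] == 3
            and hdr["length"] <= 16384 + 2048)


def handshake_error_for(server_bytes: bytes):
    """Feed canned peer bytes to a real client handshake, entirely in memory.

    Returns (reason, detail) from the ssl.SSLError, or (None, None).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname="yourdomain.com")
    try:
        conn.do_handshake()        # queues the ClientHello, then needs input
    except ssl.SSLWantReadError:
        pass
    incoming.write(server_bytes)   # the peer's non-TLS reply
    try:
        conn.do_handshake()
    except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
        return None, None
    except ssl.SSLError as exc:    # how Python surfaces SSL_ERROR_SSL
        return exc.reason, str(exc)
    return None, None


if __name__ == "__main__":
    for name, reply in (("http", PLAIN_HTTP_REPLY), ("ssh", SSH_BANNER)):
        print(name, record_header(reply), looks_like_tls(reply),
              handshake_error_for(reply))
```

For the HTTP reply, the bytes "HTTP/" decode as content type 0x48, version 0x5454 and a length of 20527, so the version check fails first. The oversized length field is why the same misconfiguration shows up elsewhere as a record-too-long error.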
An I/O error occurred during an SSL operation, typically indicating a network-level problem or abrupt connection termination.
The SSL/TLS library received a record that exceeds the maximum allowed size, usually indicating the server is sending non-TLS data.
The browser could not establish a secure connection because the SSL/TLS protocol negotiation failed.