SSL_ERROR_SYSCALL is returned by OpenSSL when a non-recoverable I/O error occurs during an SSL operation. It is not an SSL/TLS protocol error; it indicates that the underlying system call (read, write, connect) failed. The most common manifestation is 'errno=0', which means the remote peer closed the connection without sending a proper TLS close_notify alert — an abrupt disconnection. It can also come with specific errno values that point to network problems: ECONNRESET (connection reset by peer), EPIPE (broken pipe), or ETIMEDOUT (connection timed out). This error is extremely common in production environments and usually indicates network instability, server crashes, or aggressive timeouts.
The server terminated the TCP connection without sending a TLS close_notify. This happens when the server process crashes, is killed by the OOM killer, or the server's firewall drops the connection. The 'errno=0' variant specifically indicates an unexpected EOF.
A firewall, NAT device, or load balancer timed out the idle connection and dropped it without sending a RST packet. This is common with long-lived connections (like database connections) that sit idle longer than the network device's timeout.
A firewall or IDS/IPS between client and server forcibly reset the connection by injecting a TCP RST packet. This happens when the network device detects activity it considers suspicious or when its connection table overflows.
Verify the server is up and accepting connections on the expected port. A port scan will confirm if the port is open and responding.
Use openssl s_client to attempt a connection and observe whether it completes or gets interrupted. Watch for EOF or connection reset messages.
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com
Examine the server's application and system logs for OOM kills, segfaults, or process restarts that coincide with the SSL_ERROR_SYSCALL errors.
sudo dmesg | grep -i 'oom\|killed'; sudo journalctl -u nginx --since '1 hour ago' --no-pager | tail -20
If the error occurs on idle connections, configure keep-alive settings and connection pool timeouts to be shorter than any intermediate network device's idle timeout. Most load balancers have a 60-second idle timeout.
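One way to apply this on the client side, as an added example that is not part of the original page: it derives TCP keep-alive settings and a pool idle limit from the device's idle timeout. The function names and the 50% safety margin are assumptions, and the socket options are the Linux names.

```python
import socket

def keepalive_plan(device_idle_timeout_s, probes=3, safety=0.5):
    """Pick (idle, interval, count) so probes start before the device's idle timer expires."""
    if device_idle_timeout_s < 2:
        raise ValueError("idle timeout too short to schedule probes")
    # First probe goes out after a fraction of the device timeout (assumed margin).
    idle = max(1, int(device_idle_timeout_s * safety))
    # Spread the remaining time over the probes so a dead peer is noticed
    # at about the moment the device would have dropped the flow anyway.
    interval = max(1, (device_idle_timeout_s - idle) // probes)
    return idle, interval, probes

def apply_keepalive(sock, device_idle_timeout_s):
    """Enable TCP keep-alive on the socket carrying the TLS session; return the plan."""
    idle, interval, count = keepalive_plan(device_idle_timeout_s)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    # Linux option names; guarded because other platforms name them differently.
    options = (("TCP_KEEPIDLE", idle), ("TCP_KEEPINTVL", interval), ("TCP_KEEPCNT", count))
    for name, value in options:
        if hasattr(socket, name):
            sock.setsockopt(socket.IPPROTO_TCP, getattr(socket, name), value)
    return idle, interval, count

def is_stale(idle_for_s, device_idle_timeout_s):
    """Pool rule: retire a connection that sat idle past the keep-alive idle time."""
    idle, _, _ = keepalive_plan(device_idle_timeout_s)
    return idle_for_s >= idle

if __name__ == "__main__":
    # 60 seconds is the load balancer idle timeout mentioned in the text above.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    print(apply_keepalive(s, 60))
    s.close()
```

Keep-alive probes are plain TCP segments, so they refresh the device's idle timer without touching the TLS session.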
An error occurred in the SSL/TLS library itself, typically indicating a protocol violation or internal processing failure.
The TLS connection was shut down cleanly by the peer sending a close_notify alert.
The TLS handshake could not be completed because the client and server failed to negotiate acceptable security parameters.