I was evaluating some SSL failures, and noticed that when I use curl to one of the failing sites, I got curl: (56) SSL read: errno -5961; however, my google queries for that error didn't show the reason for the openssl failure.
Question:
What does it mean when curl fails with curl: (56) SSL read: errno -5961?
I'm including the complete curl below…
[mpenning@mpenning-lnx ~]$ curl -vk https://192.0.2.168/
* About to connect() to 192.0.2.168 port 443 (#0)
* Trying 192.0.2.168... connected
* Connected to 192.0.2.168 (192.0.2.168) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* subject: CN=foo-console,L=New York,OU=IT Infrastructure,O=Sesame Street
* start date: Aug 21 23:36:51 2013 GMT
* expire date: Aug 21 23:36:51 2015 GMT
* common name: foo-console
* issuer: CN=foo-console,L=New York,OU=IT Infrastructure,O=Sesame Street
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: 192.0.2.168
> Accept: */*
>
< HTTP/1.1 200 OK
* SSL read: errno -5961
* Closing connection #0
curl: (56) SSL read: errno -5961
[mpenning@mpenning-lnx ~]$
Best Answer
Summary:
curl: (56) SSL read: errno -5961means that the SSL session timed-out for some reason.In my case, the root cause was a layer2 MTU mismatch, which caused the openssl socket to time out part of the way through the curl transaction. Full MTU-sized TCP packets (i.e. 1500 byte IP payloads) failed because one side of the layer2 tunnel would not allow them through.
Others may see OpenSSL timing out for different reasons, but the key is knowing that this error is due to an OpenSSL timeout.