SSL handshake error when connecting to Mailgun API endpoint - unexpected EOF during reading

Finn_Mystery · July 14, 2025, 7:25am

I’ve been dealing with a frustrating SSL connection issue when trying to reach Mailgun’s API using curl. The strange part is that this problem only happens on one specific server.

When I run this command:

curl -vvv 'https://api.eu.mailgun.net/'

I get this error output:

* Connected to api.eu.mailgun.net (34.111.145.192) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (OUT), TLS header, Unknown (21):
* TLSv1.3 (OUT), TLS alert, decode error (562):
* error:0A000126:SSL routines::unexpected eof while reading
* Closing connection 0
curl: (35) error:0A000126:SSL routines::unexpected eof while reading

My curl version info:

curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11 brotli/1.0.9 zstd/1.4.8 libidn2/2.3.2 libpsl/0.21.0 (+libidn2/2.3.2) libssh/0.9.6/openssl/zlib nghttp2/1.43.0 librtmp/2.3 OpenLDAP/2.5.14

I tested the same curl version on another server with identical setup and it works fine there. I suspect this might be related to certificate issues. When I test the SSL connection directly with openssl:

openssl s_client -connect api.eu.mailgun.net:443 -CApath /etc/ssl/certs

I see this result:

CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 320 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Running Ubuntu 22.04. Any ideas what could be causing this server-specific SSL issue?

olivias · July 25, 2025, 5:51am

Had this exact error on Ubuntu 22.04 with OpenSSL 3.0.2. My server had stricter cipher suite configs than my working ones. Check /etc/ssl/openssl.cnf for custom cipher settings or security level changes. I temporarily lowered the security level to test, then tightened it back up gradually. Also check if you’ve got custom SSL policies from update-crypto-policies or similar tools blocking TLS negotiations that Mailgun needs.

Alex_Thunder · July 21, 2025, 8:45am

sounds like a firewall or proxy issue tbh. ive had similar weird ssl errors - turned out our corporate firewall was messing with tls handshakes. try running ss -tuln to see what’s listening, and maybe test from a different network if you can?

charlottew · July 21, 2025, 1:48am

This screams network infrastructure problem, not client config. I hit the same thing when our hosting provider upgraded their edge routers - SSL handshakes kept dropping because of packet inspection or bandwidth throttling. That ‘write:errno=104’ from your openssl test? Classic connection reset at the network level. Try forcing different TLS versions with curl - use ‘–tlsv1.2’ or ‘–tlsv1.3’ to see if either works. Also check if your server’s got traffic shaping or QoS rules messing with HTTPS connections to certain IP ranges.