What is NSS error -5961 (PR_CONNECT_RESET_ERROR)

22

1

Can someone enlighten me on the meaning of "NSS error -5961 (PR_CONNECT_RESET_ERROR)"?

I am trying to connect to bitbucket.org with the "https" protocol but got a refusal from the server. Then I tried using curl on the command line and saw this output.

# curl -v https://bitbucket.org
* About to connect() to bitbucket.org port 443 (#0)
*   Trying 131.103.20.168...
* Connected to bitbucket.org (131.103.20.168) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -5961 (PR_CONNECT_RESET_ERROR)
* TCP connection reset by peer
* Closing connection 0
curl: (35) TCP connection reset by peer

With openssl, I got this output.

# openssl s_client -connect bitbucket.org:443 -msg
CONNECTED(00000003)
>>> TLS 1.2 Handshake [length 00f4], ClientHello
    01 00 00 f0 03 03 55 59 80 fa 72 25 f4 a5 84 49
... <I omitted the rest of this hex dump>
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 249 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

microstrip

Posted 2015-05-18T06:21:54.427

Reputation: 323

First, try to see if you can telnet to the IP on the same port. If you can't, that is the challenge: engage your security team to permit the access and then try again. – Gertrude Aurora – 2019-06-27T08:39:35.630

Answers

23

TCP connection reset by peer

This error from NSS is the same error you get with openssl (errno=104: ECONNRESET). This simply means that the peer or some middlebox in between (firewall) is terminating the connection.

Since the site is reachable from my place, I would suggest that there is a firewall on your site blocking the connection. The behavior is fairly typical for DPI firewalls, in that the initial TCP connection is allowed, but once you send the first data (the ClientHello of the TLS handshake) it will determine whether your access is allowed by policy and either let it pass or deny it by injecting a TCP RST.

Steffen Ullrich

Posted 2015-05-18T06:21:54.427

Reputation: 3 897

Thanks a lot for your response. I am trying to contact the network admin to look at the firewall configuration. Hope that they will find something in the policy. – microstrip – 2015-05-18T13:38:23.937

Steffen Ullrich: After an update from the network admin on the firewall configuration, the SSL communication is back to working as normal. Thanks a lot for your idea and support. – microstrip – 2015-05-19T06:15:20.273
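A small diagnostic that separates the two cases the answer above describes (TCP handshake refused outright versus TCP accepted and then reset as soon as the ClientHello is sent), as an added example that is not part of the original answer. The loopback server that resets after the first bytes is a constructed stand-in for the DPI behaviour; the function names are my own.

```python
import errno
import socket
import ssl
import struct
import threading

# Distinguish "TCP refused" from "TCP ok, then RST after ClientHello" (the pattern in the question).
def classify_tls_connect(host, port, timeout=5.0):
    """Return 'tcp-refused', 'tcp-timeout', 'reset-after-clienthello', 'tls-ok' or 'other:<exc>'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "tcp-refused"          # no listener, or a firewall answering the SYN with RST
    except socket.timeout:
        return "tcp-timeout"          # packets silently dropped
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # reachability probe only; certificate identity is not checked here
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # wrap_socket() on an already-connected socket sends the ClientHello and runs the handshake now
        with ctx.wrap_socket(sock, server_hostname=host):
            return "tls-ok"
    except OSError as exc:            # ConnectionResetError / BrokenPipeError are OSError subclasses
        if exc.errno in (errno.ECONNRESET, errno.EPIPE):
            return "reset-after-clienthello"   # errno 104 on Linux, what curl/NSS and openssl reported
        return f"other:{exc.__class__.__name__}"
    finally:
        sock.close()

# Constructed stand-in for the DPI firewall in the answer: complete the TCP handshake,
# wait for the first bytes (the ClientHello), then tear the connection down with RST.
def start_rst_after_first_data_server():
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        srv.close()                   # stop listening, so a second connect to this port is refused
        conn.recv(1)                  # first data from the client has arrived
        # SO_LINGER with a zero timeout makes close() emit RST instead of FIN
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    p = start_rst_after_first_data_server()
    print(classify_tls_connect("127.0.0.1", p))   # reset-after-clienthello
```

Run it against a real host as `classify_tls_connect("bitbucket.org", 443)`: "tcp-refused" points at the network path, while "reset-after-clienthello" is the policy-based RST injection the answer describes.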

1

yum update curl

solved the problem for me.

Arkadiy Bolotov

Posted 2015-05-18T06:21:54.427

Reputation: 11

That would indicate it's OS/curl version specific. What OS/versions of curl were involved? – Journeyman Geek – 2017-11-01T05:58:58.300

Got the same error; solved it by using a Debian-based curl with a different crypto library instead of the Fedora-based version.

Failing version: curl 7.47.1 (x86_64-redhat-linux-gnu) libcurl/7.47.1 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2 nghttp2/1.7.1 Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz HTTP2 UnixSockets – Joni Nevalainen – 2019-04-25T11:16:36.150

Working version: curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.0g zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) nghttp2/1.30.0 librtmp/2.3 Release-Date: 2018-01-24 Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL – Joni Nevalainen – 2019-04-25T11:17:21.090