I found that the HTTPS 'close notify' from nginx could sometimes be lost, depending on the network. When this packet was lost, nginx would not retransmit it because nginx had already reset the connection. In this case, some clients, e.g. Apache HttpClient, would fail because of an SSL timeout. This case did not occur on Apache, because it shut down SSL first, then turned on lingering close, by which it succeeded in avoiding resetting the connection.
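The close ordering described above (send the final record, half-close, then linger), as an added example that is not part of the original post and is not nginx or Apache code. It uses plain TCP on loopback; `STAND_IN_CLOSE_NOTIFY`, `lingering_close` and `run_demo` are hypothetical names, and the stand-in bytes take the place of the TLS alert that a real server would emit through its TLS library.

```python
import socket
import threading
import time

# Constructed stand-in for the TLS close_notify alert (not a real TLS record).
STAND_IN_CLOSE_NOTIFY = b"<close_notify>"

def lingering_close(conn, final_record, linger_timeout=2.0):
    """Send the final record, half-close, then drain until peer EOF or timeout."""
    conn.sendall(final_record)
    conn.shutdown(socket.SHUT_WR)  # FIN follows final_record; TCP still retransmits both
    deadline = time.monotonic() + linger_timeout
    drained = 0
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            break
        conn.settimeout(remaining)
        try:
            chunk = conn.recv(4096)  # discard input so close() finds an empty buffer
        except OSError:              # timeout or peer error: stop lingering
            break
        if not chunk:                # peer closed its side: safe to close
            break
        drained += len(chunk)
    conn.close()
    return drained

def run_demo():
    """Client leaves unread bytes at the server, which then closes with linger."""
    listener = socket.create_server(("127.0.0.1", 0))
    port = listener.getsockname()[1]
    result = {}

    def server():
        conn, _ = listener.accept()
        conn.recv(16)  # handle the first request only; the rest stays unread
        result["drained"] = lingering_close(conn, STAND_IN_CLOSE_NOTIFY)

    worker = threading.Thread(target=server)
    worker.start()
    client = socket.create_connection(("127.0.0.1", port), timeout=5)
    client.sendall(b"A" * 16 + b"B" * 100)  # constructed input: 100 extra bytes
    received = b""
    while chunk := client.recv(4096):       # raises ConnectionResetError on RST
        received += chunk
    client.close()
    worker.join()
    listener.close()
    return received, result["drained"]
```

Calling `close()` directly while the 100 extra bytes are still unread is the case where the kernel answers with a reset instead of an orderly FIN, which is the condition the post describes.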