OpenSSL errno 10054
OpenSSL errno 10054,connection refused, whilst trying to connect to our server
10054 is not connection refused, but connection reset by peer. This means, that a TCP connection was successfully established (s_client indicates CONNECTED) but when sending more data from the client to the server the server closed the connection without reading all the data (and send TCP RST back).
While this could be a firewall issue it could also indicate a problem at the server configuration, that is the server accepts the client but then cannot continue because of an invalid configuration. Such invalid configurations might be a missing permissions for the requested data, certificate without usable private key or others. I would suggest that you have a look at the server logs for more information.
I've also seen TCP RST with servers, load balancers or firewalls which do not understand current TLS versions and simply close the connection. Browsers work around this issue by transparently retrying with a lower TLS version. You might try if openssl s_client -ssl3 works against this server and you receive a certificate.
https://accedian.com/blog/diagnose-tcp-connection-setup-issues/
wireshark抓包发现是,tcp三次握手没有成功建立。客户端发送sync包,服务器没有回复sync+ack包。所以应该是防火墙问题导致的,服务器外部可能存在load balancer进行了拦截
Here are common failure cases:
- A firewall denies those connections. In this case, you could apply the same query to client zones (in the same menu) to see if the IPs are in the same zone.
- The server does not exist anymore or is not available. This happens frequently when a server IP is changed, yet some clients continue to query the old one.
Web Deploy 3.6 - Socket error (10054) and timeout error
The 10054 socket error is complete network issue instead of IIS issue. The server side abort the connection for some reason. So you may need to contact the network provider or add the exception rule if you have IPS.
查看服务器的event viewer,发现security目录下有Schannel的错误
The following fatal alert was received: 46. 这个是自签证书的问题
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> - <System> <Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" /> <EventID>36887</EventID> <Version>0</Version> <Level>2</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8000000000000000</Keywords> <TimeCreated SystemTime="2021-09-08T05:27:30.642947300Z" /> <EventRecordID>478715</EventRecordID> <Correlation /> <Execution ProcessID="536" ThreadID="5020" /> <Channel>System</Channel> <Computer>VBR-VMW-TF-3.AS-UK.NET</Computer> <Security UserID="S-1-5-18" /> </System> - <EventData> <Data Name="AlertDesc">46</Data> </EventData> </Event>
What are the Schannel TLS fatal alert codes?
The alert codes are defined at:
https://docs.microsoft.com/en-us/windows/win32/secauthn/schannel-error-codes-for-tls-and-ssl-alerts
40 = SSL3_ALERT_HANDSHAKE_FAILURE
42 = TLS1_ALERT_BAD_CERTIFICATE
43 = TLS1_ALERT_UNSUPPORTED_CERT
44 = TLS1_ALERT_CERTIFICATE_REVOKED
45 = TLS1_ALERT_CERTIFICATE_EXPIRED
46 = TLS1_ALERT_CERTIFICATE_UNKNOWN
48 = TLS1_ALERT_UNKNOWN_CA
70 = TLS1_ALERT_PROTOCOL_VERSION
https://docs.microsoft.com/en-us/archive/blogs/kaushal/ssltls-alert-protocol-the-alert-codes
|
46 |
certificate_unknown |
An unspecified issue took place while processing the certificate that made it unacceptable. |
The security certificate presented by this website was issued for a different website's address.
The security certificate presented by this website was not issued by a trusted certificate authority.
Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
https://www.ietf.org/rfc/rfc4346.txt
7.2. Alert Protocol
One of the content types supported by the TLS Record layer is
the alert type. Alert messages convey the severity of the
message and a description of the alert. Alert messages with a
level of fatal result in the immediate termination of the
connection. In this case, other connections corresponding to
the session may continue, but the session identifier MUST be
invalidated, preventing the failed session from being used to
establish new connections. Like other messages, alert messages
are encrypted and compressed, as specified by the current
connection state.
enum { warning(1), fatal(2), (255) } AlertLevel;
enum {
close_notify(0),
unexpected_message(10),
bad_record_mac(20),
decryption_failed(21),
record_overflow(22),
decompression_failure(30),
handshake_failure(40),
no_certificate_RESERVED (41),
bad_certificate(42),
unsupported_certificate(43),
certificate_revoked(44),
certificate_expired(45),
certificate_unknown(46),
illegal_parameter(47),
unknown_ca(48),
Event ID 36887: A Fatal Alert Was Received
The TLS alert sub-protocol uses messages to indicate a change in status or an error condition to the peer. There are a wide variety of alerts to notify the peer of both normal and error conditions. Alerts are commonly sent when the connection is closed, a message which is not valid is received, a message cannot be decrypted, or the user cancels the operation. The IETF specification, RFC 4346, contains descriptions of the closure alerts and error alerts.
This alert message indicates this computer received a TLS or SSL fatal alert message from the server it was communicating or negotiating with. The error indicates a state in the communication process, not necessarily a problem with the application. However, the cause could be how the application, such as a web browser, handled the communication.
The desktop app, using SCHANNEL_ALERT_TOKEN, generates a SSL or TLS alert to be sent to the target of a call to either the InitializeSecurityContext (Schannel) function or the AcceptSecurityContext (Schannel) function. The two alert types are warning and fatal. With a fatal error, the connection is closed immediately.
Event Details
| Product | Windows Operating |
| ID | 36887 |
| Source | Schannel |
| Version | 6.1 6.2 |
| Symbolic Name | SSLEVENT_RECEIVE_FATAL_ALERT |
