OpenSSL errno 10054
OpenSSL errno 10054, connection refused, whilst trying to connect to our server
10054 is not connection refused, but connection reset by peer. This means that a TCP connection was successfully established (s_client indicates CONNECTED) but when sending more data from the client to the server the server closed the connection without reading all the data (and sent a TCP RST back).
While this could be a firewall issue it could also indicate a problem at the server configuration, that is the server accepts the client but then cannot continue because of an invalid configuration. Such invalid configurations might be missing permissions for the requested data, a certificate without a usable private key or others. I would suggest that you have a look at the server logs for more information.
I've also seen TCP RST with servers, load balancers or firewalls which do not understand current TLS versions and simply close the connection. Browsers work around this issue by transparently retrying with a lower TLS version. You might try if `openssl s_client -ssl3` works against this server and you receive a certificate.
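The distinction drawn in the answer above (refused, reset after the handshake, or a clean close) is easy to confuse when all you have is an error number. The following Python script, added here as an illustration and not part of the original question or answer, reproduces the three peer behaviours on loopback and classifies what the client observes. The `probe` and `simulate` helpers are my own constructions; the RST is forced with `SO_LINGER` (assuming the POSIX two-int `linger` layout), whereas a real server usually triggers it by closing while client data is still unread.

```python
import socket
import struct
import threading

# Winsock numbers quoted in the thread. Python raises the same OSError
# subclass on Windows and POSIX, so a diagnostic can test the class rather
# than the platform-specific number.
WINSOCK_ERRORS = {
    10054: "WSAECONNRESET (connection reset by peer)",
    10061: "WSAECONNREFUSED (connection refused)",
}


def probe(host, port, payload=b"hello", timeout=5.0):
    """Connect, send one payload and report how the peer behaved.

    "refused" - no listener: SYN answered with RST (10061 / ECONNREFUSED)
    "reset"   - established, then the peer sent RST (10054 / ECONNRESET)
    "closed"  - established, peer read our data and closed cleanly (FIN)
    "ok"      - peer answered with data
    "timeout" - nothing came back within `timeout` seconds
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(payload)
            data = s.recv(1024)
    except ConnectionRefusedError:
        return "refused"
    except (ConnectionResetError, BrokenPipeError):
        # Linux reports ECONNRESET on the first call after the RST arrives
        # and EPIPE on later sends; both mean the peer reset us.
        return "reset"
    except socket.timeout:
        return "timeout"
    return "closed" if not data else "ok"


def _serve_once(listener, mode):
    """Accept one connection and end it the way `mode` says (constructed peer)."""
    conn, _ = listener.accept()
    if mode == "closed":
        conn.recv(1024)  # drain the client's data so close() sends a FIN
    elif mode == "reset":
        # Closing with unread data pending makes the kernel send RST; a zero
        # linger timeout forces the RST deterministically for the demo.
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    conn.close()


def simulate(mode):
    """Run probe() against a loopback peer that behaves as `mode`."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    port = listener.getsockname()[1]
    if mode == "refused":
        listener.close()  # nothing listens on the port any more
        return probe("127.0.0.1", port)
    listener.listen(1)
    t = threading.Thread(target=_serve_once, args=(listener, mode), daemon=True)
    t.start()
    try:
        return probe("127.0.0.1", port)
    finally:
        t.join(timeout=5)
        listener.close()


if __name__ == "__main__":
    for mode in ("refused", "reset", "closed"):
        print(f"{mode:8s} -> {simulate(mode)}")
    print("10054 =", WINSOCK_ERRORS[10054])
```

Only the "reset" outcome matches the symptom in the question: the connect succeeds (s_client prints CONNECTED) and the failure appears once data is sent, which is why the server-side logs, not the client, hold the reason.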
https://accedian.com/blog/diagnose-tcp-connection-setup-issues/
A Wireshark capture showed that the TCP three-way handshake was never completed: the client sent a SYN packet but the server never replied with SYN+ACK. So this should be a firewall problem; there is probably a load balancer in front of the server that is intercepting the connection.
Here are common failure cases:
- A firewall denies those connections. In this case, you could apply the same query to client zones (in the same menu) to see if the IPs are in the same zone.
- The server does not exist anymore or is not available. This happens frequently when a server IP is changed, yet some clients continue to query the old one.
Web Deploy 3.6 - Socket error (10054) and timeout error
The 10054 socket error is a pure network issue rather than an IIS issue. The server side aborted the connection for some reason. So you may need to contact the network provider or add an exception rule if you have an IPS.
Looking at the server's Event Viewer, there were Schannel errors under the Security section:
The following fatal alert was received: 46. This is a self-signed certificate problem.
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
    <EventID>36887</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2021-09-08T05:27:30.642947300Z" />
    <EventRecordID>478715</EventRecordID>
    <Correlation />
    <Execution ProcessID="536" ThreadID="5020" />
    <Channel>System</Channel>
    <Computer>VBR-VMW-TF-3.AS-UK.NET</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="AlertDesc">46</Data>
  </EventData>
</Event>
What are the Schannel TLS fatal alert codes?
The alert codes are defined at:
https://docs.microsoft.com/en-us/windows/win32/secauthn/schannel-error-codes-for-tls-and-ssl-alerts
40 = SSL3_ALERT_HANDSHAKE_FAILURE
42 = TLS1_ALERT_BAD_CERTIFICATE
43 = TLS1_ALERT_UNSUPPORTED_CERT
44 = TLS1_ALERT_CERTIFICATE_REVOKED
45 = TLS1_ALERT_CERTIFICATE_EXPIRED
46 = TLS1_ALERT_CERTIFICATE_UNKNOWN
48 = TLS1_ALERT_UNKNOWN_CA
70 = TLS1_ALERT_PROTOCOL_VERSION
https://docs.microsoft.com/en-us/archive/blogs/kaushal/ssltls-alert-protocol-the-alert-codes
| Alert code | Alert name | Description |
| --- | --- | --- |
| 46 | certificate_unknown | An unspecified issue took place while processing the certificate that made it unacceptable. |
The security certificate presented by this website was issued for a different website's address.
The security certificate presented by this website was not issued by a trusted certificate authority.
Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
https://www.ietf.org/rfc/rfc4346.txt
7.2. Alert Protocol

One of the content types supported by the TLS Record layer is the alert type. Alert messages convey the severity of the message and a description of the alert. Alert messages with a level of fatal result in the immediate termination of the connection. In this case, other connections corresponding to the session may continue, but the session identifier MUST be invalidated, preventing the failed session from being used to establish new connections. Like other messages, alert messages are encrypted and compressed, as specified by the current connection state.

    enum { warning(1), fatal(2), (255) } AlertLevel;

    enum {
        close_notify(0),
        unexpected_message(10),
        bad_record_mac(20),
        decryption_failed(21),
        record_overflow(22),
        decompression_failure(30),
        handshake_failure(40),
        no_certificate_RESERVED(41),
        bad_certificate(42),
        unsupported_certificate(43),
        certificate_revoked(44),
        certificate_expired(45),
        certificate_unknown(46),
        illegal_parameter(47),
        unknown_ca(48),
Event ID 36887: A Fatal Alert Was Received
The TLS alert sub-protocol uses messages to indicate a change in status or an error condition to the peer. There are a wide variety of alerts to notify the peer of both normal and error conditions. Alerts are commonly sent when the connection is closed, a message which is not valid is received, a message cannot be decrypted, or the user cancels the operation. The IETF specification, RFC 4346, contains descriptions of the closure alerts and error alerts.
This alert message indicates this computer received a TLS or SSL fatal alert message from the server it was communicating or negotiating with. The error indicates a state in the communication process, not necessarily a problem with the application. However, the cause could be how the application, such as a web browser, handled the communication.
The desktop app, using SCHANNEL_ALERT_TOKEN, generates a SSL or TLS alert to be sent to the target of a call to either the InitializeSecurityContext (Schannel) function or the AcceptSecurityContext (Schannel) function. The two alert types are warning and fatal. With a fatal error, the connection is closed immediately.
Event Details

| Field | Value |
| --- | --- |
| Product | Windows Operating |
| ID | 36887 |
| Source | Schannel |
| Version | 6.1 6.2 |
| Symbolic Name | SSLEVENT_RECEIVE_FATAL_ALERT |
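The alert-code tables, the RFC 4346 enum and the Event ID 36887 description above all refer to the same two-byte alert body. The Python below, added as an illustration and not code from the original page, Microsoft or the RFC, decodes a plaintext TLS alert record into its level and description and pulls the `AlertDesc` field out of a Schannel 36887 event so both can be mapped through one table. The sample record bytes and the sample event XML are constructed for the demo (the event follows the layout shown above with a placeholder computer name); the function names are my own.

```python
import struct
import xml.etree.ElementTree as ET

# TLS record content type for alerts (RFC 4346, section 6.2.1)
CONTENT_TYPE_ALERT = 21

ALERT_LEVELS = {1: "warning", 2: "fatal"}

# AlertDescription values from RFC 4346 section 7.2. The same numbers appear
# in the Schannel event's AlertDesc field and in Microsoft's TLS1_ALERT_* names.
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    10: "unexpected_message",
    20: "bad_record_mac",
    21: "decryption_failed",
    22: "record_overflow",
    30: "decompression_failure",
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    47: "illegal_parameter",
    48: "unknown_ca",
    70: "protocol_version",
}

# Record-layer version bytes to protocol name
RECORD_VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

# Constructed sample records: TLS 1.2 fatal certificate_unknown (46 = 0x2e)
# and a TLS 1.0-versioned fatal protocol_version (70 = 0x46).
SAMPLE_RECORDS = {
    "certificate_unknown": bytes.fromhex("15 03 03 00 02 02 2e"),
    "protocol_version": bytes.fromhex("15 03 01 00 02 02 46"),
}


def parse_alert_record(record):
    """Decode one plaintext TLS alert record (5-byte header + 2-byte body).

    Only alerts sent before the session keys are in use are readable this
    way; once the record layer is encrypted the body must be decrypted first.
    """
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != CONTENT_TYPE_ALERT:
        raise ValueError(f"content type {ctype} is not an alert record")
    body = record[5:5 + length]
    if length != 2 or len(body) != 2:
        raise ValueError("plaintext alert body must be exactly 2 bytes")
    level, desc = body
    return {
        "tls_version": RECORD_VERSIONS.get((major, minor), f"unknown {major}.{minor}"),
        "level": ALERT_LEVELS.get(level, f"unknown({level})"),
        "fatal": level == 2,
        "code": desc,
        "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"),
    }


EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed event in the shape of the Event Viewer XML shown above.
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
    <EventID>36887</EventID>
    <Channel>System</Channel>
    <Computer>SERVER-PLACEHOLDER</Computer>
  </System>
  <EventData>
    <Data Name="AlertDesc">46</Data>
  </EventData>
</Event>"""


def parse_schannel_event(xml_text):
    """Extract the event id and alert name from a Schannel 36887 event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", EVENT_NS).text)
    node = root.find("e:EventData/e:Data[@Name='AlertDesc']", EVENT_NS)
    if event_id != 36887 or node is None:
        raise ValueError("not a 'fatal alert received' (36887) event")
    code = int(node.text)
    return {"event_id": event_id, "code": code,
            "alert": ALERT_DESCRIPTIONS.get(code, f"unknown({code})")}


if __name__ == "__main__":
    for name, raw in SAMPLE_RECORDS.items():
        print(name, parse_alert_record(raw))
    print(parse_schannel_event(SAMPLE_EVENT_XML))
```

Feeding the record bytes from a capture (or the AlertDesc value from the event) through the same table is what turns "fatal alert 46" into "the peer rejected our certificate", which points the investigation at the certificate chain rather than at the network.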
Author: Chuck Lu (GitHub)