
OpenSSL errno 10054, Schannel error 36887, fatal alert 46

OpenSSL errno 10054, connection refused, whilst trying to connect to our server

10054 is not connection refused, but connection reset by peer. This means that a TCP connection was successfully established (s_client indicates CONNECTED), but when sending more data from the client to the server, the server closed the connection without reading all the data (and sent a TCP RST back).

While this could be a firewall issue, it could also indicate a problem with the server configuration, that is, the server accepts the client but then cannot continue because of an invalid configuration. Such invalid configurations might be missing permissions for the requested data, a certificate without a usable private key, or others. I would suggest that you have a look at the server logs for more information.

I've also seen TCP RST with servers, load balancers or firewalls which do not understand current TLS versions and simply close the connection. Browsers work around this issue by transparently retrying with a lower TLS version. You might check whether openssl s_client -ssl3 works against this server and you receive a certificate.

Web Deploy 3.6 - Socket error (10054) and timeout error

The 10054 socket error is a complete network issue instead of an IIS issue. The server side aborts the connection for some reason. So you may need to contact the network provider or add an exception rule if you have IPS.

Looking at the server's Event Viewer, I found a Schannel error under the Security folder:

The following fatal alert was received: 46.

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
        <EventID>36887</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2021-09-08T05:27:30.642947300Z" />
        <EventRecordID>478715</EventRecordID>
        <Correlation />
        <Execution ProcessID="536" ThreadID="5020" />
        <Channel>System</Channel>
        <Computer>VBR-VMW-TF-3.AS-UK.NET</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="AlertDesc">46</Data>
      </EventData>
    </Event>

What are the Schannel TLS fatal alert codes?

The alert codes are defined at:

https://docs.microsoft.com/en-us/windows/win32/secauthn/schannel-error-codes-for-tls-and-ssl-alerts

    40 = SSL3_ALERT_HANDSHAKE_FAILURE
    42 = TLS1_ALERT_BAD_CERTIFICATE
    43 = TLS1_ALERT_UNSUPPORTED_CERT
    44 = TLS1_ALERT_CERTIFICATE_REVOKED
    45 = TLS1_ALERT_CERTIFICATE_EXPIRED
    46 = TLS1_ALERT_CERTIFICATE_UNKNOWN
    48 = TLS1_ALERT_UNKNOWN_CA
    70 = TLS1_ALERT_PROTOCOL_VERSION

https://docs.microsoft.com/en-us/archive/blogs/kaushal/ssltls-alert-protocol-the-alert-codes

    46 = certificate_unknown: An unspecified issue took place while processing the certificate that made it unacceptable.
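
One way to triage events like the one above offline, as an added example that is not part of the original posts: it parses exported event XML, keeps only Schannel 36887 records, and names each AlertDesc using the table listed on this page. The `<Events>` wrapper element, the `make_event` helper, the host names and all sample records are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Alert names exactly as listed on this page; any other code is reported as UNLISTED.
ALERT_NAMES = {
    40: "SSL3_ALERT_HANDSHAKE_FAILURE", 42: "TLS1_ALERT_BAD_CERTIFICATE",
    43: "TLS1_ALERT_UNSUPPORTED_CERT", 44: "TLS1_ALERT_CERTIFICATE_REVOKED",
    45: "TLS1_ALERT_CERTIFICATE_EXPIRED", 46: "TLS1_ALERT_CERTIFICATE_UNKNOWN",
    48: "TLS1_ALERT_UNKNOWN_CA", 70: "TLS1_ALERT_PROTOCOL_VERSION",
}

def make_event(provider, event_id, computer, alert):
    """Build one constructed event with the same layout as the XML above."""
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{provider}"/>'
            f'<EventID>{event_id}</EventID><Computer>{computer}</Computer></System>'
            f'<EventData><Data Name="AlertDesc">{alert}</Data></EventData></Event>')

# Constructed sample export (hypothetical hosts), wrapped in an assumed <Events> root.
SAMPLE = "<Events>" + "".join([
    make_event("Schannel", 36887, "host-a.example", 46),
    make_event("Schannel", 36887, "host-a.example", 46),
    make_event("Schannel", 36887, "host-b.example", 70),
    make_event("Schannel", 36887, "host-b.example", 49),      # code not in the page's list
    make_event("Schannel", 36887, "host-b.example", "n/a"),   # malformed value, skipped
    make_event("Example-Provider", 1, "host-a.example", 46),  # other provider, ignored
]) + "</Events>"

def parse_schannel_alerts(xml_text):
    """Return (computer, alert_code, alert_name) for every Schannel 36887 event."""
    rows = []
    # iter() also yields the root itself, so a single bare <Event> works too.
    for ev in ET.fromstring(xml_text).iter(f"{{{NS['e']}}}Event"):
        provider = ev.find("e:System/e:Provider", NS)
        event_id = ev.findtext("e:System/e:EventID", default="", namespaces=NS)
        if provider is None or provider.get("Name") != "Schannel" or event_id.strip() != "36887":
            continue
        raw = ev.findtext("e:EventData/e:Data[@Name='AlertDesc']", default="", namespaces=NS)
        if not raw.strip().isdigit():
            continue  # no usable alert description in this record
        code = int(raw)
        computer = ev.findtext("e:System/e:Computer", default="?", namespaces=NS)
        rows.append((computer, code, ALERT_NAMES.get(code, "UNLISTED")))
    return rows

def summarize(rows):
    """Count identical (computer, code, name) rows so repeated failures stand out."""
    return Counter(rows).most_common()

if __name__ == "__main__":
    for (computer, code, name), n in summarize(parse_schannel_alerts(SAMPLE)):
        print(f"{n:3d}  {computer:16s} {code:3d}  {name}")
```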