What are the Schannel TLS fatal alert codes?

schannel
JD Brennan picture JD Brennan · Jun 26, 2020 · Viewed 26.3k times · Source

Where can I find a definition of the Windows Schannel fatal alerts codes that show up in Event Viewer? For instance:

  • A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40.
  • A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 70. The Windows SChannel error state is 105.

Answer

JD Brennan picture JD Brennan · Jun 26, 2020

The alert codes are defined at:

https://docs.microsoft.com/en-us/windows/win32/secauthn/schannel-error-codes-for-tls-and-ssl-alerts

    40 = SSL3_ALERT_HANDSHAKE_FAILURE
    42 = TLS1_ALERT_BAD_CERTIFICATE
    43 = TLS1_ALERT_UNSUPPORTED_CERT
    44 = TLS1_ALERT_CERTIFICATE_REVOKED
    45 = TLS1_ALERT_CERTIFICATE_EXPIRED
    46 = TLS1_ALERT_CERTIFICATE_UNKNOWN
    48 = TLS1_ALERT_UNKNOWN_CA
    70 = TLS1_ALERT_PROTOCOL_VERSION

Related questions

How to import an OpenSSL key file into the Windows Certificate Store

I've got an OpenSSL generated X.509 certificate in PEM format and it's associated key file. This certificate is required for authentication when connecting to a prototype server. This works fine on Linux. I've been using the Microsoft SChannel API to …

Read More
What is the difference between the DisabledByDefault and Enabled SSL/TLS registry keys on Microsoft Windows?

Microsoft provides best practices guidance for Transport Layer Security (TLS). This document describes registry keys that can enable or disable a specific protocol. https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls#configuring-schannel-protocols-in-the-windows-registry For example, to enable TLS 1.2, you can …

Read More
Can't connect to the SSL server that use only ephemeral ciphersuites (The Local Security Authority cannot be contacted)

I'm trying to connect to the test server started with openssl (this limited ciphersuite combination is intended): openssl s_server -accept 443 -www -tls1_2 -cipher ECDHE:DHE:EDH -cert selfsignedcert.pem -key sskey.pem The code I use is similar to …

Read More