Failed to read beginning of SSL/TLS record – can be caused by External Firewall

The following error was recently reported:

...
      Connecting to POP3 server
      hostname: outlook.office365.com
      port: 995
      tls: True
      connectTimeoutMs: 30000
      isInSshTunnel: 0
      socket2Connect:
        connect2:
          connectImplicitSsl:
            clientHandshake:
              clientHandshake2:
                readHandshakeMessages:
                  WindowsError: An existing connection was forcibly closed by the remote host.
                  WindowsErrorCode: 0x2746
                  maxToReceive: 5
                  Failed to receive data on the TCP socket
                  Failed to read beginning of SSL/TLS record.
                  b: 0
                  dbSize: 0
                  nReadNBytes: 0
                  idleTimeoutMs: 30000
                --readHandshakeMessages
              --clientHandshake2
            --clientHandshake
            Client handshake failed. (3)
...

The initial TCP connection to the host:port succeeds, but then the initial read of the TLS ClientHello (the 1st message sent in the SSL/TLS handshake) fails with the above error.

There may be other causes, but in this case the issue was caused by an external firewall. Perhaps a firewall with stateful packet inspection. The user made adjustments to the firewall (and I don’t know the details), and connections seem to working reliably again.

Tags :