diff --git a/doc/configuration.txt b/doc/configuration.txt
index a7e8cdd80..5b0aad2f0 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -18030,6 +18030,7 @@ fc_conn_err_str : string
 | 40 | "SOCKS4 Proxy read error during handshake" |
 | 41 | "SOCKS4 Proxy deny the request" |
 | 42 | "SOCKS4 Proxy handshake aborted by server" |
+ | 43 | "SSL fatal error" |
 +----+---------------------------------------------------------------------------+
 fc_http_major : integer
diff --git a/include/haproxy/connection-t.h b/include/haproxy/connection-t.h
index ed41cff82..4e4b65ee8 100644
--- a/include/haproxy/connection-t.h
+++ b/include/haproxy/connection-t.h
@@ -250,6 +250,8 @@ enum {
 CO_ER_SOCKS4_RECV, /* SOCKS4 Proxy read error during handshake */
 CO_ER_SOCKS4_DENY, /* SOCKS4 Proxy deny the request */
 CO_ER_SOCKS4_ABORT, /* SOCKS4 Proxy handshake aborted by server */
+
+ CO_ERR_SSL_FATAL, /* SSL fatal error during a SSL_read or SSL_write */
 };
 /* error return codes for accept_conn() */
diff --git a/include/haproxy/connection.h b/include/haproxy/connection.h
index 77afb2bb0..7e5ee7e8c 100644
--- a/include/haproxy/connection.h
+++ b/include/haproxy/connection.h
@@ -834,6 +834,8 @@ static inline const char *conn_err_code_str(struct connection *c)
 case CO_ER_SOCKS4_RECV: return "SOCKS4 Proxy read error during handshake";
 case CO_ER_SOCKS4_DENY: return "SOCKS4 Proxy deny the request";
 case CO_ER_SOCKS4_ABORT: return "SOCKS4 Proxy handshake aborted by server";
+
+ case CO_ERR_SSL_FATAL: return "SSL fatal error";
 }
 return NULL;
 }
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index b5da625fd..285a7c6ee 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
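Review bot: The new constant is spelled `CO_ERR_SSL_FATAL` while every other member of this enum uses the `CO_ER_` prefix (`CO_ER_SOCKS4_ABORT` on the line just above it), so the name falls outside the family anyone greps or pattern-matches on; renaming it to `CO_ER_SSL_FATAL` here, in the `conn_err_code_str` case in include/haproxy/connection.h and at both assignments in src/ssl_sock.c would keep the set consistent. Appending it after the SOCKS4 entries is the right choice since the value is exposed numerically (43 in doc/configuration.txt), and a one-line comment at the end of the enum such as `/* append new codes here: fc_conn_err values are documented numerically */` would keep the next contributor from inserting in the middle and silently renumbering the documented codes. The enum's opening line is visible only in the hunk header, so its surrounding definition is outside the hunk.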
@@ -6185,6 +6185,9 @@ static size_t ssl_sock_to_buf(struct connection *conn, void *xprt_ctx, struct bu
 break;
 } else if (ret == SSL_ERROR_ZERO_RETURN)
 goto read0;
+ else if (ret == SSL_ERROR_SSL) {
+ conn->err_code = CO_ERR_SSL_FATAL;
+ }
 /* For SSL_ERROR_SYSCALL, make sure to clear the error
 * stack before shutting down the connection for
 * reading. */
@@ -6346,6 +6349,9 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s
 #endif
 break;
 }
+ else if (ret == SSL_ERROR_SSL || ret == SSL_ERROR_SYSCALL) {
+ conn->err_code = CO_ERR_SSL_FATAL;
+ }
 goto out_error;
 }
 }
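Review bot: The read path records `CO_ERR_SSL_FATAL` only for `SSL_ERROR_SSL`, whereas the ssl_sock_from_buf hunk below records it for `SSL_ERROR_SSL || SSL_ERROR_SYSCALL`, so the same transport failure is classified in one direction and left unclassified in the other; the two sites should agree, and since the comment immediately after the new block treats `SSL_ERROR_SYSCALL` as a distinct case (clear the error stack, then shut down for reading) rather than an SSL-level fault, the write path is the one to narrow to `else if (ret == SSL_ERROR_SSL) {`. Both new assignments also overwrite whatever `conn->err_code` already holds; if the connection already carries a more specific code from an earlier stage, the guarded form `if (!conn->err_code) conn->err_code = CO_ERR_SSL_FATAL;` keeps the first, more precise cause, assuming the rest of the file follows that first-error-wins convention. The enclosing functions, and the error exit the read path reaches after the comment, lie outside the hunk.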