diff --git a/.gitignore b/.gitignore
index 5805b27d43687d5e212e0fd9b149f69821fff7ba..4b6639aa311f03d1a721187e9e6094d629a5fcca 100644
--- a/.gitignore
+++ b/.gitignore
@@ -52,3 +52,4 @@ doc
 /cov-int/
 /.vs/
 /build-mtls/
+/build-mingw64/
diff --git a/lib/tls/mbedtls/ssl.c b/lib/tls/mbedtls/ssl.c
index b81f88862b4ddc899c6e811d200d23c53ab98d01..69956f7d2b6d326b90ce72ba1dc5bd849e392107 100644
--- a/lib/tls/mbedtls/ssl.c
+++ b/lib/tls/mbedtls/ssl.c
@@ -99,6 +99,11 @@ lws_ssl_capable_read(struct lws *wsi, unsigned char *buf, int len)
 	if (n < 0) {
 		m = SSL_get_error(wsi->tls.ssl, n);
 		lwsl_debug("%p: ssl err %d errno %d\n", wsi, m, errno);
+		if (errno == LWS_ENOTCONN) {
+			/* If the socket isn't connected anymore, bail out. */
+			wsi->socket_is_permanently_unusable = 1;
+			return LWS_SSL_CAPABLE_ERROR;
+		}
 		if (m == SSL_ERROR_ZERO_RETURN ||
 		    m == SSL_ERROR_SYSCALL)
 			return LWS_SSL_CAPABLE_ERROR;
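Review bot: The added `errno == LWS_ENOTCONN` test at the top of the `n < 0` branch reads `errno` only after `SSL_get_error()` and `lwsl_debug()` have run, and it does not depend on the SSL error code `m`. A stale or overwritten `errno` on an otherwise retryable result could therefore set `socket_is_permanently_unusable` and drop a healthy connection. I would capture the value straight after the read call, which is outside this hunk, with something like `int en = errno;`, and test `en == LWS_ENOTCONN` here. If the wrapper reports this failure as `SSL_ERROR_SYSCALL` (not visible from the hunk), narrowing the condition to `if (m == SSL_ERROR_SYSCALL && en == LWS_ENOTCONN)` would also work. The existing comment could state that ENOTCONN is treated as fatal because no later read on this socket can succeed.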