Problems porting Openssl 1.1.1d to zos.

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Problems porting Openssl 1.1.1d to zos.

OpenSSL - User mailing list
Is there anyone on this group with experience with ebcdic platforms,
specifically zOS?  I have built 1.1.1d on zOS and connections to my
server work for firefox 60 but not newer versions.  I don't know exactly
where the cut off is or what they changed but current versions get an
HMAC error.  I strongly suspect that it is keying the hmac with some
combination of inputs that include an improperly translated text string,
but I don't know for sure.  Its quite hard to track down when you don't
have a debugger.

The error message:

> An error occurred during a connection to cafe.na.tibco.com:1802. SSL
> received a record with an incorrect Message Authentication Code. Error
> code: SSL_ERROR_BAD_MAC_READ

If anyone can suggest an approach to figuring this out I'd be grateful.


Wendell Nichols

Reply | Threaded
Open this post in threaded view
|

Re: Problems porting Openssl 1.1.1d to zos.

Matthias St. Pierre

On 11.11.19 16:42, Wendell Nichols via openssl-users wrote:

> Is there anyone on this group with experience with ebcdic platforms, specifically zOS?  I have built 1.1.1d on zOS and connections to my server work for firefox 60 but not newer versions.  I don't know exactly where the cut off is or what they changed but current versions get an HMAC error.  I strongly suspect that it is keying the hmac with some combination of inputs that include an improperly translated text string, but I don't know for sure.  Its quite hard to track down when you don't have a debugger.
>
> The error message:
>
>> An error occurred during a connection to cafe.na.tibco.com:1802. SSL received a record with an incorrect Message Authentication Code. Error code: SSL_ERROR_BAD_MAC_READ
>
> If anyone can suggest an approach to figuring this out I'd be grateful.
>
>
> Wendell Nichols
>

Incidentally, I just merged a pull request that fixed a misspelled EBCDIC string to master and 1.1.1.

https://github.com/openssl/openssl/pull/10396#issuecomment-552506972

But I have no idea whether it is related to your problem. Nevertheless, you might want to retry with the current tip of the OpenSSL_1_1_1-stable branch.


Regards,
Matthias

Reply | Threaded
Open this post in threaded view
|

Re: Problems porting Openssl 1.1.1d to zos.

Matthias St. Pierre
Please see also GitHub issue #4154, in particular

https://github.com/openssl/openssl/issues/4154#issuecomment-552838141


Reply | Threaded
Open this post in threaded view
|

Re: Problems porting Openssl 1.1.1d to zos.

Patrick Steuer-2
In reply to this post by OpenSSL - User mailing list
 > An error occurred during a connection to cafe.na.tibco.com:1802. SSL
 > received a record with an incorrect Message Authentication Code. Error
 > code: SSL_ERROR_BAD_MAC_READ

In case this error occurs with a chacha-poly cipher suite,
the following PR probably has a fix:
https://github.com/openssl/openssl/pull/10417

Patrick