decryption failed or bad record mac error on SSL connection


decryption failed or bad record mac error on SSL connection

gperrow

I am seeing an error on some SSL connections between two different Windows machines. Both are using OpenSSL 1.0.1e. The error is:

3612:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:.\ssl\s3_pkt.c:484:

This shows up on a connection (the TLS client, if it matters) while downloading a large amount of data (a 70 MB file). The amount of data I can send/receive before the error happens differs but is rarely more than about 400 KB. Some googling showed many reports saying this was related to AES-NI, and that I should disable it using the OPENSSL_ia32cap environment variable, but this did not fix the problem. Plus it seems that my version of OpenSSL should contain the fix anyway.

I’m using SSLv23_server_method() and SSLv23_client_method() on the server and client respectively. The opts I’m using are SSL_OP_ALL|SSL_OP_NO_SSLv2, and the ciphers are “AES256-SHA:AES128-SHA:RC4-MD5”.

Anyone know what else might cause this problem or how I can avoid it?

Graeme Perrow


RE: decryption failed or bad record mac error on SSL connection

david.lloyd
Hi,

The bad MAC (message authentication context) error is OpenSSL detecting a problem with the integrity of your communication layer.  Normally this means that your packets are out of order or that you have lost some bytes.

Try doing a simple checksum of your encrypted data client and server side.  You'll probably find that you've miscalculated a buffer size or something.  Maybe you've got some packet fragmentation...

David L


> Message Received: Oct 03 2013, 07:30 PM
> From: "Perrow, Graeme" <[hidden email]>
> To: "[hidden email]" <[hidden email]>
> Cc:
> Subject: decryption failed or bad record mac error on SSL connection
>
>
> I am seeing an error on some SSL connections between two different Windows machines. Both are using OpenSSL 1.0.1e. The error is:
>
> 3612:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:.\ssl\s3_pkt.c:484:
>
> This shows up on a connection (the TLS client, if it matters) while downloading a large amount of data (a 70 MB file). The amount of data I can send/receive before the error happens differs but is rarely more than about 400 KB. Some googling showed many reports saying this was related to AES-NI, and that I should disable it using the OPENSSL_ia32cap environment variable, but this did not fix the problem. Plus it seems that my version of OpenSSL should contain the fix anyway.
>
> I'm using SSLv23_server_method() and SSLv23_client_method() on the server and client respectively. The opts I'm using are SSL_OP_ALL|SSL_OP_NO_SSLv2, and the ciphers are "AES256-SHA:AES128-SHA:RC4-MD5".
>
> Anyone know what else might cause this problem or how I can avoid it?
>
> Graeme Perrow
>
>
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
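
The checksum comparison suggested in the reply above, sketched as an added example (not code from either poster or from OpenSSL): each side keeps a running checksum of the raw encrypted bytes and records it every WINDOW bytes, so comparing the two lists shows the stream offset at which the transport first lost or reordered data. The names wire_tap, tap_feed and first_divergence, the FNV-1a checksum, the window size and the sample bytes are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WINDOW 256      /* bytes per checkpoint (assumed value) */
#define MAX_MARKS 64

/* Running FNV-1a over the raw bytes handed to send() or returned by recv(). */
typedef struct {
    uint32_t hash;               /* checksum of all bytes seen so far */
    size_t   total;              /* number of bytes seen so far */
    uint32_t marks[MAX_MARKS];   /* hash value at each WINDOW boundary */
    size_t   nmarks;
} wire_tap;

void tap_init(wire_tap *t) { memset(t, 0, sizeof *t); t->hash = 2166136261u; }

/* Feed bytes in wire order; chunk sizes do not matter, marks depend only on offsets. */
void tap_feed(wire_tap *t, const unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++) {
        t->hash = (t->hash ^ buf[i]) * 16777619u;
        if (++t->total % WINDOW == 0 && t->nmarks < MAX_MARKS)
            t->marks[t->nmarks++] = t->hash;
    }
}

/* Start offset of the first window whose checksums differ, or -1 if none do. */
long first_divergence(const wire_tap *a, const wire_tap *b) {
    size_t n = a->nmarks < b->nmarks ? a->nmarks : b->nmarks;
    for (size_t i = 0; i < n; i++)
        if (a->marks[i] != b->marks[i]) return (long)(i * WINDOW);
    return -1;
}

/* Constructed demo: 4096 stand-in ciphertext bytes, sent in 7-byte chunks and
   received in 13-byte chunks; the byte at index `drop` is lost in transit. */
long demo(size_t drop) {
    unsigned char tx[4096], rx[4096];
    size_t n = sizeof tx, m = 0;
    wire_tap s, r;
    for (size_t i = 0; i < n; i++) {
        tx[i] = (unsigned char)(i * 31 + 7);
        if (i != drop) rx[m++] = tx[i];
    }
    tap_init(&s); tap_init(&r);
    for (size_t i = 0; i < n; i += 7) tap_feed(&s, tx + i, n - i < 7 ? n - i : 7);
    for (size_t i = 0; i < m; i += 13) tap_feed(&r, rx + i, m - i < 13 ? m - i : 13);
    return first_divergence(&s, &r);
}

int main(void) {
    printf("intact: %ld, byte 1000 dropped: %ld\n", demo((size_t)-1), demo(1000));
}
```

On a real connection each side would call tap_feed at the point where it hands bytes to, or takes bytes from, the socket, and the two mark lists (together with the byte totals) would be compared afterwards.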

RE: decryption failed or bad record mac error on SSL connection

gperrow
This is certainly possible and I'm looking through my code now. But the same library code has been working for ten years on the Mac platform and now I'm porting it over to Windows and Linux.

Any other suggestions are welcome.

Graeme


-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of [hidden email]
Sent: Thursday, October 03, 2013 4:35 PM
To: [hidden email]; [hidden email]
Subject: RE: decryption failed or bad record mac error on SSL connection

Hi,

The bad MAC (message authentication context) error is OpenSSL detecting a problem with the integrity of your communication layer.  Normally this means that your packets are out of order or that you have lost some bytes.

Try doing a simple checksum of your encrypted data client and server side.  You'll probably find that you've miscalculated a buffer size or something.  Maybe you've got some packet fragmentation...

David L


> Message Received: Oct 03 2013, 07:30 PM
> From: "Perrow, Graeme" <[hidden email]>
> To: "[hidden email]" <[hidden email]>
> Cc:
> Subject: decryption failed or bad record mac error on SSL connection
>
>
> I am seeing an error on some SSL connections between two different Windows machines. Both are using OpenSSL 1.0.1e. The error is:
>
> 3612:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:.\ssl\s3_pkt.c:484:
>
> This shows up on a connection (the TLS client, if it matters) while downloading a large amount of data (a 70 MB file). The amount of data I can send/receive before the error happens differs but is rarely more than about 400 KB. Some googling showed many reports saying this was related to AES-NI, and that I should disable it using the OPENSSL_ia32cap environment variable, but this did not fix the problem. Plus it seems that my version of OpenSSL should contain the fix anyway.
>
> I'm using SSLv23_server_method() and SSLv23_client_method() on the server and client respectively. The opts I'm using are SSL_OP_ALL|SSL_OP_NO_SSLv2, and the ciphers are "AES256-SHA:AES128-SHA:RC4-MD5".
>
> Anyone know what else might cause this problem or how I can avoid it?
>
> Graeme Perrow
>
>
>