Recently I found that an SSL-enabled server using openssl (version 0.9.6j) cannot talk correctly to the Netscape browser (and IE). I am using stunnel v4.04 as the SSL server to accept https requests from client browsers, but the client browsers always complain of "bad message authentication". The stunnel log shows:

2003.03.05 13:20:33 LOG7[2417:8194]: SSL state (accept): SSLv3 read client hello A
2003.03.05 13:20:33 LOG7[2417:8194]: SSL state (accept): SSLv3 write server hello A
2003.03.05 13:20:33 LOG7[2417:8194]: SSL state (accept): SSLv3 write certificate A
2003.03.05 13:20:33 LOG7[2417:8194]: SSL state (accept): SSLv3 write server done A
2003.03.05 13:20:33 LOG7[2417:8194]: SSL state (accept): SSLv3 flush data
2003.03.05 13:20:33 LOG7[2417:8194]: waitforsocket: FD=8, DIR=read
2003.03.05 13:20:35 LOG7[2417:8194]: waitforsocket: ok
2003.03.05 13:20:35 LOG7[2417:8194]: SSL state (accept): SSLv3 read client key exchange A
2003.03.05 13:20:35 LOG7[2417:8194]: waitforsocket: FD=8, DIR=read
2003.03.05 13:20:35 LOG7[2417:8194]: waitforsocket: ok
2003.03.05 13:20:35 LOG7[2417:8194]: SSL alert (write): fatal: bad record mac
2003.03.05 13:20:35 LOG3[2417:8194]: SSL_accept: 1408F455: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac



And if I use wget or the openssl utility (they all use the openssl lib) to connect to the same server, they do not have the same problem. I also used ssldump to record the sessions for both the bad and good cases:


Bad case (use Netscape 4.76):

5 1  0.0000 (0.0000)  C>S SSLv2 compatible client hello
  Version 3.0
  cipher suites
  SSL2_CK_RC4
  SSL2_CK_RC4_EXPORT40
  SSL2_CK_RC2
  SSL2_CK_RC2_EXPORT40
  SSL2_CK_DES
  SSL2_CK_3DES
  SSL_RSA_WITH_RC4_128_MD5
  Unknown value 0xfeff
  SSL_RSA_WITH_3DES_EDE_CBC_SHA
  Unknown value 0xfefe
  SSL_RSA_WITH_DES_CBC_SHA
  SSL_RSA_EXPORT1024_WITH_RC4_56_SHA
  SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA
  SSL_RSA_EXPORT_WITH_RC4_40_MD5
  SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
5 2  0.0000 (0.0000)  S>CV3.0(74)  Handshake
      ServerHello
        Version 3.0
        random[32]=
          3e 65 f4 d3 41 6a 20 ec 4f 66 62 b5 0b fe 15 91
          d6 aa f1 28 62 9f 2e 17 c8 a2 f8 cf a7 2e 15 e0
        session_id[32]=
          fc f0 55 46 a0 0d b6 c4 89 16 9f 58 ed c7 c6 30
          0d a9 1f 9f d4 40 04 f9 be 64 4e 9e 0d f2 4e 7b
        cipherSuite         SSL_RSA_WITH_RC4_128_MD5
        compressionMethod                   NULL
5 3  0.0000 (0.0000)  S>CV3.0(682)  Handshake
      Certificate
5 4  0.0000 (0.0000)  S>CV3.0(4)  Handshake
      ServerHelloDone
5 5  1.0900 (1.0900)  C>SV3.0(132)  Handshake
      ClientKeyExchange
        EncryptedPreMasterSecret[128]=
          67 e7 bd 85 03 b8 5f a3 57 f0 f2 b6 63 8d d7 1b
          ea 65 f1 53 ef 6b 32 0b 49 a3 30 02 4c 91 8f 57
          bc 9c d0 55 52 f9 5c b7 f3 70 28 db a9 8a 48 35
          4a ae b7 1b 09 57 5d 16 08 7e 15 0e 81 e9 04 90
          79 19 bb de 97 8b 46 be d9 a9 bc 05 fe 5a 99 d9
          b0 64 19 a1 24 9a f4 d0 6a 1b 74 ac 2e 03 3e d2
          59 8b be 3a 56 a0 01 d9 ca e3 c2 97 8f 51 3f b8
          07 bb f0 83 8d d6 2a b0 c8 30 a1 78 d7 18 35 de
5 6  1.1300 (0.0400)  C>SV3.0(1)  ChangeCipherSpec
5 7  1.1300 (0.0000)  C>SV3.0(56)  Handshake
      Finished
        md5_hash[16]=
          2c 58 12 bc a7 ff 00 d1 b0 c5 77 85 45 d9 16 49
        sha_hash[20]=
          c0 8f ca 4b f4 ed 68 64 04 aa ea 4e ca ce c4 61
          e3 af 05 0a
5 8  1.1400 (0.0100)  S>CV3.0(2)  Alert
    level           fatal
    value           bad_record_mac
5    1.1400 (0.0000)  S>C  TCP RST


Good case (use openssl, and intentionally forced it to use the same cipher as Netscape used):


9 1  0.0100 (0.0100)  C>S SSLv2 compatible client hello
  Version 3.0
  cipher suites
  SSL_RSA_WITH_RC4_128_MD5
  SSL2_CK_RC464
  SSL2_CK_RC4
9 2  0.0100 (0.0000)  S>CV3.0(74)  Handshake
      ServerHello
        Version 3.0
        random[32]=
          3e 65 f9 51 0e 40 11 43 04 64 d1 d8 e2 eb 52 21
          6a e5 15 b8 4f 8c 4e 80 dc 2a b1 b1 9b c3 b0 58
        session_id[32]=
          49 ec 52 81 6d 4a 53 25 25 72 f0 6e 17 78 60 9a
          34 3f ba 62 58 e7 b6 56 67 89 f5 c6 0f 28 18 97
        cipherSuite         SSL_RSA_WITH_RC4_128_MD5
        compressionMethod                   NULL
9 3  0.0100 (0.0000)  S>CV3.0(682)  Handshake
      Certificate
9 4  0.0100 (0.0000)  S>CV3.0(4)  Handshake
      ServerHelloDone
9 5  0.0100 (0.0000)  C>SV3.0(132)  Handshake
      ClientKeyExchange
        EncryptedPreMasterSecret[128]=
          14 6b bf a3 6d ea 9b e9 bb 08 a6 cf 27 b5 c1 ca
          bc 49 33 e6 e3 a1 da 01 fa b3 95 f7 7f a3 74 27
          b9 98 f1 58 9d ab a4 a6 33 10 94 8f 8c f5 f3 0c
          8d 59 7b 4f 30 d7 c4 f3 35 06 a0 6d 2d dc 10 27
          6f fd 60 39 08 cb 6c ee 22 6f de ea 8f 32 31 8a
          68 9a 23 ea c7 4b d2 08 ad a6 08 d4 e0 a6 91 3c
          79 37 ec 4c 1f d0 d1 c5 22 7d f8 52 9d 9f 05 97
          e9 a1 d3 b0 e3 46 69 a4 65 8c 92 9a 1b b4 15 4c
9 6  0.0100 (0.0000)  C>SV3.0(1)  ChangeCipherSpec
9 7  0.0100 (0.0000)  C>SV3.0(56)  Handshake
9 8  0.0200 (0.0100)  S>CV3.0(1)  ChangeCipherSpec
9 9  0.0200 (0.0000)  S>CV3.0(56)  Handshake
9 10 9.6400 (9.6200)  C>SV3.0(31)  application_data
9 11 9.8000 (0.1600)  C>SV3.0(17)  application_data
9 12 9.8100 (0.0100)  S>CV3.0(776)  application_data
9 13 9.8100 (0.0000)  S>CV3.0(18)  Alert
9    9.8100 (0.0000)  S>C  TCP FIN
9 14 9.8100 (0.0000)  C>SV3.0(18)  Alert
9    9.8100 (0.0000)  C>S  TCP FIN


Does any openssl developer have any clue what goes wrong? Thanks very much.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
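
The side-by-side reading of the two ssldump traces in the post can be done mechanically. This is an added example, not part of the original message: it parses the record header lines copied from both traces and reports the first record at which they differ. The function names are illustrative.

```python
import re

# ssldump record header: conn, seq, time, (delta), direction, optional V<ver>(<len>), type.
RECORD = re.compile(r"^\d+\s+(\d+)\s+[\d.]+\s+\([\d.]+\)\s+"
                    r"(C>S|S>C)\s*(?:V[\d.]+\((\d+)\))?\s+(\S.*?)\s*$")

# Record header lines copied from the two traces in the post (record bodies omitted).
BAD = """\
5 1  0.0000 (0.0000)  C>S SSLv2 compatible client hello
5 2  0.0000 (0.0000)  S>CV3.0(74)  Handshake
5 3  0.0000 (0.0000)  S>CV3.0(682)  Handshake
5 4  0.0000 (0.0000)  S>CV3.0(4)  Handshake
5 5  1.0900 (1.0900)  C>SV3.0(132)  Handshake
5 6  1.1300 (0.0400)  C>SV3.0(1)  ChangeCipherSpec
5 7  1.1300 (0.0000)  C>SV3.0(56)  Handshake
5 8  1.1400 (0.0100)  S>CV3.0(2)  Alert
5    1.1400 (0.0000)  S>C  TCP RST
"""
GOOD = """\
9 1  0.0100 (0.0100)  C>S SSLv2 compatible client hello
9 2  0.0100 (0.0000)  S>CV3.0(74)  Handshake
9 3  0.0100 (0.0000)  S>CV3.0(682)  Handshake
9 4  0.0100 (0.0000)  S>CV3.0(4)  Handshake
9 5  0.0100 (0.0000)  C>SV3.0(132)  Handshake
9 6  0.0100 (0.0000)  C>SV3.0(1)  ChangeCipherSpec
9 7  0.0100 (0.0000)  C>SV3.0(56)  Handshake
9 8  0.0200 (0.0100)  S>CV3.0(1)  ChangeCipherSpec
9 9  0.0200 (0.0000)  S>CV3.0(56)  Handshake
"""

def parse_records(trace):
    """Return (seq, direction, content_type, length) per record; TCP events are skipped."""
    out = []
    for line in trace.splitlines():
        m = RECORD.match(line)
        if m:
            seq, direction, length, ctype = m.groups()
            out.append((int(seq), direction, ctype, int(length) if length else None))
    return out

def first_divergence(a, b):
    """Compare wire-visible header fields only (direction, type, length), ignoring seq."""
    for i, (ra, rb) in enumerate(zip(a, b)):
        if ra[1:] != rb[1:]:
            return {"last_common": a[i - 1] if i else None, "a": ra, "b": rb}
    return None  # no difference within the common prefix

if __name__ == "__main__":
    print(first_divergence(parse_records(BAD), parse_records(GOOD)))
```

On these traces the two sessions have identical record headers through the client's 56-byte Handshake record, the first one sent after ChangeCipherSpec. The server answers that record with an Alert in the bad case and with its own ChangeCipherSpec in the good case.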
