On Fri, Feb 20, 2004, Shea Janet B CRBE wrote:

> Everyone - 
> 
>    I am having trouble using SSL with apache for my website.
> 
>    Things will go along fine for a while - getting every page that I ask
>    for. Then, after an unpredictable amount of time, I will get "The page
>    cannot be displayed" in my browser window and the following message will
>    be written to apache's error_log:
> 
> [Fri Feb 20 14:14:06 2004] [error] mod_ssl: SSL handshake failed (server
> scribe.dt.navy.mil:443, client xxx.xxx.xxx.xxx) (OpenSSL library error
> follows)
> [Fri Feb 20 14:14:06 2004] [error] OpenSSL: error:1408F455:SSL
> routines:SSL3_GET_RECORD:decryption failed or bad record mac
> 
>    It is always the same ssl error. I have tried reading the openssl
>    documentation and searching in the archives, but I have found very little
>    to help me.
> 
>    I am wondering if the base problem is with openssl. When I compile it,
>    the configure and make appear to progress with no errors, but make test
>    will fail someplace within the bn_* tests. The exact failure varies, even
>    with simply repeating the make test step. I have tried this with
>    openssl-0.9.6l and with openssl-0.9.7c. By the way, I did see the
>    reference to errstr in the INSTALL document, but it does not exist as an
>    executable on my system - only as .c and .o files. (I went ahead and did
>    make install with the 0.9.6l version, despite the make test problems,
>    hoping that the errors were not significant, but ...)
> 
>     Pointers would be appreciated very much!
> 
>     Applicable software:
> 
>            Solaris 7
>            Apache 1.3.29
>            mod_ssl 2.8.16
>            egd 0.9
>            openssl 0.9.6l or openssl 0.9.7c
> 
> 

The actual command is 'openssl errstr error_number' but that won't help in this
case because you already have the human readable error message.

When SSL data is being transferred various consistency checks are made at
various times to ensure that the data is being transferred intact and no
corruption (accidental or malicious) is taking place. That error message means
one of the integrity checks has failed.

There are several possible reasons for that error. It could be data corruption
or it could be that your OpenSSL build isn't performing some calculation
correctly at some point. Your test failure with bn suggests the latter.

This could be due to a problem with OpenSSL or it could be a compiler bug of
some sort. What C compiler are you using? Could you recompile OpenSSL with a
newer version of the C compiler?

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
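
For triaging error_log entries like the one quoted in this thread, the following added example (not part of the original messages and not OpenSSL or mod_ssl code) pairs each "SSL handshake failed" line with the OpenSSL error line that follows it and splits the packed error code into its fields. It assumes the 8-bit library / 12-bit function / 12-bit reason packing used by OpenSSL releases before 3.0; the log sample, host name and client addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample in the two-line mod_ssl error_log layout quoted in the thread.
SAMPLE_LOG = """\
[Fri Feb 20 14:14:06 2004] [error] mod_ssl: SSL handshake failed (server www.example.test:443, client 192.0.2.10) (OpenSSL library error follows)
[Fri Feb 20 14:14:06 2004] [error] OpenSSL: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
[Fri Feb 20 14:15:30 2004] [notice] constructed unrelated line
[Fri Feb 20 14:19:52 2004] [error] mod_ssl: SSL handshake failed (server www.example.test:443, client 192.0.2.77) (OpenSSL library error follows)
[Fri Feb 20 14:19:52 2004] [error] OpenSSL: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
[Fri Feb 20 14:31:08 2004] [error] mod_ssl: SSL handshake failed (server www.example.test:443, client 192.0.2.10) (OpenSSL library error follows)
[Fri Feb 20 14:31:08 2004] [error] OpenSSL: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
"""

HANDSHAKE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] mod_ssl: SSL handshake failed "
    r"\(server (?P<server>[^,]+), client (?P<client>[^)]+)\)")
OSSL_ERROR = re.compile(
    r"^\[[^\]]+\] \[error\] OpenSSL: error:(?P<code>[0-9A-Fa-f]{8}):"
    r"[^:]*:(?P<func>[^:]*):(?P<reason>.*)$")

def decode_code(code_hex):
    """Split a packed error code into (library, function, reason) numbers.
    Assumption: pre-3.0 OpenSSL packing of 8 + 12 + 12 bits."""
    value = int(code_hex, 16)
    return (value >> 24) & 0xFF, (value >> 12) & 0xFFF, value & 0xFFF

def parse_failures(text):
    """Return one record per handshake failure that has an OpenSSL error line."""
    failures, pending = [], None
    for line in text.splitlines():
        hs = HANDSHAKE.match(line)
        if hs:
            pending = hs.groupdict()   # wait for the library error on the next line
            continue
        err = OSSL_ERROR.match(line)
        if err and pending:
            lib, func_num, reason_num = decode_code(err["code"])
            failures.append({**pending, "code": err["code"].upper(), "lib": lib,
                             "func_num": func_num, "reason_num": reason_num,
                             "func": err["func"], "reason": err["reason"].strip()})
        pending = None                 # any other line breaks the pairing
    return failures

def summarize(failures):
    """Count failures per (client, reason) so recurring causes stand out."""
    return Counter((f["client"], f["reason"]) for f in failures)

if __name__ == "__main__":
    for (client, reason), n in summarize(parse_failures(SAMPLE_LOG)).items():
        print(f"{n:3d}  {client:15s}  {reason}")
```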
