Hi, could someone help me?

I am using stunnel (4.07) as an SSL client (with libeay32.dll and libssl32.dll
version 0.9.7f) to telnet to my router, which runs an SSL server (openssl 0.9.7d
source modified to run on my machine).

After protocol handshake I get this error:

SSL_read: 1408F455: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac problem


Stunnel is configured in this way:

==========================
client = yes

debug=7
cert=clcert.pem
[telnet]
accept = 23
connect = 10.36.3.144:4433
==========================

My router's configuration is:

==========================
-Verify 4
-cert cert.pem
==========================

The exchange of packets:

==========================
client sends =====> Client Hello
server sends =====> Server Hello, Certificate, Certificate Request, Server Hello Done
client sends =====> Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message
server sends =====> Change Cipher Spec, Encrypted Handshake Message and then Application Data.
==========================

After the server has sent a number of Application Data messages, the client sends
an Encrypted Alert and closes the connection.
With debug enabled on the stunnel client I can see:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2005.03.15 11:13:44 LOG5[2040:3964]: stunnel 4.07 on x86-pc-mingw32-gnu WIN32+IPv6 with OpenSSL 0.9.8-dev XX xxx XXXX
2005.03.15 11:13:44 LOG7[2040:2376]: Snagged 64 random bytes from C:/.rnd
2005.03.15 11:13:44 LOG7[2040:2376]: Wrote 1024 new random bytes to C:/.rnd
2005.03.15 11:13:44 LOG7[2040:2376]: RAND_status claims sufficient entropy for the PRNG
2005.03.15 11:13:44 LOG6[2040:2376]: PRNG seeded successfully
2005.03.15 11:13:44 LOG7[2040:2376]: Certificate: clcert.pem
2005.03.15 11:13:44 LOG7[2040:2376]: Key file: clcert.pem
2005.03.15 11:13:44 LOG5[2040:2376]: No limit detected for the number of clients
2005.03.15 11:13:44 LOG7[2040:2376]: FD 188 in non-blocking mode
2005.03.15 11:13:44 LOG7[2040:2376]: SO_REUSEADDR option set on accept socket
2005.03.15 11:13:44 LOG7[2040:2376]: telnet bound to 0.0.0.0:23
2005.03.15 11:13:54 LOG7[2040:2376]: telnet accepted FD=192 from 127.0.0.1:1589
2005.03.15 11:13:54 LOG7[2040:2376]: FD 192 in non-blocking mode
2005.03.15 11:13:54 LOG7[2040:2376]: Creating a new thread
2005.03.15 11:13:54 LOG7[2040:2376]: New thread created
2005.03.15 11:13:54 LOG7[2040:3588]: telnet started
2005.03.15 11:13:54 LOG5[2040:3588]: telnet connected from 127.0.0.1:1589
2005.03.15 11:13:54 LOG7[2040:3588]: FD 224 in non-blocking mode
2005.03.15 11:13:54 LOG7[2040:3588]: telnet connecting 10.36.3.144:4433
2005.03.15 11:13:54 LOG7[2040:3588]: connect_wait: waiting 10 seconds
2005.03.15 11:13:54 LOG7[2040:3588]: connect_wait: connected
2005.03.15 11:13:54 LOG7[2040:3588]: Remote FD=224 initialized
2005.03.15 11:13:54 LOG7[2040:3588]: SSL state (connect): before/connect initialization
2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 write client hello A
2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 read server hello A
2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 read server certificate A
2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 read server certificate request A
2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 read server done A
2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 write client certificate A
2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 write client key exchange A
2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 write certificate verify A
2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 write change cipher spec A
2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 write finished A
2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 flush data
2005.03.15 11:14:26 LOG7[2040:3588]: SSL state (connect): SSLv3 read finished A
2005.03.15 11:14:26 LOG7[2040:3588]:    1 items in the session cache
2005.03.15 11:14:26 LOG7[2040:3588]:    1 client connects (SSL_connect())
2005.03.15 11:14:26 LOG7[2040:3588]:    1 client connects that finished
2005.03.15 11:14:26 LOG7[2040:3588]:    0 client renegotiatations requested
2005.03.15 11:14:26 LOG7[2040:3588]:    0 server connects (SSL_accept())
2005.03.15 11:14:26 LOG7[2040:3588]:    0 server connects that finished
2005.03.15 11:14:26 LOG7[2040:3588]:    0 server renegotiatiations requested
2005.03.15 11:14:26 LOG7[2040:3588]:    0 session cache hits
2005.03.15 11:14:26 LOG7[2040:3588]:    0 session cache misses
2005.03.15 11:14:26 LOG7[2040:3588]:    0 session cache timeouts
2005.03.15 11:14:26 LOG6[2040:3588]: SSL connected: new session negotiated
2005.03.15 11:14:26 LOG6[2040:3588]: Negotiated ciphers: AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
2005.03.15 11:14:41 LOG7[2040:3588]: SSL alert (write): fatal: bad record mac
2005.03.15 11:14:41 LOG3[2040:3588]: SSL_read: 1408F455: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
2005.03.15 11:14:41 LOG5[2040:3588]: Connection reset: 17 bytes sent to SSL, 190 bytes sent to socket
2005.03.15 11:14:41 LOG7[2040:3588]: telnet finished (0 left)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>


If I choose another kind of cipher it works fine; for example, I use this
configuration:

==========================
client = yes

debug=7
cert=clcert.pem
ciphers = RC4-MD5
[telnet]
accept = 23
connect = 10.36.3.144:4433
==========================

I would like to know if that is a known problem and which changes to make in my
code to resolve it (the *.c and *.h files to change compared to 0.9.7d; note
that I can't use a patch because the openssl server runs in a particular
environment).



Thanks & Regards
Maddalena Pulcini


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
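
An added example, not part of the original post and not stunnel or OpenSSL code: a small triage script that reads stunnel debug output, pairs each session's negotiated suite with any fatal "bad record mac" alert, and reports the cipher type and which side rejected the record. The second log session, the function names and the RC4-only stream-cipher rule are assumptions made for illustration.

```python
import re

# Constructed sample in stunnel 4.x debug format (lines unwrapped). The first
# session mirrors the failing AES256-SHA run in the post; the second is a
# made-up RC4-MD5 session that ends without an alert.
SAMPLE_LOG = """\
2005.03.15 11:14:26 LOG6[2040:3588]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
2005.03.15 11:14:41 LOG7[2040:3588]: SSL alert (write): fatal: bad record mac
2005.03.15 11:14:41 LOG3[2040:3588]: SSL_read: 1408F455: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
2005.03.15 11:14:41 LOG5[2040:3588]: Connection reset: 17 bytes sent to SSL, 190 bytes sent to socket
2005.03.15 11:20:02 LOG6[2040:3600]: Negotiated ciphers: RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
2005.03.15 11:21:10 LOG5[2040:3600]: Connection closed: 52 bytes sent to SSL, 310 bytes sent to socket
"""

LINE = re.compile(r"^\S+ \S+ LOG\d\[\d+:(\d+)\]: (.*)$")  # thread id, message
CIPHER = re.compile(r"Negotiated ciphers: (\S+)\s+(\S+)\s.*Enc=(\w+)\(\d+\)")
ALERT = re.compile(r"SSL alert \((read|write)\): (\w+): (.+)")
# Assumption: among SSLv3-era suites RC4 is the only stream cipher; any other
# Enc=NAME(bits) value (AES, 3DES, DES, ...) runs in CBC mode with padding.
STREAM_ENC = {"RC4"}

def summarize(log_text):
    """Map stunnel thread id -> negotiated suite, cipher type and alerts seen."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        tid, msg = m.groups()
        s = sessions.setdefault(
            tid, {"suite": None, "proto": None, "type": None, "alerts": []})
        c = CIPHER.search(msg)
        if c:
            s["suite"], s["proto"] = c.group(1), c.group(2)
            s["type"] = "stream" if c.group(3) in STREAM_ENC else "block/CBC"
        a = ALERT.search(msg)
        if a:
            # "write": this endpoint sent the alert, so it rejected a peer record
            s["alerts"].append(a.groups())
    return sessions

def mac_failures(sessions):
    """Return (suite, cipher type, rejecting side) per bad-MAC alert."""
    out = []
    for s in sessions.values():
        for direction, level, desc in s["alerts"]:
            if level == "fatal" and desc == "bad record mac":
                side = "local" if direction == "write" else "peer"
                out.append((s["suite"], s["type"], side))
    return out
```

Run over logs from several cipher settings, the output shows whether the failures are confined to block-cipher suites and which endpoint's records fail verification, which narrows the search to one side's record encryption or MAC code.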
