Hi, could someone help me?
I am using stunnel (4.07) as an SSL client (with libeay32.dll and libssl32.dll
version 0.9.7f) to telnet to my router, which runs an SSL server (openssl 0.9.7d
source modified to run on my machine).
After the protocol handshake I get this error:
SSL_read: 1408F455: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption
failed or bad record mac problem
Stunnel is configured in this way:
==========================
client = yes
debug=7
cert=clcert.pem
[telnet]
accept = 23
connect = 10.36.3.144:4433
==========================
My router's configuration is:
==========================
-Verify 4
-cert cert.pem
==========================
The exchange of packets:
==========================
client sends ======> Client Hello
server sends ======> Server Hello, Certificate, Certificate Request, Server Hello Done
client sends ======> Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message
server sends ======> Change Cipher Spec, Encrypted Handshake Message and then Application Data.
==========================
After a number of Application Data have been sent by the server, the client sends an
Encrypted Alert and closes the connection.
With debug enabled on the stunnel client I can see:
==========================
2005.03.15 11:13:44 LOG5[2040:3964]: stunnel 4.07 on x86-pc-mingw32-gnu
WIN32+IPv6 with OpenSSL 0.9.8-dev XX xxx XXXX
2005.03.15 11:13:44 LOG7[2040:2376]: Snagged 64 random bytes from C:/.rnd
2005.03.15 11:13:44 LOG7[2040:2376]: Wrote 1024 new random bytes to C:/.rnd
2005.03.15 11:13:44 LOG7[2040:2376]: RAND_status claims sufficient entropy for
the PRNG
2005.03.15 11:13:44 LOG6[2040:2376]: PRNG seeded successfully
2005.03.15 11:13:44 LOG7[2040:2376]: Certificate: clcert.pem
2005.03.15 11:13:44 LOG7[2040:2376]: Key file: clcert.pem
2005.03.15 11:13:44 LOG5[2040:2376]: No limit detected for the number of clients
2005.03.15 11:13:44 LOG7[2040:2376]: FD 188 in non-blocking mode
2005.03.15 11:13:44 LOG7[2040:2376]: SO_REUSEADDR option set on accept socket
2005.03.15 11:13:44 LOG7[2040:2376]: telnet bound to 0.0.0.0:23
2005.03.15 11:13:54 LOG7[2040:2376]: telnet accepted FD=192 from 127.0.0.1:1589
2005.03.15 11:13:54 LOG7[2040:2376]: FD 192 in non-blocking mode
2005.03.15 11:13:54 LOG7[2040:2376]: Creating a new thread
2005.03.15 11:13:54 LOG7[2040:2376]: New thread created
2005.03.15 11:13:54 LOG7[2040:3588]: telnet started
2005.03.15 11:13:54 LOG5[2040:3588]: telnet connected from 127.0.0.1:1589
2005.03.15 11:13:54 LOG7[2040:3588]: FD 224 in non-blocking mode
2005.03.15 11:13:54 LOG7[2040:3588]: telnet connecting 10.36.3.144:4433
2005.03.15 11:13:54 LOG7[2040:3588]: connect_wait: waiting 10 seconds
2005.03.15 11:13:54 LOG7[2040:3588]: connect_wait: connected
2005.03.15 11:13:54 LOG7[2040:3588]: Remote FD=224 initialized
2005.03.15 11:13:54 LOG7[2040:3588]: SSL state (connect): before/connect
initialization
2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 write client
hello A
2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 read server
hello A
2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 read server
certificate A
2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 read server
certificate request A
2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 read server
done A
2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 write client
certificate A
2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 write client
key exchange A
2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 write
certificate verify A
2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 write change
cipher spec A
2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 write finished A
2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 flush data
2005.03.15 11:14:26 LOG7[2040:3588]: SSL state (connect): SSLv3 read finished A
2005.03.15 11:14:26 LOG7[2040:3588]: 1 items in the session cache
2005.03.15 11:14:26 LOG7[2040:3588]: 1 client connects (SSL_connect())
2005.03.15 11:14:26 LOG7[2040:3588]: 1 client connects that finished
2005.03.15 11:14:26 LOG7[2040:3588]: 0 client renegotiatations requested
2005.03.15 11:14:26 LOG7[2040:3588]: 0 server connects (SSL_accept())
2005.03.15 11:14:26 LOG7[2040:3588]: 0 server connects that finished
2005.03.15 11:14:26 LOG7[2040:3588]: 0 server renegotiatiations requested
2005.03.15 11:14:26 LOG7[2040:3588]: 0 session cache hits
2005.03.15 11:14:26 LOG7[2040:3588]: 0 session cache misses
2005.03.15 11:14:26 LOG7[2040:3588]: 0 session cache timeouts
2005.03.15 11:14:26 LOG6[2040:3588]: SSL connected: new session negotiated
2005.03.15 11:14:26 LOG6[2040:3588]: Negotiated ciphers: AES256-SHA
SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
2005.03.15 11:14:41 LOG7[2040:3588]: SSL alert (write): fatal: bad record mac
2005.03.15 11:14:41 LOG3[2040:3588]: SSL_read: 1408F455: error:1408F455:SSL
routines:SSL3_GET_RECORD:decryption failed or bad record mac
2005.03.15 11:14:41 LOG5[2040:3588]: Connection reset: 17 bytes sent to SSL,
190 bytes sent to socket
2005.03.15 11:14:41 LOG7[2040:3588]: telnet finished (0 left)
==========================
If I choose another kind of cipher it works fine; for example, I use this
configuration:
==========================
client = yes
debug=7
cert=clcert.pem
ciphers = RC4-MD5
[telnet]
accept = 23
connect = 10.36.3.144:4433
==========================
I would like to know whether this is a known problem and what changes to make in my
code to resolve it (the *.c and *.h files to change compared to
0.9.7d; note that I can't use a patch
because the openssl server runs in a particular environment).
Thanks & Regards
Maddalena Pulcini
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List
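
A small triage script for a stunnel debug log like the one in the message above, added here as an example (it is not part of the original post and is not stunnel or OpenSSL code). It extracts the negotiated suite, which side raised the alert, and the longest pause between handshake states; the function name `triage`, the reading of the bracketed numbers as pid:thread, and the sample lines (abridged from the post, wrapped lines rejoined) are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample: lines abridged from the stunnel debug log in the post,
# with mail-wrapped lines rejoined.
SAMPLE_LOG = """\
2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 write finished A
2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 flush data
2005.03.15 11:14:26 LOG7[2040:3588]: SSL state (connect): SSLv3 read finished A
2005.03.15 11:14:26 LOG6[2040:3588]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
2005.03.15 11:14:41 LOG7[2040:3588]: SSL alert (write): fatal: bad record mac
2005.03.15 11:14:41 LOG5[2040:3588]: Connection reset: 17 bytes sent to SSL, 190 bytes sent to socket
"""

# Assumption: the bracketed pair is pid:thread, so group 4 identifies one connection.
LINE = re.compile(r"^(\d{4}\.\d\d\.\d\d \d\d:\d\d:\d\d) LOG(\d)\[(\d+):(\d+)\]: (.*)$")
CIPHER = re.compile(r"^Negotiated ciphers: (\S+)\s+(\S+).*\bEnc=(\S+)\s+Mac=(\S+)")
ALERT = re.compile(r"^SSL alert \((read|write)\): (\w+): (.+)$")
STATE = re.compile(r"^SSL state \((?:connect|accept)\): (.+)$")

def triage(log_text):
    """Summarise each connection thread: cipher, handshake timing, alerts."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # wrapped continuation or separator line
        ts = datetime.strptime(m.group(1), "%Y.%m.%d %H:%M:%S")
        s = sessions.setdefault(m.group(4), {"states": [], "alerts": []})
        msg = m.group(5)
        if (st := STATE.match(msg)):
            s["states"].append((ts, st.group(1)))
        elif (c := CIPHER.match(msg)):
            s.update(suite=c.group(1), proto=c.group(2), enc=c.group(3), mac=c.group(4))
        elif (a := ALERT.match(msg)):
            # "write" = alert generated locally, "read" = alert received from the peer
            sent_by = "local" if a.group(1) == "write" else "peer"
            s["alerts"].append({"time": ts, "sent_by": sent_by,
                                "level": a.group(2), "desc": a.group(3)})
    for s in sessions.values():
        # Longest pause between consecutive handshake states, in seconds
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(s["states"], s["states"][1:])]
        s["max_handshake_gap_s"] = max(gaps, default=0.0)
    return sessions
```

On the sample, the alert is reported as raised locally, meaning the stunnel client rejected a record it received, and the handshake shows a 31-second pause before the server's Finished message arrived.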