Dr. Henson: May I direct your attention to the thread entitled "RE: [openssl.org #1204]: bad record mac because of wrong SSL_OP_TLS_BLOCK_PADDING_BUG handling" on the openssl-dev list? It appears to be because of a zlib size calculation change.
However, the specifics are slightly different between that case and this one.

-Kyle H

On 2/8/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
> On Wed, Feb 08, 2006, Michael Smith wrote:
>
> > A follow-up to my own post from last week. I've done some more digging - hopefully this is enough for someone to offer some suggestions.
> >
> > I have been trying different versions of openssl with apache on solaris and sun cc. With versions >= 0.9.7 (see below exact list of releases tested) I get the following error when trying to connect with Firefox with SSL3:
> >
> > [Wed Feb 8 14:08:07 2006] [error] mod_ssl: SSL handshake failed (server xxx:443, client 192.168.0.4) (OpenSSL library error follows)
> > [Wed Feb 8 14:08:07 2006] [error] OpenSSL: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
> >
> > And the browser displays a popup saying "incorrect Message Authentication Code"
> >
> > Note that there are no problems whatsoever with IE, and that I can also get things to work fine if I set firefox or the web server not to use SSL3.
> >
> > The exact versions of openssl that I have tested are:
> >
> > * openssl-0.9.6b: works fine
> > * openssl-0.9.6m: works fine
> > * openssl-0.9.7a: fails
> > * openssl-0.9.7e: fails
> > * openssl-0.9.7i: fails
> > * openssl-0.9.8: fails
> > * openssl-0.9.8-stable-SNAP-20060131: fails
> >
> > Any ideas would be gratefully received. Of course, using old versions of openssl causes other problems ...
>
> Firstly, don't use apache for your tests; instead use the OpenSSL s_server utility. If you include the -www option it will display a status page in a web browser if it works OK.
>
> You can also check various options out such as -bugs and -no_tls1 to see if that helps.
>
> If you created the certificates yourself check that the certificate chain you are using doesn't include duplicate serial numbers. This won't happen if you use the CA.pl command (be careful with 0.9.8 because it has a bug: use a recent snapshot instead). However there are numerous "cookbooks" out there of varying quality which use all manner of weird commands and can produce non-compliant certificates.
>
> It might be an idea to start with a fresh firefox certificate database when doing the tests. If you create a new profile you'll start with the default one.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager [EMAIL PROTECTED]
> ______________________________________________________________________
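An added example, not from the thread, of the duplicate-serial check Steve suggests: it walks each certificate's DER just far enough to read `serialNumber` and reports any serial that repeats within a PEM chain. The sample chain is constructed from minimal stand-in structures (version plus serial only, not real certificates) so the check runs offline; on a real deployment you would pass the contents of the server's chain file to `duplicate_serials`.

```python
import base64
import re
from collections import Counter

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def cert_serial(der):
    """serialNumber of a DER X.509 certificate: first INTEGER in tbsCertificate after the optional version."""
    tag, pos, _ = _tlv(der, 0)             # Certificate ::= SEQUENCE
    assert tag == 0x30, "not a SEQUENCE"
    tag, pos, _ = _tlv(der, pos)           # tbsCertificate ::= SEQUENCE
    assert tag == 0x30, "not a SEQUENCE"
    tag, start, end = _tlv(der, pos)
    if tag == 0xA0:                        # optional [0] EXPLICIT version comes first; skip it
        tag, start, end = _tlv(der, end)
    assert tag == 0x02, "serialNumber must be an INTEGER"
    return int.from_bytes(der[start:end], "big", signed=True)


def duplicate_serials(pem_chain):
    """Map serial -> count for every serial that appears more than once in the chain."""
    serials = [cert_serial(base64.b64decode(m.group(1))) for m in PEM_RE.finditer(pem_chain)]
    return {s: c for s, c in Counter(serials).items() if c > 1}


def _der(tag, content):
    """Short-form DER TLV encoder (enough for the tiny constructed inputs below)."""
    return bytes([tag, len(content)]) + content


def fake_cert_pem(serial):
    """Constructed stand-in: a SEQUENCE holding only version v3 and a serial, NOT a real cert."""
    raw = serial.to_bytes((serial.bit_length() + 8) // 8, "big", signed=True)
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, raw))
    b64 = base64.b64encode(_der(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed chain: the CA cert and the server cert were both issued with serial 1.
SAMPLE_CHAIN = fake_cert_pem(1) + fake_cert_pem(2) + fake_cert_pem(1)

if __name__ == "__main__":
    print(duplicate_serials(SAMPLE_CHAIN))  # {1: 2}
```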