I did a build with openssl-0.9.8-stable-SNAP-20060209 and the no-zlib option. I still find the same problem.
I'll investigate some of the other suggestions now.
Michael
On 2/8/06, Kyle Hamilton <[EMAIL PROTECTED]> wrote:
Dr. Henson:
May I direct your attention to the thread entitled "RE: [openssl.org
#1204]: bad record mac because of wrong SSL_OP_TLS_BLOCK_PADDING_BUG
handling" on the openssl-dev list? It appears to be because of a zlib
size calculation change.
However, the specifics are slightly different between that case and this one.
-Kyle H
On 2/8/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
> On Wed, Feb 08, 2006, Michael Smith wrote:
>
> >
> > A follow-up to my own post from last week. I've done some more digging -
> > hopefully this is enough for someone to offer some suggestions.
> >
> > I have been trying different versions of openssl with apache on solaris and
> > sun cc. With versions >= 0.9.7 (see below exact list of releases tested) I
> > get the following error when trying to connect with Firefox with SSL3:
> >
> > [Wed Feb 8 14:08:07 2006] [error] mod_ssl: SSL handshake failed (server
> > xxx:443, client 192.168.0.4) (OpenSSL library error follows)
> > [Wed Feb 8 14:08:07 2006] [error] OpenSSL: error:1408F455:SSL
> > routines:SSL3_GET_RECORD:decryption failed or bad record mac
> >
> > And the browser displays a popup saying "incorrect Message Authentication
> > Code"
> >
> > Note that there are no problems whatsoever with IE, and that I can also get
> > things to work fine if I set firefox or the web server not to use SSL3.
> >
> > The exact versions of openssl that I have tested are:
> >
> > * openssl-0.9.6b: works fine
> > * openssl-0.9.6m: works fine
> > * openssl-0.9.7a: fails
> > * openssl-0.9.7e: fails
> > * openssl-0.9.7i: fails
> > * openssl-0.9.8: fails
> > * openssl-0.9.8-stable-SNAP-20060131: fails
> >
> > Any ideas would be gratefully received. Of course, using old versions of
> > openssl causes other problems ...
> >
>
> Firstly, don't use apache for your tests; instead use the OpenSSL s_server
> utility. If you include the -www option it will display a status page in a web
> browser if it works OK.
>
> You can also check various options out such as -bugs and -no_tls1 to see if
> that helps.
>
> If you created the certificates yourself check that the certificate chain you
> are using doesn't include duplicate serial numbers. This won't happen if you
> use the CA.pl command (be careful with 0.9.8 because it has a bug: use a
> recent snapshot instead). However there are numerous "cookbooks" out there of
> varying quality which use all manner of weird commands and can produce
> non-compliant certificates.
>
> It might be an idea to start with a fresh firefox certificate database when
> doing the tests. If you create a new profile you'll start with the default
> one.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager [EMAIL PROTECTED]
>
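The duplicate-serial check suggested in the quoted reply can be automated. The following is an added example, not code from the thread or from the OpenSSL project: it reads a PEM chain file and reports any serial number that one issuer has used for two different certificates, since X.509 requires serial numbers to be unique per issuer. The function names are hypothetical, and the sample chains are constructed, unsigned certificate skeletons used only to exercise the parser.

```python
import base64, re
from collections import defaultdict

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_serial(der):
    """Extract (issuer Name bytes, serialNumber) from one DER certificate."""
    _, pos, _ = read_tlv(der, 0)           # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)         # tbsCertificate SEQUENCE
    tag, start, end = read_tlv(der, pos)
    if tag == 0xA0:                        # optional [0] version field
        tag, start, end = read_tlv(der, end)
    serial = int.from_bytes(der[start:end], "big", signed=True)
    _, _, alg_end = read_tlv(der, end)     # skip signature AlgorithmIdentifier
    _, _, name_end = read_tlv(der, alg_end)
    return der[alg_end:name_end], serial

def duplicate_serials(pem_text):
    """Return serials reused by the same issuer across different certificates."""
    seen = defaultdict(set)
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode(body)       # newlines in the body are ignored
        seen[issuer_and_serial(der)].add(der)
    return sorted(serial for (_, serial), ders in seen.items() if len(ders) > 1)

# --- constructed sample input: skeletal, unsigned certificate structures ---
def tlv(tag, value):
    return bytes([tag, len(value)]) + value   # short-form lengths only (< 128)

def fake_cert(issuer, subject, serial):
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn))))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial]))
              + tlv(0x30, b"") + name(issuer) + tlv(0x30, b"") + name(subject))
    der = tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

BAD_CHAIN = fake_cert(b"Test CA", b"Test CA", 0) + fake_cert(b"Test CA", b"www.example.test", 0)
GOOD_CHAIN = fake_cert(b"Test CA", b"Test CA", 0) + fake_cert(b"Test CA", b"www.example.test", 1)

if __name__ == "__main__":
    print("reused serials:", duplicate_serials(BAD_CHAIN))
```

To check a real chain, pass the contents of the PEM file the server is configured with to `duplicate_serials`; an empty list means no issuer has reused a serial within that file.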