You can’t be running 1.0.1 as released; it doesn’t have BLOCK_CIPHER_PAD_IS_WRONG
in s3_pkt at all (instead in s3_enc and t1_enc) and doesn’t have UNKNOWN_ALERT_TYPE at that line number. BLOCK_CIPHER_PAD is at 419 in 1.0.1e through g, and UNKNOWN_ALERT_TYPE shortly before (but not at) 1270 in 1.0.1 (original) through g. Google finds https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742152 reporting (in March through May) 1408F081 and some other “shouldn’t happen” errors but without source/line#s, against several Debian-patched builds of 1.0.1e. Are you using a Debian or Debian-derived build? If not, did you build it yourself, and how, or who did? Also BTW: with HIGH (and nothing else added) !MD5 and !EXP are redundant. And moving to end exactly one of the several dozen (new) SHA2 suites doesn’t make particular sense. (+3DES makes some sense, because on many CPUs now 3DES is slower than AES and possibly less secure. Although this makes a difference only if server preference is set.) From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of davidsnt Sent: Monday, July 21, 2014 07:03 To: openssl-users Subject: Openssl SSL3_GET_RECORD:block cipher pad is wrong Hi, I recently changed my cipher ordering on my web server to drop RC4 support and currently I have HIGH:!RC4:!MD5:!aNULL:!EDH:!EXP:+ECDHE-RSA-AES128-SHA256:+3DES on my Origin. On the other side my proxy load balancer which acts as the reverse proxy supports the following cipher suites RC4:HIGH:!aNULL:!MD5 Both the origin server and proxy runs the same openssl version OpenSSL 1.0.1 14 Mar 2012 I see the following errors on my origin server logs from when I changed the cipher suit to HIGH:!RC4:!MD5:!aNULL:!EDH:!EXP:+ECDHE-RSA-AES128-SHA256:+3DES 07/16 08:29:23.712888 ssl_support.c:158 ssl[31473] ERR (76:accept:[xxx.xxx.xxx.xx]:60004:443): OpenSSL Error 336130177 in s3_pkt.c:410 is 'error:1408F081:SSL routines:SSL3_GET_RECORD:block cipher pad is wrong' 07/16 13:06:51.721824 ssl_support.c:158 ssl[16812] ERR (105:accept:[xxx.xxx.xxx.xx]:44048:443): OpenSSL Error 336150774 in s3_pkt.c:1270 is 'error:140940F6:SSL routines:SSL3_READ_BYTES:unknown alert type' I couldn't find why these errors are triggred, can you please help me with some information on the errors and let me know the best way to fix it. --David
