Hello Dave, Thank you for your response, yes I am using Ubuntu 12.0 and recently did a ubuntu openssl page upgrade and got ubuntu 1.0.1-4ubuntu5.14 installed
OpenSSL 1.0.1 14 Mar 2012 built on: Fri Jun 20 18:54:15 UTC 2014 platform: debian-amd64 As you pointed yes the server preference is set on the origin side. --David On Tue, Jul 22, 2014 at 9:17 AM, Dave Thompson <dthomp...@prinpay.com> wrote: > You can’t be running 1.0.1 as released; it doesn’t have > BLOCK_CIPHER_PAD_IS_WRONG > > in s3_pkt at all (instead in s3_enc and t1_enc) and doesn’t have > UNKNOWN_ALERT_TYPE > > at that line number. BLOCK_CIPHER_PAD is at 419 in 1.0.1e through g, and > > UNKNOWN_ALERT_TYPE shortly before (but not at) 1270 in 1.0.1 (original) > through g. > > > > Google finds https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742152 > > reporting (in March through May) 1408F081 and some other “shouldn’t happen” > errors > > but without source/line#s, against several Debian-patched builds of 1.0.1e. > > Are you using a Debian or Debian-derived build? If not, did you build it > yourself, > > and how, or who did? > > > > Also BTW: with HIGH (and nothing else added) !MD5 and !EXP are redundant. > > And moving to end exactly one of the several dozen (new) SHA2 suites > > doesn’t make particular sense. (+3DES makes some sense, because on > > many CPUs now 3DES is slower than AES and possibly less secure. > > Although this makes a difference only if server preference is set.) > > > > *From:* owner-openssl-us...@openssl.org [ > mailto:owner-openssl-us...@openssl.org <owner-openssl-us...@openssl.org>] *On > Behalf Of *davidsnt > *Sent:* Monday, July 21, 2014 07:03 > *To:* openssl-users > *Subject:* Openssl SSL3_GET_RECORD:block cipher pad is wrong > > > > Hi, > > I recently changed my cipher ordering on my web server to drop RC4 support > and currently I have > HIGH:!RC4:!MD5:!aNULL:!EDH:!EXP:+ECDHE-RSA-AES128-SHA256:+3DES > on my Origin. > > On the other side my proxy load balancer which acts as the reverse proxy > supports the following cipher suites RC4:HIGH:!aNULL:!MD5 > > > > Both the origin server and proxy runs the same openssl version > > OpenSSL 1.0.1 14 Mar 2012 > > I see the following errors on my origin server logs from when I changed > the cipher suit to > HIGH:!RC4:!MD5:!aNULL:!EDH:!EXP:+ECDHE-RSA-AES128-SHA256:+3DES > > > > 07/16 08:29:23.712888 ssl_support.c:158 ssl[31473] ERR > (76:accept:[xxx.xxx.xxx.xx]:60004:443): OpenSSL Error 336130177 in > s3_pkt.c:410 is 'error:1408F081:SSL routines:SSL3_GET_RECORD:block cipher > pad is wrong' > > > 07/16 13:06:51.721824 ssl_support.c:158 ssl[16812] ERR > (105:accept:[xxx.xxx.xxx.xx]:44048:443): OpenSSL Error 336150774 in > s3_pkt.c:1270 is 'error:140940F6:SSL routines:SSL3_READ_BYTES:unknown alert > type' > > I couldn't find why these errors are triggred, can you please help me with > some information on the errors and let me know the best way to fix it. > > --David >
