I am still getting these errors in my webserver logs. Can someone help me to solve this?

On Jul 22, 2014 3:28 PM, "davidsnt" <david...@gmail.com> wrote:

> Hello Dave,
>
> Thank you for your response, yes I am using Ubuntu 12.0 and recently did a
> ubuntu openssl page upgrade and got ubuntu 1.0.1-4ubuntu5.14 installed
>
> OpenSSL 1.0.1 14 Mar 2012
> built on: Fri Jun 20 18:54:15 UTC 2014
> platform: debian-amd64
>
> As you pointed out, yes, the server preference is set on the origin side.
>
> --David
>
> On Tue, Jul 22, 2014 at 9:17 AM, Dave Thompson <dthomp...@prinpay.com> wrote:
>
>> You can’t be running 1.0.1 as released; it doesn’t have
>> BLOCK_CIPHER_PAD_IS_WRONG in s3_pkt at all (instead in s3_enc and t1_enc)
>> and doesn’t have UNKNOWN_ALERT_TYPE at that line number. BLOCK_CIPHER_PAD
>> is at 419 in 1.0.1e through g, and UNKNOWN_ALERT_TYPE shortly before (but
>> not at) 1270 in 1.0.1 (original) through g.
>>
>> Google finds https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742152
>> reporting (in March through May) 1408F081 and some other “shouldn’t happen”
>> errors but without source/line#s, against several Debian-patched builds of
>> 1.0.1e. Are you using a Debian or Debian-derived build? If not, did you
>> build it yourself, and how, or who did?
>>
>> Also BTW: with HIGH (and nothing else added) !MD5 and !EXP are redundant.
>> And moving to end exactly one of the several dozen (new) SHA2 suites
>> doesn’t make particular sense. (+3DES makes some sense, because on
>> many CPUs now 3DES is slower than AES and possibly less secure.
>> Although this makes a difference only if server preference is set.)
>>
>> *From:* owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
>> *On Behalf Of* davidsnt
>> *Sent:* Monday, July 21, 2014 07:03
>> *To:* openssl-users
>> *Subject:* Openssl SSL3_GET_RECORD:block cipher pad is wrong
>>
>> Hi,
>>
>> I recently changed my cipher ordering on my web server to drop RC4
>> support and currently I have
>> HIGH:!RC4:!MD5:!aNULL:!EDH:!EXP:+ECDHE-RSA-AES128-SHA256:+3DES
>> on my Origin.
>>
>> On the other side my proxy load balancer which acts as the reverse proxy
>> supports the following cipher suites RC4:HIGH:!aNULL:!MD5
>>
>> Both the origin server and proxy run the same openssl version
>>
>> OpenSSL 1.0.1 14 Mar 2012
>>
>> I see the following errors on my origin server logs from when I changed
>> the cipher suite to
>> HIGH:!RC4:!MD5:!aNULL:!EDH:!EXP:+ECDHE-RSA-AES128-SHA256:+3DES
>>
>> 07/16 08:29:23.712888 ssl_support.c:158 ssl[31473] ERR (76:accept:[xxx.xxx.xxx.xx]:60004:443): OpenSSL Error 336130177 in s3_pkt.c:410 is 'error:1408F081:SSL routines:SSL3_GET_RECORD:block cipher pad is wrong'
>>
>> 07/16 13:06:51.721824 ssl_support.c:158 ssl[16812] ERR (105:accept:[xxx.xxx.xxx.xx]:44048:443): OpenSSL Error 336150774 in s3_pkt.c:1270 is 'error:140940F6:SSL routines:SSL3_READ_BYTES:unknown alert type'
>>
>> I couldn't find why these errors are triggered, can you please help me
>> with some information on the errors and let me know the best way to fix it.
>>
>> --David
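
The two log entries quoted in this thread, decoded field by field, as an added example that is not part of the original messages or of OpenSSL: it shows how the decimal number in the log, the hex string and the `file:line` pair relate, which is what lets a reported error be matched against a specific source build. It assumes the OpenSSL 1.0.x error packing (8-bit library, 12-bit function, 12-bit reason); the helper names `unpack` and `decode_line` are illustrative, and the name tables cover only the values seen in the thread.

```python
import re

# OpenSSL 1.0.x packs an error code as lib (8 bits) | func (12 bits) | reason (12 bits).
# The name tables hold only the values that occur in the two log lines from the thread.
LIBS = {20: "SSL routines"}
FUNCS = {143: "SSL3_GET_RECORD", 148: "SSL3_READ_BYTES"}
REASONS = {129: "block cipher pad is wrong", 246: "unknown alert type"}

# The two log entries from the thread, each rejoined onto one line.
SAMPLE_LOG = [
    "07/16 08:29:23.712888 ssl_support.c:158 ssl[31473] ERR "
    "(76:accept:[xxx.xxx.xxx.xx]:60004:443): OpenSSL Error 336130177 in "
    "s3_pkt.c:410 is 'error:1408F081:SSL routines:SSL3_GET_RECORD:"
    "block cipher pad is wrong'",
    "07/16 13:06:51.721824 ssl_support.c:158 ssl[16812] ERR "
    "(105:accept:[xxx.xxx.xxx.xx]:44048:443): OpenSSL Error 336150774 in "
    "s3_pkt.c:1270 is 'error:140940F6:SSL routines:SSL3_READ_BYTES:"
    "unknown alert type'",
]

LOG_RE = re.compile(
    r"OpenSSL Error (?P<dec>\d+) in (?P<file>[\w.]+):(?P<line>\d+) is "
    r"'error:(?P<hex>[0-9A-Fa-f]{8}):(?P<text>[^']*)'"
)

def unpack(code):
    """Split a packed 1.0.x error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def decode_line(line):
    """Decode one log line; return None if it carries no OpenSSL error."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    code = int(m["dec"])
    lib, func, reason = unpack(code)
    names = (LIBS.get(lib, "?"), FUNCS.get(func, "?"), REASONS.get(reason, "?"))
    return {
        "fields": (lib, func, reason),
        "names": names,
        "source": (m["file"], int(m["line"])),  # where the build raised it
        "dec_matches_hex": code == int(m["hex"], 16),
        "text_matches_fields": m["text"] == ":".join(names),
    }

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(decode_line(entry))
```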