Hello,

Perhaps you could try specifying only RSA ciphers, just as a test. Most times I have found issues with old clients, especially Java 1.6 ones and older; they have issues with all sorts of Diffie-Hellman exchanges.
On another note, openssl 1.0.2 is EOL; perhaps you should try to compile 1.1.1 and compile 2.4.46 against it first.

Cheers

On Thu, 10 Jun 2021 at 18:31, Piemonti, Matteo (<matteo.piemo...@accenture.com.invalid>) wrote:
>
> Hi,
> the only TLS available is TLS 1.2 and only 4 ciphers are configured:
>
> # TLS 1.2 (suites in server-preferred order)
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>
> But the problem is random even with the same cipher used
> (TLS_DHE_RSA_WITH_AES_256_GCM_SHA384)
>
> The certificate is from an official CA and it is configured on apache with
> Server cert, Intermediate and key. SSLLabs doesn't show any problem on it.
>
>
> Thank you
>
> Matteo
>
> -----Original Message-----
> From: Ran Mozes <ran.mo...@oracle.com>
> Sent: Thursday, 10 June 2021 11:16
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] [External] Re: [users@httpd] Struggling with "decryption failed or bad record mac" error
>
> Hi Matteo,
>
> sounds like various issues could be the root cause. Maybe a negotiation issue on the TLS version and/or the Ciphers used?
> Another option, the error "SSL3_GET_RECORD:decryption failed or bad record mac" could also imply that something is wrong with the certificates being used.
>
> HTH,
> Ran
>
> > On 09.06.2021 at 10:06, Piemonti, Matteo <matteo.piemo...@accenture.com.INVALID> wrote:
> >
> > Hi,
> > does anyone have any suggestion about this topic?
> >
> >
> > Thanks
> > Matteo
> >
> > -----Original Message-----
> > From: Piemonti, Matteo
> > Sent: Monday, 24 May 2021 09:56
> > To: users@httpd.apache.org
> > Subject: RE: [External] Re: [users@httpd] Struggling with "decryption failed or bad record mac" error
> >
> > Hi,
> > in my first message you can find a lot of information...
> > The only TLS available is TLS 1.2 and the openssl version is OpenSSL 1.0.2k-fips (the last one of RedHat 7.9); we have this random problem only from a customer that is using .net. In my opinion it should be a client problem, but it is hard to demonstrate.
> > Which specific directives do you want to see of httpd-ssl.conf?
> >
> >
> > Matteo
> >
> > -----Original Message-----
> > From: Daniel Ferradal <dferra...@apache.org>
> > Sent: Sunday, 23 May 2021 20:49
> > To: <users@httpd.apache.org> <users@httpd.apache.org>
> > Subject: [External] Re: [users@httpd] Struggling with "decryption failed or bad record mac" error
> >
> > Hello,
> >
> > Perhaps you may provide more info, like the openssl version you are using, your SSL related directives in your server, the openssl version or SSL version of the client, the protocol the client is trying to use.
> >
> > Also, is this happening with all clients? Just one?
> >
> > Can you reproduce it with the "openssl s_client -connect" command? Or even curl? etc.
> >
> > On Fri, 21 May 2021 at 12:25, Piemonti, Matteo (<matteo.piemo...@accenture.com.invalid>) wrote:
> >>
> >> Hi,
> >>
> >> we're having a weird error on the Apache httpd server that I can't understand how to troubleshoot, and it is not clear to me if it is our problem (apache http server) or a problem of the caller.
> >>
> >> We actually have this configuration:
> >>
> >> Server version: Apache/2.4.46 (Unix)
> >> Server built: May 13 2021 05:46:31
> >> Server's Module Magic Number: 20120211:93
> >> Server loaded: APR 1.6.5, APR-UTIL 1.6.1
> >> Compiled using: APR 1.6.5, APR-UTIL 1.6.1
> >> Architecture: 64-bit
> >> Server MPM: event
> >>   threaded: yes (fixed thread count)
> >>   forked: yes (variable process count)
> >> Server compiled with....
> >> -D APR_HAS_SENDFILE
> >> -D APR_HAS_MMAP
> >> -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
> >> -D APR_USE_SYSVSEM_SERIALIZE
> >> -D APR_USE_PTHREAD_SERIALIZE
> >> -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
> >> -D APR_HAS_OTHER_CHILD
> >> -D AP_HAVE_RELIABLE_PIPED_LOGS
> >> -D DYNAMIC_MODULE_LIMIT=256
> >> -D HTTPD_ROOT="/data/apache2_frontend"
> >> -D SUEXEC_BIN="/data/apache2_frontend/bin/suexec"
> >> -D DEFAULT_PIDLOG="logs/httpd.pid"
> >> -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
> >> -D DEFAULT_ERRORLOG="logs/error_log"
> >> -D AP_TYPES_CONFIG_FILE="conf/mime.types"
> >> -D SERVER_CONFIG_FILE="conf/httpd.conf"
> >>
> >> The problem we have is that during the ssl handshake we can see (only with debug or tcpdump) an "SSL Library Error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac" in the apache httpd error_log.
> >>
> >> No other logs are written into access_log.
> >>
> >> How is it possible to troubleshoot it and understand where the problem is (caller? network? receiver?)
> >>
> >> Some logs from trace:
> >>
> >> [Wed May 12 17:52:04.134409 2021] [ssl:debug] [pid 10532:tid 140112100849408] ssl_engine_kernel.c(1741): [client ip:port] AH02275: Certificate Verification, depth 2, CRL checking mode: none (0) [subject: CN=etc etc etc]
> >> [Wed May 12 17:52:04.134553 2021] [ssl:debug] [pid 10532:tid 140112100849408] ssl_engine_kernel.c(1741): [client ip:port] AH02275: Certificate Verification, depth 1, CRL checking mode: none (0) [subject: CN=etc etc etc]
> >> [Wed May 12 17:52:04.134681 2021] [ssl:debug] [pid 10532:tid 140112100849408] ssl_engine_kernel.c(1741): [client ip:port] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: CN=etc etc etc]
> >> [Wed May 12 17:52:04.134705 2021] [ssl:trace3] [pid 10532:tid 140112100849408] ssl_engine_kernel.c(2192): [client ip:port] OpenSSL: Loop: SSLv3 read client certificate A
> >> [Wed May 12 17:52:04.138368 2021] [ssl:trace3] [pid 10532:tid 140112100849408] ssl_engine_kernel.c(2192): [client ip:port] OpenSSL: Loop: SSLv3 read client key exchange A
> >> [Wed May 12 17:52:04.138492 2021] [ssl:trace3] [pid 10532:tid 140112100849408] ssl_engine_kernel.c(2192): [client ip:port] OpenSSL: Loop: SSLv3 read certificate verify A
> >> [Wed May 12 17:52:04.138513 2021] [ssl:trace4] [pid 10532:tid 140112100849408] ssl_engine_io.c(2214): [client ip:port] OpenSSL: read 5/5 bytes from BIO#7f6e2000ff60 [mem: 7f6e2c06f653]
> >> [Wed May 12 17:52:04.138519 2021] [ssl:trace4] [pid 10532:tid 140112100849408] ssl_engine_io.c(2214): [client ip:port] OpenSSL: read 1/1 bytes from BIO#7f6e2000ff60 [mem: 7f6e2c06f658]
> >> [Wed May 12 17:52:04.138568 2021] [ssl:trace4] [pid 10532:tid 140112100849408] ssl_engine_io.c(2214): [client ip:port] OpenSSL: read 5/5 bytes from BIO#7f6e2000ff60 [mem: 7f6e2c06f653]
> >> [Wed May 12 17:52:04.138586 2021] [ssl:trace4] [pid 10532:tid 140112100849408] ssl_engine_io.c(2214): [client ip:port] OpenSSL: read 40/40 bytes from BIO#7f6e2000ff60 [mem: 7f6e2c06f658]
> >> [Wed May 12 17:52:04.138600 2021] [ssl:trace4] [pid 10532:tid 140112100849408] ssl_engine_io.c(2214): [client ip:port] OpenSSL: write 7/7 bytes to BIO#7f6e20010f50 [mem: 7f6e3c03f763]
> >> [Wed May 12 17:52:04.138607 2021] [core:trace6] [pid 10532:tid 140112100849408] core_filters.c(525): [client ip:port] will flush because of FLUSH bucket
> >> [Wed May 12 17:52:04.138639 2021] [ssl:trace4] [pid 10532:tid 140112100849408] ssl_engine_io.c(2214): [client ip:port] OpenSSL: write 7/7 bytes to BIO#7f6e20011d50 [mem: 7f6e20004950]
> >> [Wed May 12 17:52:04.138669 2021] [core:trace6] [pid 10532:tid 140112100849408] core_filters.c(525): [client ip:port] will flush because of FLUSH bucket
> >> [Wed May 12 17:52:04.138676 2021] [ssl:trace3] [pid 10532:tid 140112100849408] ssl_engine_kernel.c(2202): [client ip:port] OpenSSL: Write: error
> >> [Wed May 12 17:52:04.138680 2021] [ssl:trace3] [pid 10532:tid 140112100849408] ssl_engine_kernel.c(2221): [client ip:port] OpenSSL: Exit: error in error
> >> [Wed May 12 17:52:04.138690 2021] [ssl:info] [pid 10532:tid 140112100849408] [client ip:port] AH02008: SSL library error 1 in handshake (server server:port)
> >> [Wed May 12 17:52:04.138711 2021] [ssl:info] [pid 10532:tid 140112100849408] SSL Library Error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
> >> [Wed May 12 17:52:04.138720 2021] [ssl:info] [pid 10532:tid 140112100849408] [client ip:port] AH01998: Connection closed to child 448 with abortive shutdown (server server:port)
> >>
> >>
> >> Thank you
> >>
> >> Matteo Piemonti
> >>
> >
> > --
> > Daniel Ferradal
> > HTTPD Project
> > #httpd help at Libera.Chat
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> > For additional commands, e-mail: users-h...@httpd.apache.org

--
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
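As an added example (not code from the thread or from the httpd project), a small probe script that follows the advice in the thread: it drives "openssl s_client" through the four suites Matteo listed, one suite at a time and repeatedly, so an intermittent "bad record mac" can be tied to a particular key exchange (DHE versus ECDHE). Host, port, round count and the CLIENT_CERT/CLIENT_KEY environment names are assumed placeholders; the quoted trace fails on the first encrypted record after the client's certificate verify, so the probe can present a client certificate when the server requests one.

```shell
#!/bin/sh
# Added example (not from the thread): probe the server one suite at a time so
# an intermittent "bad record mac" can be tied to a key exchange (DHE/ECDHE).

# IANA suite names as quoted in the thread -> names "openssl s_client -cipher"
# expects. Exact for the four RSA/AES-GCM suites listed; others need own rules.
iana_to_openssl() {
    printf '%s\n' "$1" | sed -e 's/^TLS_//' -e 's/_WITH//' \
        -e 's/AES_256/AES256/' -e 's/AES_128/AES128/' -e 's/_/-/g'
}

# Classify one s_client transcript: "ok" when a suite was negotiated,
# "bad-record-mac" for the exact error quoted in the thread, else "failed".
classify_handshake() {
    case "$1" in
        *"decryption failed or bad record mac"*) echo bad-record-mac ;;
        *"Cipher is (NONE)"*) echo failed ;;
        *"Cipher is "*) echo ok ;;
        *) echo failed ;;
    esac
}

# One TLS 1.2 handshake restricted to a single suite (-servername sends SNI).
# The quoted trace dies right after the client's certificate verify, so when
# the server requests a client certificate, set CLIENT_CERT and CLIENT_KEY
# (assumed env names; paths without spaces) to present one.
probe_cipher() {  # host port iana_suite
    openssl s_client -connect "$1:$2" -servername "$1" -tls1_2 \
        -cipher "$(iana_to_openssl "$3")" \
        ${CLIENT_CERT:+-cert $CLIENT_CERT -key $CLIENT_KEY} </dev/null 2>&1
}

# Repeat each suite: the failure is intermittent, so one success proves little.
probe_all() {  # host port rounds
    for suite in TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 \
                 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 \
                 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 \
                 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256; do
        i=0
        while [ "$i" -lt "$3" ]; do
            i=$((i + 1))
            printf '%s round %d: %s\n' "$suite" "$i" \
                "$(classify_handshake "$(probe_cipher "$1" "$2" "$suite")")"
        done
    done
}

# Usage: sh probe.sh <host> <port> <rounds>   (all three are placeholders)
if [ "$#" -eq 3 ]; then probe_all "$1" "$2" "$3"; fi
```

If only the DHE suites ever report bad-record-mac, the Diffie-Hellman path Daniel suspects is the place to look; if every suite fails at the same rate, the client-certificate step or the client library itself becomes the better suspect.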