ssl3_get_record:decryption failed on some machines
Fernando Gutierrez Mendez
fergtm at hyperion.io
Mon Nov 18 18:44:54 UTC 2019
Hi,
I wrote an application that uses OpenSSL (1.1.1) and for the past couple of weeks I have been unable to solve a very strange issue.
I use non-blocking IO with an SSL BIO, so a call to BIO_read eventually returns -1. When this happens I call BIO_should_retry to test if this is due to an error or because of the underlying non-blocking transport.
This code works correctly but after transferring between 1Mb and 5Mb (it varies every time) BIO_should_retry returns false and SSL_get_error returns SSL_ERROR_SSL. The error is "139964546914112:error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac:../ssl/record/ssl3_record.c:677"
The very strange thing is that this code has been working correctly and transferring several Gb without any issues on a couple of machines. I started getting the error in a virtual machine from a popular VPS provider that uses AMD CPUs and in one physical machine using an older Intel CPU.
Works correctly on:
Intel Celeron CPU J1800
Virtual Machine on Intel Core i7-5820K
Virtual Machine on Intel Xeon E5-2697
Fails every time on:
Intel Pentium G2020T
Virtual Machine on AMD EPYC 7601
All machines are using "OpenSSL 1.1.1 11 Sep 2018" on "Ubuntu 18.04.3 LTS"
Things I tried:
- Playing with OPENSSL_ia32cap to force disable PCLMULQDQ/AES-NI, this makes no difference
- Running my app under valgrind. It does not report any error but the problem does not reproduce
- Instead of using the distro provided build I downloaded and compiled from https://github.com/openssl/openssl/archive/OpenSSL_1_1_1d.tar.gz, it also made no difference
I understand this could be a bug in my code but I can't figure out why it only happens on some machines.
Any help is appreciated.
Thanks
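
The error line quoted in the message above packs the library, function and reason numbers into its hex field (1408F119). As an added example, not part of the original post and not OpenSSL's own code, this C parser splits such a line and unpacks that field with the OpenSSL 1.1.x bit layout; the struct, enum and function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* One line as printed by ERR_print_errors() in OpenSSL 1.1.1:
 * <thread id>:error:<packed code, hex>:<lib>:<func>:<reason>:<file>:<line> */
struct ossl_err {
    unsigned long code;
    int lib, func, reason;              /* unpacked from code */
    char lib_text[64], func_text[64], reason_text[96], file[128];
    int line;
};

/* Numeric values from the 1.1.1 headers (ERR_LIB_SSL and
 * SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); local names are hypothetical. */
enum { LIB_SSL = 20, R_BAD_RECORD_MAC = 281 };

/* Returns 0 on success, -1 if the line does not match the format. */
int parse_ossl_err(const char *s, struct ossl_err *e)
{
    int n = sscanf(s, "%*[0-9]:error:%lx:%63[^:]:%63[^:]:%95[^:]:%127[^:]:%d",
                   &e->code, e->lib_text, e->func_text, e->reason_text,
                   e->file, &e->line);
    if (n != 6)
        return -1;
    /* 1.1.x packing: 8-bit library, 12-bit function, 12-bit reason.
     * OpenSSL 3.x packs the code differently, so this is 1.1.x only. */
    e->lib    = (int)((e->code >> 24) & 0xFF);
    e->func   = (int)((e->code >> 12) & 0xFFF);
    e->reason = (int)(e->code & 0xFFF);
    return 0;
}

/* True when the record layer rejected a record (decrypt or MAC check). */
int is_record_mac_failure(const struct ossl_err *e)
{
    return e->lib == LIB_SSL && e->reason == R_BAD_RECORD_MAC;
}

/* The error line quoted in the message above. */
static const char SAMPLE[] = "139964546914112:error:1408F119:SSL routines:"
    "ssl3_get_record:decryption failed or bad record mac:"
    "../ssl/record/ssl3_record.c:677";

int main(void)
{
    struct ossl_err e;
    if (parse_ossl_err(SAMPLE, &e) != 0)
        return 1;
    printf("lib=%d func=%d reason=%d mac_failure=%d at %s:%d\n",
           e.lib, e.func, e.reason, is_record_mac_failure(&e), e.file, e.line);
    return 0;
}
```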
More information about the openssl-users mailing list