[openssl-dev] [openssl.org #3851] bug report; error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac

Gola, Shailender K shailender.gola at verizon.com
Tue May 19 14:22:31 UTC 2015


I am reattaching previous communication for reference.

1) They are "not" two different platforms, merely the same command executed for 2 different versions of openssl. Please see attachment 1 below. It is possible that 1.0.2a was configured using config, where openssl picked defaults, and 0.9.8g was built using "./Configure solaris-x86-cc".

2) I rebuilt 1.0.2a using "./Configure solaris-x86-cc" please see attachment 2 showing " platform: solaris-x86-cc " (which I had done before as well)... and executed the program, resulting in same ssl errors on server side (05-19 09:48:44.427 SSLERR: SSL_connect/accept problem > error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record), and on client side (05-19 09:48:44.444 SSLERR: SSL_connect > error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac)

3) It is entirely possible that we may not be installing 1.0.2a correctly, for the system (please see attachment 1) for 32 bit, if so, please advise.

4) To your comment about "SHA2 may be broken" for newer version, sorry if I misled you. Our purpose for upgrade was, as I stated originally, to be able to support SHA2 and TLS1.1/1.2. But the newer version is producing errors (mentioned in #2 above) regardless of any types of certs used, SHA2 and otherwise.

5) As suggested by you, I have already installed openssl dropping optimization by altering openssl Makefile, along with dropping asm, compression, threads, etc. In the meanwhile I will repeat the tests dropping optimization from openssl and from the server program and will let you know. But if you think of any other scenario which might help in resolving the issue, please let me know.

Thanks

Shailender






========= attachment 1 =========

/home/v316509>system
SunOS uittqda1 5.10 Generic_148888-05 sun4u sparc SUNW,Sun-Fire-V240System = SunOS
Node = uittqda1
Release = 5.10
KernelID = Generic_148888-05
Machine = sun4u
BusType = <unknown>
Serial = <unknown>
Users = <unknown>
OEM# = 0
Origin# = 1
NumCPU = 2
 
/home/v316509>cd /home/v316509/ssl/openssl-1.0.2a/apps
/home/v316509/ssl/openssl-1.0.2a/apps>./openssl version -a                    
OpenSSL 1.0.2a 19 Mar 2015
built on: reproducible build, date unspecified
platform: solaris-sparcv9-cc
options:  bn(64,32) rc4(ptr,char) des(ptr,risc1,16,long) idea(int) blowfish(ptr) 
compiler: cc -I. -I.. -I../include  -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/local/ssl"
/home/v316509/ssl/openssl-1.0.2a/apps>cd /home/v336761/openssl/openssl-0.9.8g/apps
/home/v336761/openssl/openssl-0.9.8g/apps>./openssl version -a                        
OpenSSL 0.9.8g 19 Oct 2007
built on: Mon May 18 18:14:46 EDT 2015
platform: solaris-x86-cc
options:  bn(64,32) md2(int) rc4(ptr,char) des(ptr,cisc,16,long) idea(int) blowfish(ptr) 
compiler: cc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -fast -O -Xa
OPENSSLDIR: "/home/v336761/openssl/openssl-0.9.8g"
/home/v336761/openssl/openssl-0.9.8g/apps>

========= attachment 2 =========

/home/v316509/ssl/openssl-1.0.2a/apps>./openssl version -a
OpenSSL 1.0.2a 19 Mar 2015
built on: reproducible build, date unspecified
platform: solaris-x86-cc
options:  bn(64,32) rc4(ptr,char) des(ptr,cisc,16,long) idea(int) blowfish(ptr) 
compiler: cc -I. -I.. -I../include  -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -fast -xarch=generic -O -Xa
OPENSSLDIR: "/usr/local/ssl"
/home/v316509/ssl/openssl-1.0.2a/apps>

-----Original Message-----
From: Andy Polyakov via RT [mailto:rt at openssl.org] 
Sent: Tuesday, May 19, 2015 7:49 AM
To: Gola, Shailender K
Cc: openssl-dev at openssl.org
Subject: Re: [openssl-dev] [openssl.org #3851] bug report; error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac

> Objective also is to pinpoint the problem to specific algorithm on 
> specific platform. Mentioning two distinct platforms running different 
> versions, like SPARC running 1.0.2 and x86 0.9.8g, does not make 
> things clearer. You have to present evidence that directly supports 
> given assumption, i.e. that 1.0.2 fails on SPARC.

Of course you probably mean to say that this is evidence that SHA2 appears to be broken on SPARC. In order to make trouble-shooting more structured it's appropriate to double-check and confirm this by testing different s_client -cipher against s_server running on SPARC. Then to spare time one can drop optimization level only for affected module by manually removing corresponding .o, modifying CFLAG in top Makefile and re-running make. This way only couple of files will be recompiled so you don't have to wait for complete build (which is rather slow on SPARC).
In other words, identify algorithm first, then experiment with compiler optimization levels.

========

Thanks for the timely response... below is version we are using. I also must point out that we are currently using 0.9.8g for several years, I tried to upgrade to .9.8zf, and several 1.0.x versions and had the same error. The "./Configure solaris-x86-cc" was used to install openssl. Also below is 0.9.8g version which is in use currently. 

This is the version with issue (also 0.9.8zf and several 1.0.x has same errors)

/home/v316509/ssl/openssl-1.0.2a/apps>./openssl version -a
OpenSSL 1.0.2a 19 Mar 2015
built on: reproducible build, date unspecified
platform: solaris-sparcv9-cc
options:  bn(64,32) rc4(ptr,char) des(ptr,risc1,16,long) idea(int) blowfish(ptr)
compiler: cc -I. -I.. -I../include  -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/local/ssl"
/home/v316509/ssl/openssl-1.0.2a/apps>


This is the version in use with no issues :

/home/v336761/openssl/openssl-0.9.8g/apps>./openssl version -a
OpenSSL 0.9.8g 19 Oct 2007
built on: Mon May 18 18:14:46 EDT 2015
platform: solaris-x86-cc
options: bn(64,32) md2(int) rc4(ptr,char) des(ptr,cisc,16,long) idea(int) blowfish(ptr) 
compiler: cc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -fast -O -Xa
OPENSSLDIR: "/home/v336761/openssl/openssl-0.9.8g"



-----Original Message-----
From: Andy Polyakov via RT [mailto:rt at openssl.org] 
Sent: Monday, May 18, 2015 4:55 PM
To: Gola, Shailender K
Cc: openssl-dev at openssl.org
Subject: Re: [openssl-dev] [openssl.org #3851] bug report; error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac

> I am getting following error connecting to a server running on Solaris 10 only from other platform (Linux, HP, Windows). Connection is dropped by Solaris server after 1408F119 error.
> 
> error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad 
> record mac
> 
> (this is also true in all other version which support SHA2 and 
> TLS1/1.1/1.2, i.e. 0.9.8zf)
> 
> client side gets : error:140943FC:SSL routines:ssl3_read_bytes:sslv3 
> alert bad record mac
> 
> All platforms are using openssl 1.0.2a.

Including SPARC Solaris one? Is it correctly understood? If so, you probably have compiled it yourself. In such case, which compiler and next question would be how do we know it's not a compiler bug? Or in other words question is if you can confirm that problem persists even if you drop optimization level [when compiling OpenSSL].

> There are no issues connecting to/from other platforms except to server running on Solaris.
> 
> /home/v316509>cat /etc/release
> Solaris 10 11/06 s10s_u3wos_10 SPARC
> Copyright 2006 Sun Microsystems, Inc. All Rights Reserved.
> Use is subject to license terms.
> Assembled 14 November 2006
> 
> /home/v316509>uname -a
> SunOS uittqda1 5.10 Generic_148888-05 sun4u sparc SUNW,Sun-Fire-V240

Provide even output from 'openssl version -a'.
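
The following is an added example, not part of the thread or of OpenSSL: a small shell check that reads `openssl version -a` output, compares the Configure target on the `platform:` line with the CPU family in `uname -a`, and lists the `*_ASM` modules compiled in, which are the candidates when narrowing a failure down to one algorithm. The sample text is copied from the attachments above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Sample data copied from the attachments in this thread.
HOST='SunOS uittqda1 5.10 Generic_148888-05 sun4u sparc SUNW,Sun-Fire-V240'
ATT1='OpenSSL 1.0.2a 19 Mar 2015
platform: solaris-sparcv9-cc
compiler: cc -I. -I.. -I../include  -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DGHASH_ASM'
ATT2='OpenSSL 1.0.2a 19 Mar 2015
platform: solaris-x86-cc
compiler: cc -I. -I.. -I../include  -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -fast -xarch=generic -O -Xa'

# Print the Configure target from `openssl version -a` output on stdin.
build_target() {
    sed -n 's/^platform:[[:space:]]*//p' | head -n 1
}

# Map a Configure target or a uname string to a CPU family.
cpu_family() {
    case "$1" in
        *sparc*) echo sparc ;;
        *x86*|*i386*|*i86pc*|*amd64*) echo x86 ;;
        *) echo unknown ;;
    esac
}

# List the *_ASM defines found on the "compiler:" line, one per line.
asm_modules() {
    sed -n 's/^compiler:[[:space:]]*//p' | tr ' ' '\n' |
        sed -n 's/^-D\(.*_ASM.*\)$/\1/p'
}

# check_build VERSION_OUTPUT UNAME_OUTPUT: report whether target and host agree.
check_build() {
    target=$(printf '%s\n' "$1" | build_target)
    t=$(cpu_family "$target"); h=$(cpu_family "$2")
    if [ "$t" = "$h" ] && [ "$t" != unknown ]; then
        echo "match: $target on $h"
    else
        echo "mismatch: target $target ($t) on host $h"
    fi
}

check_build "$ATT1" "$HOST"            # attachment 1 build
check_build "$ATT2" "$HOST"            # attachment 2 build
printf '%s\n' "$ATT1" | asm_modules    # assembler modules in attachment 1
```

On a live system the same functions can be fed `"$(./openssl version -a)"` and `"$(uname -a)"` instead of the embedded samples.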