[openssl-users] Possible bug - SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER error in FireFox 44.0

Shaun Amyotte shaun.amyotte at gmail.com
Wed Feb 17 19:58:02 UTC 2016


Hello,

I'm hoping you could provide some assistance in diagnosing/investigating an
issue my users are experiencing with Firefox. Our CDN is using
OpenSSL 1.0.1j-1.4.0.420. In addition to the below, I did try contacting
Dr. Henson on this topic (his name was referenced in some of the old online
posts) but suspect he has other pressing matters to deal with.  I've
included the body of the message to him here:

--
I'd be thankful for your guidance in an issue I'm investigating.  The error
in the subject has been encountered at random by some of my users when
using Firefox.  In researching this issue I've come across a number of
dated articles/bits of information that suggest at one point there was a
bug in OpenSSL 0.9.8g that caused this error.

Since this is a client side error, I understand this may no longer be tied
to the original OpenSSL bug, however I was hoping to rule it out.  In doing
so I wanted to trace the changelist referenced in the firefox bug post @
https://bugzilla.mozilla.org/show_bug.cgi?id=430703 however it looks as
though the transition to GitHub has since made the link obsolete.  The link
in question is http://cvs.openssl.org/chngview?cn=17098 and there is
reference to your involvement in this issue.

I've checked the release notes @
https://www.openssl.org/news/changelog.html#x35 between g to h and h to i
to see if I could get any details that way, but admittedly much of the SSL
jargon is Greek to me.

Is there anything you could offer that would help me trace the change that
was implemented in 17098 ?
--

---------- Forwarded message ---------
From: Martin Thomson <mt at mozilla.com>
Date: Tue, Feb 16, 2016 at 5:40 PM
Subject: Re: SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER error in Firefox 44.0
To: mozilla's crypto code discussion list <dev-tech-crypto at lists.mozilla.org>


Hi Shaun,

As the documentation suggests, this is very likely a server problem. We
have recently audited the NSS state machine and I think it would be
unlikely that this is a client issue.

I would definitely look at the servers. Old versions of openssl are full of
holes anyway.

If you are able to capture logs for an affected connection and share those
we might be able to help you diagnose the issue. Or maybe you can point us
at a public endpoint that reliably produces the error.

--Martin
On Feb 17, 2016 1:50 AM, "Shaun Amyotte" <shaun.amyotte at gmail.com> wrote:

> Hello,
>
> I initially posted this to support.mozilla.org @
>
> https://support.mozilla.org/en-US/questions/1109175?utm_campaign=questions-reply&utm_medium=email&utm_source=notification
>
> who suggested I redirect this to the news group.
>
> Any assistance you could provide would be appreciated
> --
>
> The error in the subject has been encountered at random by some of my
> users when using Firefox. In researching this issue I've come across a
> number of
> dated articles/bits of information that suggest at one point there was a
> bug in OpenSSL 0.9.8g that caused this error. We are running
> 1.0.1j-1.4.0.420
>
> Since this is a client side error, I understand this may no longer be tied
> to the original OpenSSL bug, however I was hoping to rule it out. In doing
> so I wanted to trace the changelist referenced in the firefox bug post @
> https://bugzilla.mozilla.org/show_bug.cgi?id=430703 however it looks as
> though the transition to GitHub has since made the link obsolete. The link
> in question is http://cvs.openssl.org/chngview?cn=17098 and there is
> reference to your involvement in this issue.
>
> I have sent an email to one of the developers at OpenSSL who was
> referenced in the links above but have not heard back. What I'm
> wondering is if there
> is any client side tracing/debugging I can enable to get more details on
> this issue?
>
> The error is referenced here but provides limited guidance beyond 'it's a
> server side issue'
>
> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/SSL_functions/sslerr.html
>
> --
> --
> dev-tech-crypto mailing list
> dev-tech-crypto at lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>