[openssl-users] How to debug SSLV3_ALERT_BAD_RECORD_MAC

Viktor Dukhovni openssl-users at dukhovni.org
Wed Apr 26 13:17:04 UTC 2017

> On Apr 26, 2017, at 3:39 AM, Matt Caswell <matt at openssl.org> wrote:
> I'd start by looking at the end-to-end pipe between the client SSL/TLS
> stack and the server stack and validating that the records look sane and
> unchanged at each step.

Well before that, I'd try to find out what's different about the 1.0.2k
handshake, by comparing the negotiated protocol, ciphersuite and extensions
with those negotiated with the previous version used.

It would be appropriate to post which version of OpenSSL was used previously.
It is also important to make sure that the headers and dev libraries are from
the same 1.0.2 release and that the run-time libraries are in fact also from
1.0.2 (same patch level or higher).
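
The header/run-time consistency check described in the message above, as an added example that is not part of the original post. It decodes the 1.0.x version-number layout and applies the "same release, same patch level or higher" rule. It assumes that a real program supplies the two values from the `OPENSSL_VERSION_NUMBER` header macro and from `SSLeay()` in the loaded library; the values in `main` are constructed samples.

```c
#include <stdio.h>
#include <string.h>

/* OpenSSL 1.0.x packs its version as 0xMNNFFPPS:
 * major, minor, fix, patch (1 = 'a', 2 = 'b', ...), status (0xf = release). */
struct ossl_ver { unsigned major, minor, fix, patch, status; };

static struct ossl_ver decode_version(unsigned long v)
{
    struct ossl_ver r;
    r.major  = (unsigned)((v >> 28) & 0xf);
    r.minor  = (unsigned)((v >> 20) & 0xff);
    r.fix    = (unsigned)((v >> 12) & 0xff);
    r.patch  = (unsigned)((v >> 4) & 0xff);
    r.status = (unsigned)(v & 0xf);
    return r;
}

/* 1 when both values are the same M.NN.FF release and the run-time patch
 * level is the same as or higher than the one the program was built against. */
static int runtime_matches_headers(unsigned long hdr, unsigned long rt)
{
    struct ossl_ver h = decode_version(hdr), r = decode_version(rt);
    if (h.major != r.major || h.minor != r.minor || h.fix != r.fix)
        return 0;
    return r.patch >= h.patch;
}

/* Render e.g. 0x100020bf as "1.0.2k"; patch levels past 'z' print numerically. */
static void format_version(unsigned long v, char *buf, size_t n)
{
    struct ossl_ver r = decode_version(v);
    if (r.patch == 0)
        snprintf(buf, n, "%u.%u.%u", r.major, r.minor, r.fix);
    else if (r.patch <= 26)
        snprintf(buf, n, "%u.%u.%u%c", r.major, r.minor, r.fix,
                 (char)('a' + r.patch - 1));
    else
        snprintf(buf, n, "%u.%u.%u(patch %u)", r.major, r.minor, r.fix, r.patch);
}

int main(void)
{
    /* Constructed sample values; a real program would pass
     * OPENSSL_VERSION_NUMBER (headers) and SSLeay() (loaded library). */
    unsigned long hdr = 0x100020bfUL;  /* 1.0.2k */
    unsigned long rt  = 0x1000115fUL;  /* 1.0.1u */
    char h[32], r[32];
    format_version(hdr, h, sizeof h);
    format_version(rt, r, sizeof r);
    printf("headers %s, run-time %s: %s\n", h, r,
           runtime_matches_headers(hdr, rt) ? "consistent" : "MISMATCH");
    return runtime_matches_headers(hdr, rt) ? 0 : 1;
}
```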

