[openssl-users] decrypt error

Scharfenberg, Carsten c.scharfenberg at francotyp.com
Thu Jan 24 09:19:03 UTC 2019

Hello everybody,

I've just joined this group because I hope you guys can help me with my problem.

I'm using haproxy 1.8.17 and openssl 1.1.1a from Debian testing to serve TLS 1.2 connections with client authentication.
The TLS handshake runs through fine. But then the server answers with a Decrypt Error Alert to the Finish message sent by the client.
How would I debug this error?
Is it possible that something is wrong with my certificates?

I've had a look into the source code. Unfortunately it's not so easy to read. It seems to me the alert is generated here:
ssl\statem\statem_lib.c:809 in function 'tls_process_finished' when the comparison of 'pkt' and 's->s3->tmp.peer_finish_md' fails.
Unfortunately I currently do not know what this means.

For detailed information I've appended a pcap file.

C. Scharfenberg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: decrpyt_error.pcap
Type: application/octet-stream
Size: 7359 bytes
Desc: decrpyt_error.pcap
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20190124/97ead4f1/attachment-0001.obj>
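
What the comparison in 'tls_process_finished' checks, as an added example that is not part of the original post and is not OpenSSL code: in TLS 1.2 (RFC 5246, section 7.4.9) the server recomputes the 12-byte verify_data from its own master secret and its own hash of the handshake messages, then compares it with the value in the client's Finished message. The sketch assumes a cipher suite whose PRF uses SHA-256; the function names and sample values are constructed for illustration.

```python
# Added illustration (not OpenSSL code): TLS 1.2 Finished check per RFC 5246.
import hashlib
import hmac


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 expansion from RFC 5246 section 5."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def verify_data(master_secret: bytes, label: bytes, transcript: bytes) -> bytes:
    """PRF(master_secret, label, Hash(handshake_messages))[0..11]."""
    seed = label + hashlib.sha256(transcript).digest()
    return p_sha256(master_secret, seed, 12)


def check_client_finished(master_secret: bytes, transcript: bytes,
                          received: bytes) -> bool:
    """Server side: recompute the expected value, compare in constant time.
    A False result is the case answered with a decrypt_error alert."""
    expected = verify_data(master_secret, b"client finished", transcript)
    return hmac.compare_digest(expected, received)


# Constructed sample values (not taken from the attached pcap).
MASTER = bytes(range(48))
TRANSCRIPT = b"constructed handshake message bytes"


def demo() -> dict:
    sent = verify_data(MASTER, b"client finished", TRANSCRIPT)
    return {
        "matching": check_client_finished(MASTER, TRANSCRIPT, sent),
        # The two peers derived different master secrets.
        "other_master_secret": check_client_finished(bytes(48), TRANSCRIPT, sent),
        # The two peers hashed different handshake bytes.
        "other_transcript": check_client_finished(MASTER, TRANSCRIPT + b"x", sent),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'decrypt_error'}")
```

The check only passes when both sides hold the same master secret and have hashed byte-identical handshake messages, so a failure points at one of those two inputs differing between client and server.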
