ssl3_get_record:decryption failed on some machines

Fernando Gutierrez Mendez fergtm at hyperion.io
Mon Nov 18 18:44:54 UTC 2019


Hi,

I wrote an application that uses OpenSSL (1.1.1) and for the past couple of weeks I have been unable to solve a very strange issue.

I use non-blocking IO with an SSL BIO, so a call to BIO_read eventually returns -1. When this happens I call BIO_should_retry to test if this is due to an error or because of the underlying non-blocking transport.

This code works correctly, but after transferring between 1Mb and 5Mb (it varies every time) BIO_should_retry returns false and SSL_get_error returns SSL_ERROR_SSL. The error is "139964546914112:error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac:../ssl/record/ssl3_record.c:677"

The very strange thing is that this code has been working correctly and transferring several Gb without any issues on a couple of machines. I started getting the error in a virtual machine from a popular VPS provider that uses AMD CPUs and in one physical machine using an older Intel CPU.

Works correctly on:
Intel Celeron CPU J1800
Virtual Machine on Intel Core i7-5820K
Virtual Machine on Intel Xeon E5-2697

Fails every time on:
Intel Pentium G2020T
Virtual Machine on AMD EPYC 7601

All machines are using "OpenSSL 1.1.1  11 Sep 2018" on "Ubuntu 18.04.3 LTS"

Things I tried:

- Playing with OPENSSL_ia32cap to force disable PCLMULQDQ/AES-NI, this makes no difference
- Running my app under valgrind. It does not report any error but the problem does not reproduce
- Instead of using the distro provided build I downloaded and compiled from https://github.com/openssl/openssl/archive/OpenSSL_1_1_1d.tar.gz, it also made no difference

I understand this could be a bug in my code but I can't figure out why it only happens on some machines.

Any help is appreciated.

Thanks
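
Added example, not part of the original post: a small C parser for the error-queue line quoted above, which unpacks the hex code 1408F119 into its library, function and reason numbers using the 8/12/12-bit layout of OpenSSL 1.1.1, so the same failure can be matched in logs by number instead of by message text. The struct, function and macro names are made up for this example; the two constants are the values of ERR_LIB_SSL and SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC in the 1.1.1 headers.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Values from the OpenSSL 1.1.1 headers, renamed so no OpenSSL include is needed. */
#define LIB_SSL 20                 /* ERR_LIB_SSL */
#define REASON_BAD_RECORD_MAC 281  /* SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC */

struct ossl_err {
    unsigned long code;
    int lib, func, reason;   /* unpacked from code */
    long line;               /* source line that raised the error */
};

/* Parse "tid:error:CODE:lib:func:reason:file:line"; 0 on success, -1 on bad input. */
int parse_ossl_err(const char *s, struct ossl_err *out)
{
    char buf[512], *f[8], *p, *end;
    int i;
    if (strlen(s) >= sizeof buf) return -1;
    strcpy(buf, s);
    for (i = 0, p = buf; i < 8; i++) {       /* split into exactly 8 fields */
        f[i] = p;
        if ((p = strchr(p, ':')) == NULL) break;
        *p++ = '\0';
    }
    if (i != 7 || strcmp(f[1], "error") != 0) return -1;
    out->code = strtoul(f[2], &end, 16);
    if (end == f[2] || *end != '\0') return -1;
    out->line = strtol(f[7], &end, 10);
    if (end == f[7] || (*end != '\0' && *end != '\n')) return -1;
    /* 1.1.1 packing: 8 bits library, 12 bits function, 12 bits reason. */
    out->lib    = (int)((out->code >> 24) & 0xFF);
    out->func   = (int)((out->code >> 12) & 0xFFF);
    out->reason = (int)(out->code & 0xFFF);
    return 0;
}

int is_bad_record_mac(const struct ossl_err *e) { return e->lib == LIB_SSL && e->reason == REASON_BAD_RECORD_MAC; }

int main(void)
{
    struct ossl_err e;
    const char *l = "139964546914112:error:1408F119:SSL routines:ssl3_get_record:"
                    "decryption failed or bad record mac:../ssl/record/ssl3_record.c:677";
    if (parse_ossl_err(l, &e) == 0)   /* the line quoted in the post */
        printf("lib=%d func=%d reason=%d bad_mac=%d\n", e.lib, e.func, e.reason, is_bad_record_mac(&e));
    return 0;
}
```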


