From Bugzilla Helper: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3b) Gecko/20030210 Description of problem: Since this openssl was released, we have been seeing a lot of May 16 16:06:56 venus stunnel[3641]: SSL_accept: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac errors (we are using stunnel for pop3). At first I put it down to outlook but now I have got an error while using mozilla. I think the problem is related to the RSA blinding See http://cvs.openssl.org/getfile?f=openssl/CHANGES Changes between 0.9.6i and 0.9.6j [10 Apr 2003] "Make RSA blinding thread-safe"... Version-Release number of selected component (if applicable): openssl-0.9.6b-32.7 How reproducible: Sometimes Steps to Reproduce: 1. Get 100 outlook clients using spop3 2. wait... Actual Results: May 16 16:06:56 venus stunnel[3640]: spopper connected from 123.145.5.156:1958 May 16 16:06:56 venus stunnel[3641]: spopper connected from 123.145.7.144:1374 May 16 16:06:56 venus stunnel[3640]: SSL_accept: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac May 16 16:06:56 venus stunnel[3641]: SSL_accept: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac Expected Results: No errors. Additional info: It looks like this is a bug which has been fixed in 0.9.6j. Either upgrade openssl or backport the patch.
Same problem using ldapsearch with SSL: ldap_bind: Can't contact LDAP server additional info: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
There is openssl-0.9.7 in the current releases.
2.1AS only has openssl-0.9.6b-36 We have been using stunnel 4 for over 12 months and it is working reliably.
The thread safe RSA blinding was backported to openssl-0.9.6b-33.7 so later packages should be fine.