Bug 90989 - stunnel fails with SSL_accept errors (decryption failed or bad record mac)
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: openssl
Version: 2.1
Hardware: i686 Linux
Priority: medium
Severity: high
Assigned To: Tomas Mraz
Reported: 2003-05-16 02:56 EDT by John Newbigin
Modified: 2007-11-30 17:06 EST
Doc Type: Bug Fix
Last Closed: 2005-03-30 06:42:04 EST

Description John Newbigin 2003-05-16 02:56:39 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3b) Gecko/20030210

Description of problem:
Since this openssl was released, we have been seeing a lot of
May 16 16:06:56 venus stunnel[3641]: SSL_accept: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
errors (we are using stunnel for pop3).

At first I put it down to Outlook but now I have got an error while using
Mozilla.  I think the problem is related to the RSA blinding.
See http://cvs.openssl.org/getfile?f=openssl/CHANGES
Changes between 0.9.6i and 0.9.6j  [10 Apr 2003]
"Make RSA blinding thread-safe"...

Version-Release number of selected component (if applicable):
openssl-0.9.6b-32.7

How reproducible:
Sometimes

Steps to Reproduce:
1. Get 100 Outlook clients using spop3
2. wait...

Actual Results:
May 16 16:06:56 venus stunnel[3640]: spopper connected from 123.145.5.156:1958
May 16 16:06:56 venus stunnel[3641]: spopper connected from 123.145.7.144:1374
May 16 16:06:56 venus stunnel[3640]: SSL_accept: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
May 16 16:06:56 venus stunnel[3641]: SSL_accept: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac

Expected Results:  No errors.

Additional info:

It looks like this is a bug which has been fixed in 0.9.6j.  Either upgrade
openssl or backport the patch.
Comment 1 Julien Wajsberg 2003-07-02 07:31:37 EDT
Same problem using ldapsearch with SSL:

ldap_bind: Can't contact LDAP server
        additional info: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Comment 2 Tomas Mraz 2005-02-04 09:56:48 EST
There is openssl-0.9.7 in the current releases.
Comment 3 John Newbigin 2005-02-06 17:15:15 EST
2.1AS only has openssl-0.9.6b-36

We have been using stunnel 4 for over 12 months and it is working
reliably.
Comment 4 Tomas Mraz 2005-03-30 06:42:04 EST
The thread safe RSA blinding was backported to openssl-0.9.6b-33.7 so later
packages should be fine.

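Added example (not part of the bug report, stunnel or OpenSSL): a log triage script for the failure pattern quoted in this bug. It rejoins wrapped syslog lines and pairs each stunnel PID's "connected from" line with a following SSL_accept error 1408F455, so the affected clients can be listed. The sample lines are the ones quoted in the report, and the function names are hypothetical.

```python
import re
from collections import Counter

# Log lines quoted in the report, wrapped continuation lines included.
SAMPLE_LOG = """\
May 16 16:06:56 venus stunnel[3640]: spopper connected from
123.145.5.156:1958
May 16 16:06:56 venus stunnel[3641]: spopper connected from 123.145.7.144:1374
May 16 16:06:56 venus stunnel[3640]: SSL_accept: error:1408F455:SSL
routines:SSL3_GET_RECORD:decryption failed or bad record mac
May 16 16:06:56 venus stunnel[3641]: SSL_accept: error:1408F455:SSL
routines:SSL3_GET_RECORD:decryption failed or bad record mac
"""

# A record starts "Mon DD HH:MM:SS host stunnel[pid]:"; other lines are continuations.
HEADER = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ stunnel\[(\d+)\]: (.*)$")
CONNECT = re.compile(r"connected from (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
BAD_MAC = "error:1408F455:"  # "decryption failed or bad record mac"


def unwrap(text):
    """Rejoin wrapped continuation lines; return a list of (pid, message)."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append([int(m.group(1)), m.group(2).strip()])
        elif line.strip() and records:
            records[-1][1] += " " + line.strip()
    return [(pid, msg) for pid, msg in records]


def failed_handshakes(text):
    """Return [(pid, client_ip)] for each bad-record-MAC error raised in SSL_accept."""
    last_client = {}  # pid -> address from that process's most recent connect line
    hits = []
    for pid, msg in unwrap(text):
        c = CONNECT.search(msg)
        if c:
            last_client[pid] = c.group(1)
        elif msg.startswith("SSL_accept:") and BAD_MAC in msg:
            # A PID with no earlier connect line is reported as "unknown".
            hits.append((pid, last_client.get(pid, "unknown")))
    return hits


if __name__ == "__main__":
    for ip, n in Counter(ip for _, ip in failed_handshakes(SAMPLE_LOG)).items():
        print(f"{ip}\t{n} failed handshake(s)")
```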