Your message dated Mon, 18 Mar 2013 21:03:52 +0000 with message-id <[email protected]> and subject line Bug#678353: fixed in openssl 1.0.1e-2 has caused the Debian Bug report #678353, regarding openssl: SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:480 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
678353: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=678353
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openssl
Version: 1.0.1c-3
Severity: normal

Originally I was trying to do this:

$ python
>>> import urllib2
>>> urllib2.urlopen("https://myrta.com/regcheck/pages/content/enterVehicleDetails.jsf")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/urllib2.py", line 126, in urlopen
    return _opener.open(url, data, timeout)
  File "/usr/lib/python2.7/urllib2.py", line 400, in open
    response = self._open(req, data)
  File "/usr/lib/python2.7/urllib2.py", line 418, in _open
    '_open', req)
  File "/usr/lib/python2.7/urllib2.py", line 378, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 1215, in https_open
    return self.do_open(httplib.HTTPSConnection, req)
  File "/usr/lib/python2.7/urllib2.py", line 1177, in do_open
    raise URLError(err)
urllib2.URLError: <urlopen error [Errno 1] _ssl.c:504: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac>

Tracing it back, I see python2.7 uses /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0, so I tried this which fails with the same error:

$ openssl s_client -connect myrta.com:443
CONNECTED(00000003)
depth=3 C = ZA, ST = Western Cape, L = Cape Town, O = Thawte Consulting cc, OU = Certification Services Division, CN = Thawte Premium Server CA, emailAddress = [email protected]
verify error:num=19:self signed certificate in certificate chain
verify return:0
140092995372712:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:480:
---
Certificate chain
 0 s:/C=AU/ST=New South Wales/L=Sydney/O=Roads & Traffic Authority of New South Wales/OU=RTA/CN=myrta.com
   i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
 1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/[email protected]
 3 s:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/[email protected]
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/[email protected]
---
Server certificate
subject=/C=AU/ST=New South Wales/L=Sydney/O=Roads & Traffic Authority of New South Wales/OU=RTA/CN=myrta.com
issuer=/C=US/O=Thawte, Inc./CN=Thawte SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 4064 bytes and written 205 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : TLSv1
    Cipher : RC4-MD5
    Session-ID: 000039B7D44355DBF50A59F8A4F5049402D0B048585858584FE2863E000009E7
    Session-ID-ctx:
    Master-Key: 4C860E68617462AB0D15E06B1637A46640A2C3D61F802ECC714191A897DDCF46C6DB37F9089E623C9181FD246BE8455E
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1340245567
    Timeout : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
$

Iceweasel on the same box has no trouble with the URL given to python.

On a squeeze amd64 box on the same LAN, executing the above statements doesn't return any errors.

This has only happened with myrta.com. https://www.google.com/ for example works.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssl depends on:
ii  libc6        2.13-33
ii  libssl1.0.0  1.0.1c-3
ii  zlib1g       1:1.2.7.dfsg-11+b1

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates  20120212

-- no debconf information
--- End Message ---
--- Begin Message ---
Source: openssl
Source-Version: 1.0.1e-2

We believe that the bug you reported is fixed in the latest version of openssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kurt Roeckx <[email protected]> (supplier of updated openssl package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Mon, 18 Mar 2013 20:37:11 +0100
Source: openssl
Binary: openssl libssl1.0.0 libcrypto1.0.0-udeb libssl-dev libssl-doc libssl1.0.0-dbg
Architecture: source all amd64
Version: 1.0.1e-2
Distribution: unstable
Urgency: high
Maintainer: Debian OpenSSL Team <[email protected]>
Changed-By: Kurt Roeckx <[email protected]>
Description:
 libcrypto1.0.0-udeb - crypto shared library - udeb (udeb)
 libssl-dev - SSL development libraries, header files and documentation
 libssl-doc - SSL development documentation documentation
 libssl1.0.0 - SSL shared libraries
 libssl1.0.0-dbg - Symbol tables for libssl and libcrypto
 openssl - Secure Socket Layer (SSL) binary and related cryptographic tools
Closes: 678353 699692 701826 701868 702635 703031
Changes:
 openssl (1.0.1e-2) unstable; urgency=high
 .
   * Bump shlibs. It's needed for the udeb.
   * Make cpuid work on cpu's that don't set ecx (Closes: #699692)
   * Fix problem with AES-NI causing bad record mac (Closes: #701868, #702635, #678353)
   * Fix problem with DTLS version check (Closes: #701826)
   * Fix segfault in SSL_get_certificate (Closes: #703031)
Package-Type: udeb
--- End Message ---

