It appears there is a major regression with OpenSSL 1.0.1d over
1.0.1c.  I've narrowed it down to setting a custom cipher
list, I think, as if I do not set a cipher list, the issue does
not occur.

I have reproduced the issue with the openssl s_server/s_client
command line utility.  You can see my full procedure below.

In short, it appears SSL negotiation succeeds, but as soon as
data is sent from the client to the server, the server spits
out:
67397216:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:482:
And does NOT receive the data sent from the client side.

In fact, I'm seeing some very strange behavior indeed.  For
whatever reason, if I run it under valgrind, it consistently
gives that error (yet valgrind reports nothing), but if I do
NOT run it under valgrind, sometimes I receive CORRUPT data and
no error message is reported at all.

I should also note that currently I am using
OpenSSL 1.0.1d-fips 5 Feb 2013
On an Intel(R) Core(TM) i7-3770S CPU @ 3.10GHz running Ubuntu 12.04 64bit
(so presumably I'm using AES-NI ... noticed changes to that in the
changelog).

I have not yet tried to compile it in non-FIPS mode to rule
that out, but I am not running it in an active FIPS mode.  I
have reproduced this issue on Linux x64 and Windows x86 thus far,
I haven't tested it on any other system.



==================
CERTIFICATE GEN
==================
$ ./openssl genrsa 2048 > mycert.key
Generating RSA private key, 2048 bit long modulus
......+++
........................................................+++

$ ./openssl req -new -key mycert.key > mycert.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Florida
Locality Name (eg, city) []:Gainesville
Organization Name (eg, company) [Internet Widgits Pty Ltd]:TEST
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

$ ./openssl req -x509 -key mycert.key -in mycert.csr > mycert.crt


==================
SERVER
==================
$ ./openssl s_server -cipher 'TLSv1+HIGH:@STRENGTH' -key ./mycert.key -cert ./mycert.crt -no_ssl2 -no_ticket
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MHUCAQECAgMDBALAFAQgont/MsqFPRiz/6fzhDSnmb5Cqw9V8oHUy68q6J1KFIsE
MLxPYXZPn/SKgGWxbiqLLJVmb+oNNvRNc6B/HpWl8zTs9TLTxVqiDdOft4OGH2XJ
jqEGAgRREpCKogQCAgEspAYEBAEAAAA=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:AECDH-AES256-SHA:SRP-AES-256-CBC-SHA:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:AECDH-DES-CBC3-SHA:SRP-3DES-EDE-CBC-SHA:ADH-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:AECDH-AES128-SHA:SRP-AES-128-CBC-SHA:ADH-AES128-SHA:ADH-CAMELLIA128-SHA:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-SHA:CAMELLIA128-SHA
CIPHER is ECDHE-RSA-AES256-SHA
Secure Renegotiation IS supported
ERROR
67397216:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:482:
shutting down SSL
CONNECTION CLOSED
ACCEPT


==================
CLIENT
==================
$ echo "Hello World" | ./openssl s_client -connect localhost:4433 -cipher 'TLSv1+HIGH:@STRENGTH'
CONNECTED(00000003)
depth=0 C = US, ST = Florida, L = Gainesville, O = TEST, CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = Florida, L = Gainesville, O = TEST, CN = localhost
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Florida/L=Gainesville/O=TEST/CN=localhost
   i:/C=US/ST=Florida/L=Gainesville/O=TEST/CN=localhost
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/C=US/ST=Florida/L=Gainesville/O=TEST/CN=localhost
issuer=/C=US/ST=Florida/L=Gainesville/O=TEST/CN=localhost
---
No client certificate CA names sent
---
SSL handshake has read 1439 bytes and written 401 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: A27B7F32CA853D18B3FFA7F38434A799BE42AB0F55F281D4CBAF2AE89D4A148B
    Session-ID-ctx:
    Master-Key: BC4F61764F9FF48A8065B16E2A8B2C95666FEA0D36F44D73A07F1E95A5F334ECF532D3C55AA20DD39FB783861F65C98E
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1360171146
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
DONE


Thanks!
-Brad
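
Added example, not part of the original post and not OpenSSL project code: the s_server/s_client round trip above as a script that sorts a run into the outcomes the report describes (error 1408F119, data received intact, or no error but no intact data). The function names, the OPENSSL variable and the sleep-based timing are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: the report's s_server/s_client round trip as a regression check.
OPENSSL=${OPENSSL:-./openssl}     # assumption: binary under test, path as in the report
CIPHERS='TLSv1+HIGH:@STRENGTH'    # cipher list from the report
PAYLOAD='Hello World'             # data the client sends in the report

# classify_server_log FILE PAYLOAD prints one of:
#   bad_record_mac      server logged error 1408F119
#   ok                  payload arrived intact on a line of its own
#   corrupt_or_missing  no error logged, yet the payload never appeared intact
classify_server_log() {
    if grep -q ':error:1408F119:' "$1"; then
        echo bad_record_mac
    elif grep -qxF -- "$2" "$1"; then
        echo ok
    else
        echo corrupt_or_missing
    fi
}

# run_repro KEY CERT [PORT]: one server, one client, then classify the server log.
run_repro() {
    port=${3:-4433}
    log=$(mktemp) || return 2
    # s_server also reads its own stdin, so keep it open while the client runs.
    sleep 5 | "$OPENSSL" s_server -accept "$port" -cipher "$CIPHERS" \
        -key "$1" -cert "$2" -no_ssl2 -no_ticket >"$log" 2>&1 &
    srv=$!
    sleep 1                        # crude wait for the listener to bind
    echo "$PAYLOAD" | "$OPENSSL" s_client -connect "localhost:$port" \
        -cipher "$CIPHERS" >/dev/null 2>&1
    sleep 1                        # crude wait for the server to read the record
    kill "$srv" 2>/dev/null
    wait "$srv" 2>/dev/null
    classify_server_log "$log" "$PAYLOAD"
    rm -f "$log"
}

# Run only when given a key and certificate, e.g. ./repro.sh mycert.key mycert.crt
if [ "$#" -ge 2 ]; then
    run_repro "$@"
fi
```

Running it several times, and once with the -cipher options removed from both commands, separates the intermittent outcomes from the cipher-list dependence described above.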