>       From: owner-openssl-us...@openssl.org On Behalf Of Harshvir Sidhu
>       Sent: Tuesday, 12 April, 2011 15:13

>       Just to add a note to my last question,
>       I tried to use openssl.exe s_client -connect IP:PORT
>       and it gives the following error message in that.
(reordered)      
>       verify error:num=18:self signed certificate
>       verify return:1
>       236:error:140943FC:<snip>:sslv3 alert bad record mac:<snip>
>       236:error:140790E5:<snip>:.\ssl\s23_lib.c:177:

>       I am using a self signed certificate so this first line makes sense,

> but why it's giving this SSL alert number 20.
> Not able to find anything useful for this.
         
>       I am trying to write the server side code using OpenSSL.
>       I am getting the following error on SSL_Accept.
>       error:1408F119:<snip>:decryption failed or bad record mac

s_client got the alert BECAUSE the server got the error.
The only real problem is that the server got the error.
                 
>       I tried to google on this, everywhere they were mentioning
> that there was some build error, which was fixed in 0.9.8 build,
> I am not sure about the sub version, but I am using 1.0.0.a.
> I also tried using SSL_CTX_check_private_key after I set my server
> certificate and key, and it's returning 1.

There are two fundamental possibilities:

1. something else in your server is corrupting OpenSSL's data.
Do you have handshake callbacks e.g. verification, tempdh, etc?
Is the server multithreaded? (Or less likely, using shared memory?)
Are you using nonblocking I/O with other code 'in between'?

2. the compiled code for OpenSSL does the cipher or MAC wrong.
This is rare, but can be caused by a compiler bug, or at least 
a 'feature' that is unusual and unexpected by the developers, 
so it tends to be specific to the compiler, target platform, 
and build options especially whether assembler is used but 
also things like optimization, PIC, etc.

+ are you sure you're using 1.0.0a? Line number 117 for 1408F119
does NOT match 1.0.0a official source but DOES match 1.0.0c.

+ did you build from source, or get a build from someone else? 
What platform and options? What does openssl version -a say?
(Remembering that it may be false if the build was fiddled.)
Did you or the other builder do 'make test'?

+ do other clients, especially non-OpenSSL ones, cause the same 
error on the server (and get a similar error on the client)?
Are OpenSSL client(s) the same OpenSSL build (and platform)?

+ exactly when does s_client get the error? I'd bet on Finished, 
but to check, run with -state and -msg or -debug.

+ what ciphersuite is selected on s_client attempt? On other 
clients that fail, or that work? What happens if you specify 
a ciphersuite with different data-crypto or MAC?

+ if you run s_server from the same build, with equivalent crypto
(key/cert, CAs, ciphersuites), does s_client work with it?
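
The two checks above (run s_client with -state to see exactly when the alert arrives, and try ciphersuites with different bulk crypto or MAC) can be automated. This is an added example, not code from the thread or from OpenSSL; it assumes a reachable server at host:port, an s_client whose -state output uses the "SSL_connect:" and "SSL3 alert read:" line formats shown in the constructed sample trace, and a hypothetical ciphersuite list.

```python
import re
import subprocess

# Hypothetical ciphersuite selection: the entries differ in bulk cipher or MAC,
# so a failure confined to some of them points at one cipher/MAC implementation.
CIPHER_CANDIDATES = ["AES128-SHA", "AES256-SHA", "DES-CBC3-SHA", "RC4-SHA", "RC4-MD5"]

STATE_RE = re.compile(r"^SSL_connect:(.*)$")
ALERT_RE = re.compile(r"^SSL3 alert (read|write):(\w+):(.*)$")

# Constructed sample of `s_client -state` stderr for the failure in the thread.
SAMPLE_TRACE = """SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL3 alert read:fatal:bad record mac
SSL_connect:failed in SSLv3 read finished A
"""

def parse_s_client_trace(text):
    """Return the last handshake state before the first alert, the alert, and
    whether the client had already sent Finished (its first encrypted record):
    an alert at that point means the server could not decrypt/verify the very
    first record it received, i.e. its cipher/MAC/key schedule disagrees."""
    last_state, alert, sent_finished = None, None, False
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            alert = {"direction": m.group(1), "level": m.group(2), "description": m.group(3)}
            break  # states printed after the alert only describe the failure
        m = STATE_RE.match(line)
        if m:
            last_state = m.group(1)
            sent_finished = sent_finished or "write finished" in last_state
    return {"last_state": last_state, "alert": alert,
            "failed_on_finished": alert is not None and sent_finished}

def probe(host, port, ciphers=CIPHER_CANDIDATES):
    """Run s_client once per ciphersuite against a live server and parse each trace."""
    results = {}
    for cipher in ciphers:
        cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-state", "-cipher", cipher]
        proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=30)
        results[cipher] = parse_s_client_trace(proc.stderr.decode(errors="replace"))
    return results
```

probe() needs a live server; parse_s_client_trace() also works on a trace saved from an earlier s_client run, so the per-ciphersuite results can be compared against the s_server-from-the-same-build check.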
