SSL error after machine restart.

2013-07-31 Thread Rajeev Tomar 
Hi

We are using openssl 0.9.8 in our application.
Things are working fine and suddenly we are having .

Linux awtah.dispatchserver1 3.6.11-1.fc16.i686 #1 SMP Mon Dec 17 21:36:23 UTC 
2012 i686 i686 i386 GNU/Linux

error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record 
mac:s3_pkt.c:426:
error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:288:
error:1408F096:SSL routines:SSL3_GET_RECORD:encrypted length too 
long:s3_pkt.c:346:

this error was random.
Even though application uses it's own opnesssl 0.9.8 and M/C have 1.0.0j-fips.
-bash-4.2# openssl version -a
OpenSSL 1.0.0j-fips 10 May 2012
built on: Tue May 15 18:44:01 UTC 2012
platform: linux-elf
options:  bn(64,32) md2(int) rc4(8x,mmx) des(ptr,risc1,16,long) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT 
-DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe 
-Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
--param=ssp-buffer-size=4  -m32 -march=i686 -mtune=atom 
-fasynchronous-unwind-tables -Wa,--noexecstack -DOPENSSL_BN_ASM_PART_WORDS 
-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM 
-DMD5_ASM -DRMD160_ASM -DAES_ASM -DWHIRLPOOL_ASM
OPENSSLDIR: /etc/pki/tls
engines:  aesni dynamic

On reinstalling 1.0.0j-fips on this Machine error got fixed.


Now for the same application on Fedora 14, after reboot we have encountered the 
above problem.
Linux 3UPCAWT605 2.6.35.6-45.fc14.i686 #1 SMP Mon Oct 18 23:56:17 UTC 2010 i686 
i686 i386 GNU/Linux

Any pointer what is the root cause of this problem or how to fix this.
Open SSL installed on second M/C
built on: Wed Sep  7 18:59:14 UTC 2011
platform: linux-elf
options:  bn(64,32) md2(int) rc4(8x,mmx) des(ptr,risc1,16,long) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT 
-DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe 
-Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
--param=ssp-buffer-size=4 -m32 -march=i686 -mtune=atom 
-fasynchronous-unwind-tables -Wa,--noexecstack -DOPENSSL_BN_ASM_PART_WORDS 
-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM 
-DMD5_ASM -DRMD160_ASM -DAES_ASM -DWHIRLPOOL_ASM
OPENSSLDIR: /etc/pki/tls
engines:  aesni dynamic

Is there any configuration changes need to be done/service need to be restarted.
With Regards
Rajeev Tomar

Team Automation
Turning Possibilities Into Realites






===
Please refer to http://www.aricent.com/legal/email_disclaimer.html
for important disclosures regarding this electronic communication.
===

Re: SSL error after machine restart.

2013-07-31 Thread Jakob Bohm 

On 31-07-2013 11:16, Rajeev Tomar wrote:

Hi

We are using openssl 0.9.8 in our application.
Things are working fine and suddenly we are having .
Linux awtah.dispatchserver1 3.6.11-1.fc16.i686 #1 SMP Mon Dec 17 
21:36:23 UTC 2012 i686 i686 i386 GNU/Linux
error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad 
record mac:s3_pkt.c:426:
error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version 
number:s3_pkt.c:288:
error:1408F096:SSL routines:SSL3_GET_RECORD:encrypted length too 
long:s3_pkt.c:346:

this error was random.
Even though application uses it’s own opnesssl 0.9.8 and M/C have 
1.0.0j-fips.

Two things to check:

- Use the command cut -c 50- /proc/pid/maps | uniq (Change 50 to 74
on 64-bit kernels) to make sure your application is not loading a dynamic
libcrypt or libssl anyway.

- If your application uses the shared certificate trust store in
/etc/ssl/certs, note that OpenSSL 1 and OpenSSL 0.9 use incompatible
formats for the symlinks in that directory, so either you need to use
a different directory for your OpenSSL 0.9 applications or you need
some special tricks to set up a combined directory.


-bash-4.2# openssl version -a
OpenSSL 1.0.0j-fips 10 May 2012
built on: Tue May 15 18:44:01 UTC 2012
platform: linux-elf
options: bn(64,32) md2(int) rc4(8x,mmx) des(ptr,risc1,16,long) 
blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS 
-D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -DL_ENDIAN -DTERMIO 
-Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions 
-fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686 
-mtune=atom -fasynchronous-unwind-tables -Wa,--noexecstack 
-DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT 
-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM 
-DWHIRLPOOL_ASM

OPENSSLDIR: /etc/pki/tls
engines: aesni dynamic
On reinstalling 1.0.0j-fips on this Machine error got fixed.
Now for the same application on Fedora 14, after reboot we have 
encountered the above problem.
Linux 3UPCAWT605 2.6.35.6-45.fc14.i686 #1 SMP Mon Oct 18 23:56:17 UTC 
2010 i686 i686 i386 GNU/Linux

Any pointer what is the root cause of this problem or how to fix this.
Open SSL installed on second M/C
built on: Wed Sep 7 18:59:14 UTC 2011
platform: linux-elf
options: bn(64,32) md2(int) rc4(8x,mmx) des(ptr,risc1,16,long) 
blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS 
-D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -DL_ENDIAN -DTERMIO 
-Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions 
-fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686 
-mtune=atom -fasynchronous-unwind-tables -Wa,--noexecstack 
-DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT 
-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM 
-DWHIRLPOOL_ASM

OPENSSLDIR: /etc/pki/tls
engines: aesni dynamic



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org