Hi,
        the only TLS available is TLS 1.2 and only 4 ciphers are configured:

# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

But the problem is random even with the same cipher used 
(TLS_DHE_RSA_WITH_AES_256_GCM_SHA384).

The certificate is from an official CA and it is configured on Apache with 
the server cert, intermediate and key. SSLLabs doesn't show any problem with it.


Thank you

Matteo
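Daniel's earlier question about reproducing the error with openssl s_client, together with the four suites listed above, suggests a systematic check: drive the same TLS 1.2 handshake from a known client stack, one suite at a time, many times in a row, and count the outcomes. If a Python/OpenSSL client never sees "bad record mac" where the customer's .NET client does, that supports the client-side hypothesis; if it does, the server or the network path stays in scope. The script below is an added example, not code from any post in this thread. HOST and PORT are placeholders, the mapping from the IANA suite names above to OpenSSL names is mine, and the optional client certificate is there because the quoted trace shows the server verifying one (AH02275 Certificate Verification, "read certificate verify").

```python
"""Repeatedly probe a TLS 1.2 server with each of the four configured suites.

Added example for this thread (not code from any of the posts). HOST and
PORT are placeholders you replace with the server under test; the suite
names are the four IANA names from the thread, mapped to the OpenSSL
names that Python's ssl module expects in set_ciphers().
"""
import collections
import socket
import ssl
import sys

HOST = "www.example.com"   # placeholder, replace with the real server
PORT = 443

# IANA suite name (as SSL Labs shows it) -> OpenSSL name (as set_ciphers wants it).
SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": "DHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": "DHE-RSA-AES128-GCM-SHA256",
}


def classify_error(exc):
    """Reduce a handshake/IO exception to a short, countable label."""
    text = str(exc).lower()
    if "bad record mac" in text or "decryption failed" in text:
        return "bad-record-mac"          # the error from the thread
    if "handshake failure" in text:
        return "handshake-failure"       # server refused the offered suite
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert-verify"             # chain/hostname problem on our side
    if isinstance(exc, ssl.SSLError):
        return "ssl-error"
    if isinstance(exc, OSError):         # socket.timeout, ECONNRESET, ...
        return "network"
    return "other"


def make_context(openssl_name, cafile=None, client_cert=None, client_key=None):
    """TLS 1.2 only, exactly one suite offered, normal certificate checking."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(openssl_name)
    if client_cert:
        # The quoted trace shows the server verifying a client certificate,
        # so a probe needs one to reach the same point in the handshake.
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def probe_once(host, port, openssl_name, timeout=5.0, **ctx_kwargs):
    """One full handshake plus one application record; returns (label, suite)."""
    ctx = make_context(openssl_name, **ctx_kwargs)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # Send a minimal request so the first encrypted application
                # record is exercised too, not only the handshake.
                tls.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
                tls.recv(4096)
                return "ok", tls.cipher()[0]
    except Exception as exc:  # every outcome is counted, none is fatal
        return classify_error(exc), None


def probe(host, port, rounds=20, **ctx_kwargs):
    """Tally outcomes per suite: {iana_name: Counter({label: count})}."""
    tally = collections.defaultdict(collections.Counter)
    for iana, openssl_name in SUITES.items():
        for _ in range(rounds):
            label, _negotiated = probe_once(host, port, openssl_name, **ctx_kwargs)
            tally[iana][label] += 1
    return tally


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else HOST
    port = int(sys.argv[2]) if len(sys.argv) > 2 else PORT
    for iana, counts in probe(host, port).items():
        print(f"{iana}: {dict(counts)}")
```

Run it as `python3 probe.py server.example 443` (optionally passing `client_cert=`/`client_key=` to `probe()` when the server requires client authentication); a tally where one suite, or one suite only intermittently, shows `bad-record-mac` from this client too narrows the problem to the server side or the path, while all-`ok` runs leave the customer's client as the prime suspect.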

-----Original Message-----
From: Ran Mozes <ran.mo...@oracle.com> 
Sent: Thursday, 10 June 2021 11:16
To: users@httpd.apache.org
Subject: Re: [users@httpd] [External] Re: [users@httpd] Struggling with "decryption failed or bad record mac" error

Hi Matteo,

sounds like various issues could be the root cause. Maybe a negotiation issue 
on the TLS version and/or the Ciphers used? 
Another option, the error "SSL3_GET_RECORD:decryption failed or bad record mac" 
could also imply that something is wrong with the certificates being used.

HTH,
Ran 

> On 09.06.2021 at 10:06, Piemonti, Matteo 
> <matteo.piemo...@accenture.com.INVALID> wrote:
> 
> Hi,
>       does anyone have any suggestion about this topic?
> 
> 
> Thanks
> Matteo
> 
> -----Original Message-----
> From: Piemonti, Matteo
> Sent: Monday, 24 May 2021 09:56
> To: users@httpd.apache.org
> Subject: RE: [External] Re: [users@httpd] Struggling with "decryption failed or bad record mac" error
> 
> Hi,
>       in my first message you can find a lot of information...
> The only TLS available is TLS 1.2 and the openssl version is OpenSSL 
> 1.0.2k-fips (the latest one for Red Hat 7.9); we have this random problem only 
> from a customer that is using .NET. In my opinion it should be a client 
> problem, but it is hard to demonstrate.
> Which specific directives of httpd-ssl.conf do you want to see?
> 
> 
> Matteo
> 
> -----Original Message-----
> From: Daniel Ferradal <dferra...@apache.org>
> Sent: Sunday, 23 May 2021 20:49
> To: <users@httpd.apache.org> <users@httpd.apache.org>
> Subject: [External] Re: [users@httpd] Struggling with "decryption failed or bad record mac" error
> 
> 
> Hello,
> 
> Perhaps you may provide more info, like the openssl version you are using, 
> your SSL-related directives in your server, the openssl version or SSL 
> version of the client, and the protocol the client is trying to use.
> 
> Also, is this happening with all clients? Just one?
> 
> Can you reproduce it with the "openssl s_client -connect" command? Or even curl? 
> Etc.
> 
> On Fri, 21 May 2021 at 12:25, Piemonti, Matteo
> (<matteo.piemo...@accenture.com.invalid>) wrote:
>> 
>> Hi,
>> 
>>              we're having a weird error on the Apache httpd server that I can't 
>> understand how to troubleshoot, and it is not clear to me whether it is our 
>> problem (Apache HTTP server) or a problem of the caller.
>> 
>> 
>> 
>> We currently have this configuration:
>> 
>> Server version: Apache/2.4.46 (Unix)
>> Server built:   May 13 2021 05:46:31
>> Server's Module Magic Number: 20120211:93
>> Server loaded:  APR 1.6.5, APR-UTIL 1.6.1
>> Compiled using: APR 1.6.5, APR-UTIL 1.6.1
>> Architecture:   64-bit
>> Server MPM:     event
>>   threaded:     yes (fixed thread count)
>>     forked:     yes (variable process count)
>> Server compiled with....
>>  -D APR_HAS_SENDFILE
>>  -D APR_HAS_MMAP
>>  -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
>>  -D APR_USE_SYSVSEM_SERIALIZE
>>  -D APR_USE_PTHREAD_SERIALIZE
>>  -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
>>  -D APR_HAS_OTHER_CHILD
>>  -D AP_HAVE_RELIABLE_PIPED_LOGS
>>  -D DYNAMIC_MODULE_LIMIT=256
>>  -D HTTPD_ROOT="/data/apache2_frontend"
>>  -D SUEXEC_BIN="/data/apache2_frontend/bin/suexec"
>>  -D DEFAULT_PIDLOG="logs/httpd.pid"
>>  -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
>>  -D DEFAULT_ERRORLOG="logs/error_log"
>>  -D AP_TYPES_CONFIG_FILE="conf/mime.types"
>>  -D SERVER_CONFIG_FILE="conf/httpd.conf"
>> 
>> 
>> 
>> The problem we have is that during the SSL handshake we can see (only with debug 
>> or tcpdump) an "SSL Library Error: error:1408F119:SSL 
>> routines:SSL3_GET_RECORD:decryption failed or bad record mac" in the Apache 
>> httpd error_log.
>> 
>> No other logs are written into access_log.
>> 
>> How is it possible to troubleshoot it and understand where the 
>> problem is (caller? network? receiver?)
>> 
>> 
>> 
>> Some logs from trace:
>> 
>> [Wed May 12 17:52:04.134409 2021] [ssl:debug] [pid 10532:tid 140112100849408] ssl_engine_kernel.c(1741): [client ip:port] AH02275: Certificate Verification, depth 2, CRL checking mode: none (0) [subject: CN=etc etc etc]
>> [Wed May 12 17:52:04.134553 2021] [ssl:debug] [pid 10532:tid 140112100849408] ssl_engine_kernel.c(1741): [client ip:port] AH02275: Certificate Verification, depth 1, CRL checking mode: none (0) [subject: CN=etc etc etc]
>> [Wed May 12 17:52:04.134681 2021] [ssl:debug] [pid 10532:tid 140112100849408] ssl_engine_kernel.c(1741): [client ip:port] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: CN=etc etc etc]
>> [Wed May 12 17:52:04.134705 2021] [ssl:trace3] [pid 10532:tid 140112100849408] ssl_engine_kernel.c(2192): [client ip:port] OpenSSL: Loop: SSLv3 read client certificate A
>> [Wed May 12 17:52:04.138368 2021] [ssl:trace3] [pid 10532:tid 140112100849408] ssl_engine_kernel.c(2192): [client ip:port] OpenSSL: Loop: SSLv3 read client key exchange A
>> [Wed May 12 17:52:04.138492 2021] [ssl:trace3] [pid 10532:tid 140112100849408] ssl_engine_kernel.c(2192): [client ip:port] OpenSSL: Loop: SSLv3 read certificate verify A
>> [Wed May 12 17:52:04.138513 2021] [ssl:trace4] [pid 10532:tid 140112100849408] ssl_engine_io.c(2214): [client ip:port] OpenSSL: read 5/5 bytes from BIO#7f6e2000ff60 [mem: 7f6e2c06f653]
>> [Wed May 12 17:52:04.138519 2021] [ssl:trace4] [pid 10532:tid 140112100849408] ssl_engine_io.c(2214): [client ip:port] OpenSSL: read 1/1 bytes from BIO#7f6e2000ff60 [mem: 7f6e2c06f658]
>> [Wed May 12 17:52:04.138568 2021] [ssl:trace4] [pid 10532:tid 140112100849408] ssl_engine_io.c(2214): [client ip:port] OpenSSL: read 5/5 bytes from BIO#7f6e2000ff60 [mem: 7f6e2c06f653]
>> [Wed May 12 17:52:04.138586 2021] [ssl:trace4] [pid 10532:tid 140112100849408] ssl_engine_io.c(2214): [client ip:port] OpenSSL: read 40/40 bytes from BIO#7f6e2000ff60 [mem: 7f6e2c06f658]
>> [Wed May 12 17:52:04.138600 2021] [ssl:trace4] [pid 10532:tid 140112100849408] ssl_engine_io.c(2214): [client ip:port] OpenSSL: write 7/7 bytes to BIO#7f6e20010f50 [mem: 7f6e3c03f763]
>> [Wed May 12 17:52:04.138607 2021] [core:trace6] [pid 10532:tid 140112100849408] core_filters.c(525): [client ip:port] will flush because of FLUSH bucket
>> [Wed May 12 17:52:04.138639 2021] [ssl:trace4] [pid 10532:tid 140112100849408] ssl_engine_io.c(2214): [client ip:port] OpenSSL: write 7/7 bytes to BIO#7f6e20011d50 [mem: 7f6e20004950]
>> [Wed May 12 17:52:04.138669 2021] [core:trace6] [pid 10532:tid 140112100849408] core_filters.c(525): [client ip:port] will flush because of FLUSH bucket
>> [Wed May 12 17:52:04.138676 2021] [ssl:trace3] [pid 10532:tid 140112100849408] ssl_engine_kernel.c(2202): [client ip:port] OpenSSL: Write: error
>> [Wed May 12 17:52:04.138680 2021] [ssl:trace3] [pid 10532:tid 140112100849408] ssl_engine_kernel.c(2221): [client ip:port] OpenSSL: Exit: error in error
>> [Wed May 12 17:52:04.138690 2021] [ssl:info] [pid 10532:tid 140112100849408] [client ip:port] AH02008: SSL library error 1 in handshake (server server:port)
>> [Wed May 12 17:52:04.138711 2021] [ssl:info] [pid 10532:tid 140112100849408] SSL Library Error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
>> [Wed May 12 17:52:04.138720 2021] [ssl:info] [pid 10532:tid 140112100849408] [client ip:port] AH01998: Connection closed to child 448 with abortive shutdown (server server:port)
>> 
>> 
>> 
>> 
>> 
>> Thank you
>> 
>> 
>> 
>> Matteo Piemonti
>> 
>> 
> 
> 
> 
> --
> Daniel Ferradal
> HTTPD Project
> #httpd help at Libera.Chat
> 
> 
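Daniel's question "is this happening with all clients? just one?" can be answered from the existing error_log without raising the trace level: at info level mod_ssl logs AH02008 with the client address and, on the same pid:tid, the OpenSSL reason string on the following "SSL Library Error" line, so joining the two gives a per-client count of "bad record mac" failures versus other handshake errors. The quoted trace also says where in the handshake the failure sits: the 1-byte record is the client's ChangeCipherSpec and the 40-byte record after it is the client's encrypted Finished (8-byte explicit nonce, 16 bytes of plaintext, 16-byte GCM tag), so the very first record the server has to decrypt under the negotiated keys fails, and the 7-byte writes that follow are the fatal alert going back to the client. The script below is an added example, not code from any post in this thread; the sample lines are constructed from the format of the quoted trace, with made-up client addresses and server name.

```python
"""Triage mod_ssl handshake failures in an Apache error_log, per client.

Added example for this thread (not code from any of the posts). SAMPLE_LOG
is constructed from the format of the trace quoted in the thread; the
client addresses (203.0.113.10, 198.51.100.7) and the server name are
made up.
"""
import re
from collections import Counter, defaultdict

# One error_log line: timestamp, module:level, pid/tid, optional client, message.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<mod>\w+):(?P<lvl>\w+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)
LIB_ERR_RE = re.compile(r"SSL Library Error: (?P<code>error:[0-9A-Fa-f]+):(?P<detail>.*)$")

SAMPLE_LOG = """\
[Wed May 12 17:52:04.138690 2021] [ssl:info] [pid 10532:tid 140112100849408] [client 203.0.113.10:51234] AH02008: SSL library error 1 in handshake (server www.example.com:443)
[Wed May 12 17:52:04.138711 2021] [ssl:info] [pid 10532:tid 140112100849408] SSL Library Error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
[Wed May 12 17:52:04.138720 2021] [ssl:info] [pid 10532:tid 140112100849408] [client 203.0.113.10:51234] AH01998: Connection closed to child 448 with abortive shutdown (server www.example.com:443)
[Wed May 12 17:53:10.000001 2021] [ssl:trace3] [pid 10532:tid 140112100849409] ssl_engine_kernel.c(2192): [client 198.51.100.7:40001] OpenSSL: Loop: SSLv3 read client key exchange A
[Wed May 12 17:53:10.000100 2021] [ssl:info] [pid 10532:tid 140112100849409] [client 198.51.100.7:40001] AH02008: SSL library error 1 in handshake (server www.example.com:443)
[Wed May 12 17:53:10.000120 2021] [ssl:info] [pid 10532:tid 140112100849409] SSL Library Error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
[Wed May 12 17:55:00.000000 2021] [ssl:info] [pid 10533:tid 140112100849408] [client 203.0.113.10:51300] AH02008: SSL library error 1 in handshake (server www.example.com:443)
[Wed May 12 17:55:00.000020 2021] [ssl:info] [pid 10533:tid 140112100849408] SSL Library Error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
"""


def parse_line(line):
    """Split one error_log line into its fields, or None if it is not one."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"], rec["tid"] = int(rec["pid"]), int(rec["tid"])
    return rec


def triage(lines):
    """Return {client_ip: Counter({openssl_detail: n})} for handshake failures.

    AH02008 carries the client address but not the reason; the reason is the
    "SSL Library Error" line logged next on the same worker thread, so the
    two lines are joined on (pid, tid).
    """
    pending = {}                      # (pid, tid) -> client awaiting its reason
    failures = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["pid"], rec["tid"])
        if rec["client"] and "AH02008" in rec["msg"]:
            pending[key] = rec["client"]
        elif rec["msg"].startswith("SSL Library Error:"):
            client = pending.pop(key, "unknown")
            ip = client.rsplit(":", 1)[0]          # drop the ephemeral port
            m = LIB_ERR_RE.search(rec["msg"])
            detail = m.group("detail").strip() if m else rec["msg"]
            failures[ip][detail] += 1
    return failures


def summarize(failures):
    """Flat report lines, most frequent (ip, reason) pair first."""
    rows = [(n, ip, detail)
            for ip, counts in failures.items()
            for detail, n in counts.items()]
    rows.sort(key=lambda r: (-r[0], r[1], r[2]))
    return [f"{ip}: {n} x {detail}" for n, ip, detail in rows]


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for row in summarize(triage(src)):
        print(row)
```

Run it as `python3 ssl_triage.py /path/to/error_log` (LogLevel ssl:info is enough; the trace lines are tolerated but not needed). If every "decryption failed or bad record mac" row comes from the one customer's address range while other clients only ever show other reasons, that is the evidence for the client-side hypothesis that is otherwise "hard to demonstrate"; if the rows are spread across unrelated clients, the server and path need looking at.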
