[stunnel-users] SSL alert (write): fatal: bad record mac

Hi all,

I was tried stunnel 4.0.9 compiled with Openssl 0.9.7g on Redhat ES 3.0 and got the telnets sessions disconnected with error messages in stunnel.log as below: SSL alert (write): fatal: bad record mac SSL_read: 1408F455: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac

The same problem with stunnel 4.0.12 compiled with Openssl 0.9.8a Tried to disable the option socket = a:SO_REUSEADDR=0 in stunne server configuration file but still not help.

Thanks in advance for any help:

Full stunnel.log: -------------------- 2005.10.21 04:07:33 LOG5[19485:1]: stunnel 4.12 on i686-pc-linux-gnu UCONTEXT+POLL+IPv4+LIBWRAP with OpenSSL 0.9.8a 11 Oct 2005 2005.10.21 04:07:33 LOG7[19485:1]: Snagged 64 random bytes from /dev/urandom 2005.10.21 04:07:33 LOG7[19485:1]: RAND_status claims sufficient entropy for the PRNG 2005.10.21 04:07:33 LOG6[19485:1]: PRNG seeded successfully 2005.10.21 04:07:33 LOG7[19485:1]: Certificate: /usr/local/stunnel/etc/stunnel/stunnel.pem 2005.10.21 04:07:33 LOG7[19485:1]: Key file: /usr/local/stunnel/etc/stunnel/stunnel.pem 2005.10.21 04:07:33 LOG6[19485:1]: file ulimit = 1024 (can be changed with 'ulimit -n') 2005.10.21 04:07:33 LOG6[19485:1]: poll() used - no FD_SETSIZE limit for file descriptors 2005.10.21 04:07:33 LOG5[19485:1]: 500 clients allowed 2005.10.21 04:07:33 LOG7[19485:1]: FD 4 in non-blocking mode 2005.10.21 04:07:33 LOG7[19485:1]: FD 5 in non-blocking mode 2005.10.21 04:07:33 LOG7[19485:1]: FD 6 in non-blocking mode 2005.10.21 04:07:33 LOG7[19485:1]: SO_REUSEADDR option set on accept socket 2005.10.21 04:07:33 LOG7[19485:1]: telnets bound to 192.168.34.35:992 2005.10.21 04:07:33 LOG7[19486:1]: Created pid file /stunnel.pid 2005.10.21 04:07:33 LOG5[19487:1]: stunnel 4.12 on i686-pc-linux-gnu UCONTEXT+POLL+IPv4+LIBWRAP with OpenSSL 0.9.8a 11 Oct 2005 2005.10.21 04:07:33 LOG7[19487:1]: Snagged 64 random bytes from /dev/urandom 2005.10.21 04:07:33 LOG7[19487:1]: RAND_status claims sufficient entropy for the PRNG 2005.10.21 04:07:33 LOG6[19487:1]: PRNG seeded successfully 2005.10.21 04:07:33 LOG6[19487:1]: file ulimit = 1024 (can be changed with 'ulimit -n') 2005.10.21 04:07:33 LOG6[19487:1]: poll() used - no FD_SETSIZE limit for file descriptors 2005.10.21 04:07:33 LOG5[19487:1]: 500 clients allowed 2005.10.21 04:07:33 LOG7[19487:1]: FD 4 in non-blocking mode 2005.10.21 04:07:33 LOG7[19487:1]: FD 5 in non-blocking mode 2005.10.21 04:07:33 LOG7[19487:1]: FD 6 in non-blocking mode 2005.10.21 04:07:33 LOG7[19487:1]: SO_REUSEADDR option set on accept socket 2005.10.21 04:07:33 LOG7[19487:1]: soap bound to 127.0.0.1:44300 2005.10.21 04:07:33 LOG7[19488:1]: Created pid file /stunnel.pid 2005.10.21 04:09:30 LOG7[19486:1]: telnets accepted FD=7 from 65.94.188.47:60677 2005.10.21 04:09:30 LOG7[19486:1]: Creating a new context 2005.10.21 04:09:30 LOG7[19486:1]: Context 2 created 2005.10.21 04:09:30 LOG7[19486:2]: Context swap: 1 -> 2 2005.10.21 04:09:30 LOG7[19486:2]: telnets started 2005.10.21 04:09:30 LOG7[19486:2]: FD 7 in non-blocking mode 2005.10.21 04:09:30 LOG7[19486:2]: TCP_NODELAY option set on local socket 2005.10.21 04:09:30 LOG5[19486:2]: telnets connected from 65.94.188.47:60677 2005.10.21 04:09:30 LOG7[19486:2]: SSL state (accept): before/accept initialization 2005.10.21 04:09:30 LOG7[19486:2]: SSL state (accept): SSLv3 read client hello A 2005.10.21 04:09:30 LOG7[19486:2]: SSL state (accept): SSLv3 write server hello A 2005.10.21 04:09:30 LOG7[19486:2]: SSL state (accept): SSLv3 write certificate A 2005.10.21 04:09:30 LOG7[19486:2]: SSL state (accept): SSLv3 write server done A 2005.10.21 04:09:30 LOG7[19486:2]: SSL state (accept): SSLv3 flush data 2005.10.21 04:09:30 LOG7[19486:2]: SSL state (accept): SSLv3 read client key exchange A 2005.10.21 04:09:30 LOG7[19486:2]: SSL state (accept): SSLv3 read finished A 2005.10.21 04:09:30 LOG7[19486:2]: SSL state (accept): SSLv3 write change cipher spec A 2005.10.21 04:09:30 LOG7[19486:2]: SSL state (accept): SSLv3 write finished A 2005.10.21 04:09:30 LOG7[19486:2]: SSL state (accept): SSLv3 flush data 2005.10.21 04:09:30 LOG7[19486:2]: 1 items in the session cache 2005.10.21 04:09:30 LOG7[19486:2]: 0 client connects (SSL_connect()) 2005.10.21 04:09:30 LOG7[19486:2]: 0 client connects that finished 2005.10.21 04:09:30 LOG7[19486:2]: 0 client renegotiatations requested 2005.10.21 04:09:30 LOG7[19486:2]: 1 server connects (SSL_accept()) 2005.10.21 04:09:30 LOG7[19486:2]: 1 server connects that finished 2005.10.21 04:09:30 LOG7[19486:2]: 0 server renegotiatiations requested 2005.10.21 04:09:30 LOG7[19486:2]: 0 session cache hits 2005.10.21 04:09:30 LOG7[19486:2]: 0 session cache misses 2005.10.21 04:09:30 LOG7[19486:2]: 0 session cache timeouts 2005.10.21 04:09:30 LOG6[19486:2]: SSL accepted: new session negotiated 2005.10.21 04:09:30 LOG6[19486:2]: Negotiated ciphers: RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 2005.10.21 04:09:30 LOG7[19486:2]: FD 8 in non-blocking mode 2005.10.21 04:09:30 LOG7[19486:2]: telnets connecting 127.0.0.1:23 2005.10.21 04:09:30 LOG7[19486:2]: connect_wait: waiting 10 seconds 2005.10.21 04:09:30 LOG7[19486:2]: connect_wait: connected 2005.10.21 04:09:30 LOG7[19486:2]: Remote FD=8 initialized 2005.10.21 04:09:30 LOG7[19486:2]: TCP_NODELAY option set on remote socket 2005.10.21 04:09:31 LOG7[19488:1]: soap accepted FD=7 from 127.0.0.1:37120 2005.10.21 04:09:31 LOG7[19488:1]: Creating a new context 2005.10.21 04:09:31 LOG7[19488:1]: Context 2 created 2005.10.21 04:09:31 LOG7[19488:2]: Context swap: 1 -> 2 2005.10.21 04:09:31 LOG7[19488:2]: soap started 2005.10.21 04:09:31 LOG7[19488:2]: FD 7 in non-blocking mode 2005.10.21 04:09:31 LOG7[19488:2]: TCP_NODELAY option set on local socket 2005.10.21 04:09:31 LOG5[19488:2]: soap connected from 127.0.0.1:37120 2005.10.21 04:09:31 LOG7[19488:2]: FD 8 in non-blocking mode 2005.10.21 04:09:31 LOG7[19488:2]: soap connecting 199.84.230.35:443 2005.10.21 04:09:31 LOG7[19488:2]: connect_wait: waiting 10 seconds 2005.10.21 04:09:31 LOG7[19488:2]: connect_wait: connected 2005.10.21 04:09:31 LOG7[19488:2]: Remote FD=8 initialized 2005.10.21 04:09:31 LOG7[19488:2]: TCP_NODELAY option set on remote socket 2005.10.21 04:09:31 LOG7[19488:2]: SSL state (connect): before/connect initialization 2005.10.21 04:09:31 LOG7[19488:2]: SSL state (connect): SSLv3 write client hello A 2005.10.21 04:09:31 LOG7[19488:2]: SSL state (connect): SSLv3 read server hello A 2005.10.21 04:09:31 LOG7[19488:2]: SSL state (connect): SSLv3 read server certificate A 2005.10.21 04:09:31 LOG7[19488:2]: SSL state (connect): SSLv3 read server key exchange A 2005.10.21 04:09:31 LOG7[19488:2]: SSL state (connect): SSLv3 read server done A 2005.10.21 04:09:31 LOG7[19488:2]: SSL state (connect): SSLv3 write client key exchange A 2005.10.21 04:09:31 LOG7[19488:2]: SSL state (connect): SSLv3 write change cipher spec A 2005.10.21 04:09:31 LOG7[19488:2]: SSL state (connect): SSLv3 write finished A 2005.10.21 04:09:31 LOG7[19488:2]: SSL state (connect): SSLv3 flush data 2005.10.21 04:09:31 LOG7[19488:2]: SSL state (connect): SSLv3 read finished A 2005.10.21 04:09:31 LOG7[19488:2]: 1 items in the session cache 2005.10.21 04:09:31 LOG7[19488:2]: 1 client connects (SSL_connect()) 2005.10.21 04:09:31 LOG7[19488:2]: 1 client connects that finished 2005.10.21 04:09:31 LOG7[19488:2]: 0 client renegotiatations requested 2005.10.21 04:09:31 LOG7[19488:2]: 0 server connects (SSL_accept()) 2005.10.21 04:09:31 LOG7[19488:2]: 0 server connects that finished 2005.10.21 04:09:31 LOG7[19488:2]: 0 server renegotiatiations requested 2005.10.21 04:09:31 LOG7[19488:2]: 0 session cache hits 2005.10.21 04:09:31 LOG7[19488:2]: 0 session cache misses 2005.10.21 04:09:31 LOG7[19488:2]: 0 session cache timeouts 2005.10.21 04:09:31 LOG6[19488:2]: SSL connected: new session negotiated 2005.10.21 04:09:31 LOG6[19488:2]: Negotiated ciphers: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1 2005.10.21 04:09:31 LOG7[19488:2]: SSL_read returned WANT_READ: retrying 2005.10.21 04:09:31 LOG7[19488:2]: SSL_read returned WANT_READ: retrying 2005.10.21 04:09:31 LOG7[19488:2]: SSL alert (read): warning: close notify 2005.10.21 04:09:31 LOG7[19488:2]: SSL closed on SSL_read 2005.10.21 04:09:31 LOG7[19488:2]: Socket write shutdown 2005.10.21 04:09:31 LOG7[19488:2]: SSL write shutdown 2005.10.21 04:09:31 LOG7[19488:2]: SSL alert (write): warning: close notify 2005.10.21 04:09:31 LOG6[19488:2]: SSL_shutdown successfully sent close_notify 2005.10.21 04:09:31 LOG7[19488:2]: Socket closed on read 2005.10.21 04:09:31 LOG5[19488:2]: Connection closed: 818 bytes sent to SSL, 4558 bytes sent to socket 2005.10.21 04:09:31 LOG7[19488:2]: soap finished (0 left) 2005.10.21 04:09:31 LOG5[19488:2]: stack_info: size=65536, current=9560 (14%), maximum=9560 (14%) 2005.10.21 04:09:31 LOG7[19488:2]: Context 2 closed 2005.10.21 04:09:45 LOG7[19486:2]: SSL alert (write): fatal: bad record mac 2005.10.21 04:09:45 LOG3[19486:2]: SSL_read: 1408F455: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac 2005.10.21 04:09:45 LOG5[19486:2]: Connection reset: 4313 bytes sent to SSL, 232 bytes sent to socket 2005.10.21 04:09:45 LOG7[19486:2]: telnets finished (0 left) 2005.10.21 04:09:45 LOG5[19486:2]: stack_info: size=65536, current=9560 (14%), maximum=9560 (14%) 2005.10.21 04:09:45 LOG7[19486:2]: Context 2 closed

_________________________________________________________________ Take advantage of powerful junk e-mail filters built on patented Microsoft® SmartScreen Technology. http://join.msn.com/?pgmarket=en-ca&page=byoa/prem&xAPID=1994&DI... Start enjoying all the benefits of MSN® Premium right now and get the first two months FREE*.