SSL_read: 1408F455: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac problem
Hi, someone could help me?
I am using stunnel (4.07) as ssl client to do telnet to my router with ssl server (openssl 0.9.7d).
Stunnel is configured in this way:
========================== client = yes
debug=7 cert=clcert.pem [telnet] accept = 23 connect = 10.36.3.144:4433 ==========================
My router's configuration is:
========================== -Verify 4 -cert cert.pem ==========================
The exchange of packets:
========================== client sends=======> Client Hello server sends======> Server Hello,Certificate, Certificate Request,Server Hello Done client sends======> Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message
server sends=====> Change Cipher Spec, Encrypted Handshake Message and then Application Data.
After sending a number of Application Data by the server, client sends Encrypted Alert and closes the connection. Having debug on stunnel client I can see:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2005.03.15 11:13:44 LOG5[2040:3964]: stunnel 4.07 on x86-pc-mingw32-gnu WIN32+IPv6 with OpenSSL 0.9.8-dev XX xxx XXXX 2005.03.15 11:13:44 LOG7[2040:2376]: Snagged 64 random bytes from C:/.rnd 2005.03.15 11:13:44 LOG7[2040:2376]: Wrote 1024 new random bytes to C:/.rnd 2005.03.15 11:13:44 LOG7[2040:2376]: RAND_status claims sufficient entropy for the PRNG 2005.03.15 11:13:44 LOG6[2040:2376]: PRNG seeded successfully 2005.03.15 11:13:44 LOG7[2040:2376]: Certificate: clcert.pem 2005.03.15 11:13:44 LOG7[2040:2376]: Key file: clcert.pem 2005.03.15 11:13:44 LOG5[2040:2376]: No limit detected for the number of clients 2005.03.15 11:13:44 LOG7[2040:2376]: FD 188 in non-blocking mode 2005.03.15 11:13:44 LOG7[2040:2376]: SO_REUSEADDR option set on accept socket 2005.03.15 11:13:44 LOG7[2040:2376]: telnet bound to 0.0.0.0:23 2005.03.15 11:13:54 LOG7[2040:2376]: telnet accepted FD=192 from 127.0.0.1:1589 2005.03.15 11:13:54 LOG7[2040:2376]: FD 192 in non-blocking mode 2005.03.15 11:13:54 LOG7[2040:2376]: Creating a new thread 2005.03.15 11:13:54 LOG7[2040:2376]: New thread created 2005.03.15 11:13:54 LOG7[2040:3588]: telnet started 2005.03.15 11:13:54 LOG5[2040:3588]: telnet connected from 127.0.0.1:1589 2005.03.15 11:13:54 LOG7[2040:3588]: FD 224 in non-blocking mode 2005.03.15 11:13:54 LOG7[2040:3588]: telnet connecting 10.36.3.144:4433 2005.03.15 11:13:54 LOG7[2040:3588]: connect_wait: waiting 10 seconds 2005.03.15 11:13:54 LOG7[2040:3588]: connect_wait: connected 2005.03.15 11:13:54 LOG7[2040:3588]: Remote FD=224 initialized 2005.03.15 11:13:54 LOG7[2040:3588]: SSL state (connect): before/connect initialization 2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 write client hello A 2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 read server hello A 2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 read server certificate A 2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 read server certificate request A 2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 read server done A 2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 write client certificate A 2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 write client key exchange A 2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 write certificate verify A 2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 write change cipher spec A 2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 write finished A 2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 flush data 2005.03.15 11:14:26 LOG7[2040:3588]: SSL state (connect): SSLv3 read finished A 2005.03.15 11:14:26 LOG7[2040:3588]: 1 items in the session cache 2005.03.15 11:14:26 LOG7[2040:3588]: 1 client connects (SSL_connect()) 2005.03.15 11:14:26 LOG7[2040:3588]: 1 client connects that finished 2005.03.15 11:14:26 LOG7[2040:3588]: 0 client renegotiatations requested 2005.03.15 11:14:26 LOG7[2040:3588]: 0 server connects (SSL_accept()) 2005.03.15 11:14:26 LOG7[2040:3588]: 0 server connects that finished 2005.03.15 11:14:26 LOG7[2040:3588]: 0 server renegotiatiations requested 2005.03.15 11:14:26 LOG7[2040:3588]: 0 session cache hits 2005.03.15 11:14:26 LOG7[2040:3588]: 0 session cache misses 2005.03.15 11:14:26 LOG7[2040:3588]: 0 session cache timeouts 2005.03.15 11:14:26 LOG6[2040:3588]: SSL connected: new session negotiated 2005.03.15 11:14:26 LOG6[2040:3588]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 2005.03.15 11:14:41 LOG7[2040:3588]: SSL alert (write): fatal: bad record mac 2005.03.15 11:14:41 LOG3[2040:3588]: SSL_read: 1408F455: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac 2005.03.15 11:14:41 LOG5[2040:3588]: Connection reset: 17 bytes sent to SSL, 190 bytes sent to socket 2005.03.15 11:14:41 LOG7[2040:3588]: telnet finished (0 left)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
This client is now running using an updated library: libeay32.dll obtained compiling openssl-SNAP-20050304 that seemed to be the solution of the problem (after searching on Internet I deduce that).
Not having solution to the problem, I know that my conclusion is not right. So if someone knows how to procede, please help me.
Thanks&Regards Maddalena Pulcini
-
Maddalena.Pulcini@seleniacomms.com