[stunnel-users] SSL_read: 1408F455: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac problem

Maddalena.Pulcini at seleniacomms.com Maddalena.Pulcini at seleniacomms.com
Tue Mar 15 12:38:46 CET 2005 

Hi, someone could help me?

I am using stunnel (4.07) as ssl client to do telnet to my router with ssl server (openssl 0.9.7d).

Stunnel is configured in this way:

==========================
client = yes

debug=7
cert=clcert.pem
[telnet]
accept = 23
connect = 10.36.3.144:4433
==========================

My router's configuration is:

==========================
-Verify 4
-cert cert.pem
==========================

The exchange of packets:

==========================
client sends=======>      Client Hello
server sends======>       Server Hello,Certificate, Certificate Request,Server Hello Done
client sends======>        Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message

server sends=====>         Change Cipher Spec, Encrypted Handshake Message and then Application Data.

After sending a number of Application Data by the server, client sends Encrypted Alert and closes the connection.
Having debug on stunnel client I can see:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2005.03.15 11:13:44 LOG5[2040:3964]: stunnel 4.07 on x86-pc-mingw32-gnu WIN32+IPv6 with OpenSSL 0.9.8-dev XX xxx XXXX
2005.03.15 11:13:44 LOG7[2040:2376]: Snagged 64 random bytes from C:/.rnd
2005.03.15 11:13:44 LOG7[2040:2376]: Wrote 1024 new random bytes to C:/.rnd
2005.03.15 11:13:44 LOG7[2040:2376]: RAND_status claims sufficient entropy for the PRNG
2005.03.15 11:13:44 LOG6[2040:2376]: PRNG seeded successfully
2005.03.15 11:13:44 LOG7[2040:2376]: Certificate: clcert.pem
2005.03.15 11:13:44 LOG7[2040:2376]: Key file: clcert.pem
2005.03.15 11:13:44 LOG5[2040:2376]: No limit detected for the number of clients
2005.03.15 11:13:44 LOG7[2040:2376]: FD 188 in non-blocking mode
2005.03.15 11:13:44 LOG7[2040:2376]: SO_REUSEADDR option set on accept socket
2005.03.15 11:13:44 LOG7[2040:2376]: telnet bound to 0.0.0.0:23
2005.03.15 11:13:54 LOG7[2040:2376]: telnet accepted FD=192 from 127.0.0.1:1589
2005.03.15 11:13:54 LOG7[2040:2376]: FD 192 in non-blocking mode
2005.03.15 11:13:54 LOG7[2040:2376]: Creating a new thread
2005.03.15 11:13:54 LOG7[2040:2376]: New thread created
2005.03.15 11:13:54 LOG7[2040:3588]: telnet started
2005.03.15 11:13:54 LOG5[2040:3588]: telnet connected from 127.0.0.1:1589
2005.03.15 11:13:54 LOG7[2040:3588]: FD 224 in non-blocking mode
2005.03.15 11:13:54 LOG7[2040:3588]: telnet connecting 10.36.3.144:4433
2005.03.15 11:13:54 LOG7[2040:3588]: connect_wait: waiting 10 seconds
2005.03.15 11:13:54 LOG7[2040:3588]: connect_wait: connected
2005.03.15 11:13:54 LOG7[2040:3588]: Remote FD=224 initialized
2005.03.15 11:13:54 LOG7[2040:3588]: SSL state (connect): before/connect initialization
2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 write client hello A
2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 read server hello A
2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 read server certificate A
2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 read server certificate request A
2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 read server done A
2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 write client certificate A
2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 write client key exchange A
2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 write certificate verify A
2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 write change cipher spec A
2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 write finished A
2005.03.15 11:13:55 LOG7[2040:3588]: SSL state (connect): SSLv3 flush data
2005.03.15 11:14:26 LOG7[2040:3588]: SSL state (connect): SSLv3 read finished A
2005.03.15 11:14:26 LOG7[2040:3588]:    1 items in the session cache
2005.03.15 11:14:26 LOG7[2040:3588]:    1 client connects (SSL_connect())
2005.03.15 11:14:26 LOG7[2040:3588]:    1 client connects that finished
2005.03.15 11:14:26 LOG7[2040:3588]:    0 client renegotiatations requested
2005.03.15 11:14:26 LOG7[2040:3588]:    0 server connects (SSL_accept())
2005.03.15 11:14:26 LOG7[2040:3588]:    0 server connects that finished
2005.03.15 11:14:26 LOG7[2040:3588]:    0 server renegotiatiations requested
2005.03.15 11:14:26 LOG7[2040:3588]:    0 session cache hits
2005.03.15 11:14:26 LOG7[2040:3588]:    0 session cache misses
2005.03.15 11:14:26 LOG7[2040:3588]:    0 session cache timeouts
2005.03.15 11:14:26 LOG6[2040:3588]: SSL connected: new session negotiated
2005.03.15 11:14:26 LOG6[2040:3588]: Negotiated ciphers: AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
2005.03.15 11:14:41 LOG7[2040:3588]: SSL alert (write): fatal: bad record mac
2005.03.15 11:14:41 LOG3[2040:3588]: SSL_read: 1408F455: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
2005.03.15 11:14:41 LOG5[2040:3588]: Connection reset: 17 bytes sent to SSL, 190 bytes sent to socket
2005.03.15 11:14:41 LOG7[2040:3588]: telnet finished (0 left)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

This client is now running using an updated library: libeay32.dll obtained compiling openssl-SNAP-20050304 that seemed to be the solution of the
problem (after searching on Internet I deduce that).

Not having solution to the problem, I know that my conclusion is not right. So if someone knows how to procede, please help me.



Thanks&Regards
Maddalena Pulcini

More information about the stunnel-users mailing list