Hello,

I have a very simple relayd config:


## Macros
#
relayd_addr="xx.xx.xx.xx"
relayd_port="81"

web_port="80"
table <web_hosts> { xx.xx.xx.xx }

## Global Options
#
# Interval in seconds at which the back-end hosts
# will be checked (default: 10 seconds)
interval 10

# Timeout for back-end servers to respond. Set to
# 200 for local servers and around 1000 for servers
# on other subnets. (default: 200 milliseconds)
timeout 1000

# Number of child processes to run. (default: 5)
prefork 5

# Log state notifications after completed host
# checks. State can be up, down or unknown.
log updates

http protocol "httpfilter" {

    ### TCP performance options
    tcp { nodelay, sack, socket buffer 65536, backlog 100 }

    ### Return HTTP/HTML error pages
    return error

    ### allow logging of remote client ips to internal web servers
    header append "$REMOTE_ADDR" to "X-Forwarded-For"

    ### set Keep-Alive timeout to global timeout
    header change "Keep-Alive" to "$TIMEOUT"

    ### close connections upon receipt
    header change "Connection" to "close"

    ssl { sslv3, tlsv1, ciphers "HIGH:!ADH:!MD5", no sslv2 }
    ssl session cache disable

}

relay httpproxy {
    listen on $relayd_addr port $relayd_port ssl
    protocol "httpfilter"
    forward to <web_hosts> port $web_port mode loadbalance check icmp
}


Intermittently the client making requests to it gets this error. 90% of
the time it works without errors.

(SSL: error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check
failed) while SSL handshaking to upstream, client:

Then also, sometimes my client gets this error (this is more rare):

(SSL: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or
bad record mac) while SSL handshaking to upstream, client:

I have started relayd -vv -n and I don't get any errors, BUT
sometimes for the last error mentioned I get this error in relayd:

SSL library error: httpproxy: relay_ssl_accept: error:140943FC:SSL
routines:SSL3_READ_BYTES:sslv3 alert bad record mac
I have tried querying from the outside the relayd box directly with
this command:

openssl s_client -connect ip.of.relayd.box:81 -state -ssl3 -no_ssl2 -no_tls1

I have repeated that 100 times and I never get any errors.


My remote client can GET any other SSL website without any problem.

The cert installed in relayd is valid, with the exception that it
doesn't match the hostname being asked for, but that shouldn't be an
issue, right?

Please help.

Andres
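The poster repeated the openssl s_client probe by hand 100 times and saw no failures. The script below is an added example, not part of the original post or of relayd, that automates that probe: it runs s_client N times against a host and port you supply (HOST and PORT are placeholders), classifies each transcript by the error strings quoted in the post ("digest check failed", "bad record mac"), and prints a tally, so an intermittent failure rate can be measured rather than eyeballed. It assumes openssl(1) is on PATH; any protocol or cipher flags (such as the -ssl3 -no_ssl2 -no_tls1 the poster used) are passed through as the fourth argument.

```shell
#!/bin/sh
# Added example: repeated TLS handshake probe with outcome tally.
# Not from the original post or from relayd; HOST/PORT are placeholders.

# classify_handshake: read one s_client transcript on stdin and print a
# one-word class. Error strings are checked before the success marker,
# because s_client prints its "SSL handshake has read" summary even when
# the handshake failed.
classify_handshake() {
    out=$(cat)
    case "$out" in
        *"digest check failed"*)     echo digest ;;
        *"bad record mac"*)          echo mac ;;
        *"error:"*)                  echo other ;;
        *"SSL handshake has read"*)  echo ok ;;
        *)                           echo other ;;
    esac
}

# tally_results: read one class per line on stdin and print counts on a
# single line, e.g. "ok=98 digest=1 mac=1 other=0".
tally_results() {
    ok=0; digest=0; mac=0; other=0
    while IFS= read -r cls; do
        case "$cls" in
            ok)     ok=$((ok + 1)) ;;
            digest) digest=$((digest + 1)) ;;
            mac)    mac=$((mac + 1)) ;;
            *)      other=$((other + 1)) ;;
        esac
    done
    echo "ok=$ok digest=$digest mac=$mac other=$other"
}

# probe_handshakes HOST PORT [N] [EXTRA_OPENSSL_FLAGS]
# Runs s_client N times (default 100), mirroring the poster's -state probe,
# and prints the tally. Extra flags are intentionally unquoted so that a
# string such as "-ssl3 -no_ssl2 -no_tls1" splits into separate arguments.
probe_handshakes() {
    host=$1; port=$2; n=${3:-100}; flags=${4:-}
    i=0
    while [ "$i" -lt "$n" ]; do
        # "Q" on stdin makes s_client quit right after the handshake.
        printf 'Q\n' | openssl s_client -connect "$host:$port" -state $flags 2>&1 \
            | classify_handshake
        i=$((i + 1))
    done | tally_results
}

# Stand-alone usage: ./probe.sh HOST PORT [N] ["-ssl3 -no_ssl2 -no_tls1"]
if [ "$#" -ge 2 ]; then
    probe_handshakes "$@"
fi
```

Running the probe from the same outside vantage point as the failing client, and then from the relayd box against a backend in <web_hosts>, shows whether the "digest"/"mac" classes appear on the client-facing side only, which is the distinction the two quoted errors leave open.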