Re: [openssl-users] How to debug SSLV3_ALERT_BAD_RECORD_MAC

2017-04-26 Thread Viktor Dukhovni

> On Apr 26, 2017, at 3:39 AM, Matt Caswell wrote:
> 
> I'd start by looking at the end-to-end pipe between the client SSL/TLS
> stack and the server stack and validating that the records look sane and
> unchanged at each step.

Well before that, I'd try to find out what's different about the 1.0.2k
handshake, by comparing the negotiated protocol, ciphersuite and extensions
with those negotiated with the previous version used.

It would be appropriate to post which version of OpenSSL was used previously.
It is also important to make sure that the headers and dev libraries are from
the same 1.0.2 release and that the run-time libraries are in fact also from
1.0.2 (same patch level or higher).

-- 
Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] How to debug SSLV3_ALERT_BAD_RECORD_MAC

2017-04-26 Thread Matt Caswell


On 25/04/17 22:37, craig_we...@trendmicro.com wrote:
> We have recently upgraded our product to 1.0.2k.  We are getting this
> error on a packet sent to us from our browser-based user interface.  I
> really need some suggestions as to how to debug this problem.  I know it
> is in our code rather than OpenSSL but I have no idea how to dig into
> what is happening.

Is this a reproducible problem? Normally bad_record_mac would only occur
if there was some implementation issue in the SSL/TLS stack itself or if
something is corrupting the records after they have been generated by
the stack.

I'd start by looking at the end-to-end pipe between the client SSL/TLS
stack and the server stack and validating that the records look sane and
unchanged at each step.

If that doesn't pin-point the problem then you may need to dig a little
deeper. bad_record_mac can cover a multitude of sins. You need to figure
out what specific sin you are committing. If it was me I would be
instrumenting the OpenSSL code in this area to see what it thinks it is
barfing on. You might want to start with the tls1_enc() function in
ssl/t1_enc.c. If it's a non-AEAD ciphersuite then you may need to look at
tls1_mac() too (also in ssl/t1_enc.c). Possibly parts of
ssl3_get_record() in ssl/s3_pkt.c.

Hope that helps,

Matt
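
The record-level comparison suggested in the message above, as an added example that is not part of the original thread or of OpenSSL: it parses one direction of a raw TLS stream captured at two points in the pipe, checks each record header for sanity, and reports the first record that changed in transit. The function names, the two-capture setup and the sample bytes are assumptions made for illustration; the sample data is constructed.

```python
import struct

CONTENT_TYPES = {20, 21, 22, 23}   # change_cipher_spec, alert, handshake, application_data
MAX_CIPHERTEXT = 2**14 + 2048      # RFC 5246 upper bound on TLSCiphertext.length

def parse_records(stream):
    """Split one direction of a raw TLS byte stream into (type, version, body) records."""
    records, off = [], 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError(f"truncated record header at offset {off}")
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, off)
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype} at offset {off}")
        if major != 3 or minor > 3:            # SSLv3 through TLS 1.2, as spoken by OpenSSL 1.0.2
            raise ValueError(f"unexpected version {major}.{minor} at offset {off}")
        if length > MAX_CIPHERTEXT:
            raise ValueError(f"oversized record ({length} bytes) at offset {off}")
        body = stream[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError(f"truncated record body at offset {off}")
        records.append((ctype, (major, minor), body))
        off += 5 + length
    return records

def first_difference(sent, received):
    """Return (record index, description) for the first mismatch, or None if identical."""
    a, b = parse_records(sent), parse_records(received)
    for i, (ra, rb) in enumerate(zip(a, b)):
        if ra[:2] != rb[:2]:
            return (i, "header differs")
        if len(ra[2]) != len(rb[2]):
            return (i, "length differs")
        for j, (x, y) in enumerate(zip(ra[2], rb[2])):
            if x != y:
                return (i, f"body byte {j} differs")
    if len(a) != len(b):
        return (min(len(a), len(b)), "record count differs")
    return None

def record(ctype, body, version=(3, 3)):
    """Build one constructed record for the sample data below."""
    return struct.pack("!BBBH", ctype, *version, len(body)) + body

# Constructed sample: what the client stack wrote, and the same stream after
# a hypothetical middlebox flipped one bit in the application_data record.
SENT = record(22, b"\x01" * 8) + record(20, b"\x01") + record(23, bytes(range(32)))
RECEIVED = bytearray(SENT)
RECEIVED[-4] ^= 0x01

if __name__ == "__main__":
    print(first_difference(SENT, bytes(RECEIVED)))
```

A single changed byte inside an encrypted record is enough for the receiving stack to fail the MAC or AEAD tag check and send bad_record_mac, so the first differing record is the place to start looking.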





[openssl-users] How to debug SSLV3_ALERT_BAD_RECORD_MAC

2017-04-25 Thread craig_we...@trendmicro.com

We have recently upgraded our product to 1.0.2k. We are getting this error on
a packet sent to us from our browser-based user interface. I really need some
suggestions as to how to debug this problem. I know it is in our code rather
than OpenSSL but I have no idea how to dig into what is happening.



Craig Weeks | Sr. Software Developer, Support Response Team (SRT), Trend Micro 
Inc.

11305 Alterra Parkway, Austin, TX  78758

