[ 
https://issues.apache.org/jira/browse/TS-3424?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14356970#comment-14356970
 ] 

Sudheer Vinukonda commented on TS-3424:
---------------------------------------

[~briang]: Can you try the patch below, which clears the error queue in the 
current thread before performing an SSL I/O? 

From {{https://www.openssl.org/docs/ssl/SSL_get_error.html}}:

"In addition to ssl and ret, SSL_get_error() inspects the current thread's 
OpenSSL error queue. Thus, SSL_get_error() must be used in the same thread that 
performed the TLS/SSL I/O operation, and no other OpenSSL function calls should 
appear in between. The current thread's error queue must be empty before the 
TLS/SSL I/O operation is attempted, or SSL_get_error() will not work reliably."

{code}
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 3033fcc..4e58d02 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -1889,6 +1889,7 @@ SSLWriteBuffer(SSL * ssl, const void * buf, int64_t 
nbytes, int64_t& nwritten)
     return SSL_ERROR_NONE;
   }
 
+  ERR_clear_error();
   int ret = SSL_write(ssl, buf, (int)nbytes);
   if (ret > 0) {
     nwritten = ret;
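Review bot: The ERR_clear_error() added before SSL_write() in SSLWriteBuffer silently discards whatever was already queued on this thread, so the code that left the stale entries stays hidden. Consider draining the queue with ERR_get_error() and logging each entry at debug level before clearing, at least while TS-3424 is being diagnosed, so the real source of the leftover errors can be identified and fixed as well.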
@@ -1911,6 +1912,7 @@ SSLReadBuffer(SSL * ssl, void * buf, int64_t nbytes, 
int64_t& nread)
     return SSL_ERROR_NONE;
   }
 
+  ERR_clear_error();
   int ret = SSL_read(ssl, buf, (int)nbytes);
   if (ret > 0) {
     nread = ret;
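Review bot: The new ERR_clear_error() call in SSLReadBuffer has no comment explaining why it is there, and a bare clear directly above SSL_read() is easy to remove later as apparently redundant. Add a one-line comment stating that SSL_get_error() requires the thread's error queue to be empty before the I/O call, as the SSL_get_error documentation quoted with this patch says.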
@@ -1923,6 +1925,7 @@ SSLReadBuffer(SSL * ssl, void * buf, int64_t nbytes, 
int64_t& nread)
 ssl_error_t
 SSLAccept(SSL * ssl)
 {
+  ERR_clear_error();
   int ret = SSL_accept(ssl);
   if (ret > 0) {
     return SSL_ERROR_NONE;
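Review bot: Style point on SSLAccept: this is the third of four wrappers that now carry the same ERR_clear_error() line by hand, so a wrapper added later can miss it and bring the same misclassification back. Consider one small inline helper that clears the queue and is called at the top of every wrapper that issues an SSL I/O call, so the precondition lives in a single place.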
@@ -1934,6 +1937,7 @@ SSLAccept(SSL * ssl)
 ssl_error_t
 SSLConnect(SSL * ssl)
 {
+  ERR_clear_error();
   int ret = SSL_connect(ssl);
   if (ret > 0) {
     return SSL_ERROR_NONE;
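Review bot: In SSLConnect the clear covers only the first half of the requirement quoted with this patch; the second half is that no other OpenSSL call may appear between the I/O call and SSL_get_error(). The failure path after `if (ret > 0)` is not visible in this hunk, so please confirm that it calls SSL_get_error() immediately, before any logging or cleanup that might touch the error queue. The same check applies to the other three wrappers.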
{code}

> SSL error: SSL3_GET_RECORD:decryption failed or bad record mac
> --------------------------------------------------------------
>
>                 Key: TS-3424
>                 URL: https://issues.apache.org/jira/browse/TS-3424
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Core, SSL
>            Reporter: Brian Geffon
>            Assignee: Brian Geffon
>             Fix For: 6.0.0
>
>         Attachments: ts-3424-2.diff, ts-3424-3.diff, ts-3424-for-52-2.diff, 
> ts-3424-for-52.diff, ts-3424.diff, undo-handshake-buffer.diff
>
>
> Starting with 5.2.x we're seeing SSL_ERROR_SSL type errors in 
> {{ssl_read_from_net}}, when calling OpenSSL's {{ERR_error_string_n}} we see 
> the error is {{1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad 
> record mac}}. 
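The failure mode the quoted SSL_get_error() documentation describes can be shown with a simplified model (an added example, not code from Traffic Server or OpenSSL). It does not link against OpenSSL: every `model_*` name is hypothetical, and the stale entry reuses the error code from the report as a constructed sample.

```c
#include <stdio.h>

/* Simplified model of OpenSSL's per-thread error queue and of the check
 * SSL_get_error() makes on it. All model_* names are hypothetical. */
enum { MODEL_ERROR_NONE, MODEL_ERROR_SSL, MODEL_ERROR_WANT_READ };

#define QUEUE_MAX 16
static unsigned long queue[QUEUE_MAX]; /* stands in for the thread's queue */
static int queue_len = 0;

static void model_put_error(unsigned long code) {
    if (queue_len < QUEUE_MAX) queue[queue_len++] = code;
}
static void model_clear_error(void) { queue_len = 0; } /* ERR_clear_error() */

/* Non-blocking read with no data available: returns -1, queues nothing. */
static int model_read_would_block(void) { return -1; }

/* Like SSL_get_error(): on ret <= 0 a non-empty queue is reported as a
 * protocol failure before the want-read state is considered. */
static int model_get_error(int ret) {
    if (ret > 0) return MODEL_ERROR_NONE;
    if (queue_len > 0) return MODEL_ERROR_SSL;
    return MODEL_ERROR_WANT_READ;
}

/* Read wrapper; clear_first mirrors the patched SSLReadBuffer(). */
int model_read_buffer(int clear_first) {
    if (clear_first) model_clear_error();
    int ret = model_read_would_block();
    return model_get_error(ret);
}

/* An earlier, unrelated operation on this thread failed and left an entry
 * behind (constructed scenario). Returns how the next read is classified. */
int classify_after_stale_error(int clear_first) {
    model_clear_error();
    model_put_error(0x1408F119UL); /* sample stale entry */
    return model_read_buffer(clear_first);
}

int main(void) {
    printf("unpatched: %d\n", classify_after_stale_error(0));
    printf("patched:   %d\n", classify_after_stale_error(1));
    return 0;
}
```

Without the clear, a read that merely needs to be retried is reported as a fatal SSL error and the connection is dropped; with it, the same read is classified as want-read.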


