From: Amnon Cohen <[EMAIL PROTECTED]>

There are very few (if at all?) browsers that do TLS1 by default, as far as I remember.
This can be shown with s_client this way (Oscar, s_client does SSLv23 by default, just so you know :-)):

    openssl s_client -connect commerce.www.ibm.com:443 -no_tls1

Also, adding the flags '-state' and '-debug' gives you more output on what's really happening.

amnonc> How do browsers manage to connect to these defective servers?
amnonc>
amnonc> Is there any way we can make OpenSSL emulate browser behaviour?
amnonc>
amnonc> Thanks
amnonc> Amnon
amnonc>
amnonc> -----Original Message-----
amnonc> From: Oscar Jacobsson [mailto:[EMAIL PROTECTED]]
amnonc> Sent: Wednesday, October 10, 2001 7:42 PM
amnonc> To: [EMAIL PROTECTED]
amnonc> Cc: Amnon Cohen
amnonc> Subject: Re: SSL3_GET_RECORD:bad mac decode on SSLv23
amnonc>
amnonc>
amnonc> Hi!
amnonc>
amnonc> I *think* the problem you are describing is actually on the server side.
amnonc>
amnonc> IIRC this is because your s_client by default will attempt to use TLS
amnonc> 1.0 (SSL 3.1), which the server incorrectly parses as SSL 3.0 (ignoring
amnonc> the minor version number).
amnonc>
amnonc> TLS 1, which s_client assumes both parties have agreed to use, uses a
amnonc> different message authentication strategy than SSL 3.0, which is what
amnonc> the server thinks has been agreed.
amnonc>
amnonc> Thus, the server ends up generating a MAC which s_client is not able to
amnonc> verify, thus the error.
amnonc>
amnonc> If you explicitly tell s_client to only use SSL 2 or 3 this problem gets
amnonc> worked around.
amnonc>
amnonc> I'd better apologize in advance in case I've got this wrong. :-)
amnonc>
amnonc> //oscar
amnonc>
amnonc> Amnon Cohen wrote:
amnonc> >
amnonc> > Hi,
amnonc> >
amnonc> > I am having trouble performing a SSLv23 handshake to a large number of
amnonc> > servers
amnonc> > e.g.
amnonc> >
amnonc> > OpenSSL> s_client -connect commerce.www.ibm.com:443
amnonc> > Loading 'screen' into random state - done
amnonc> > CONNECTED(00000028)
amnonc> > 497:error:1408F071:SSL routines:SSL3_GET_RECORD:bad mac
amnonc> > decode:.\ssl\s3_pkt.c:383:
amnonc> >
amnonc> > with -ssl3 or ssl2, the connect succeeds.
amnonc> >
amnonc> > I have searched the archives and found this problem mentioned a number of
amnonc> > times,
amnonc> > but no explanation or solution.
amnonc> >
amnonc> > Is this a bug in the openssl client or in IBM's server.
amnonc> > If it is a bug in openssl, is a fix planned?
amnonc> >
amnonc> > If it is a bug in IBM's server, is there an argument to SSL_set_options()
amnonc> > which will work around this bug?
amnonc> >
amnonc> > Many Thanks!
amnonc> > Amnon Cohen

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
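
The MAC mismatch Oscar describes in the quoted message, as an added example that is not part of the original thread: it computes the SSL 3.0 record MAC (RFC 6101) and the TLS 1.0 record MAC (RFC 2246) over the same record and shows that a peer verifying with the other construction rejects it. The secret, sequence number and fragment are constructed sample values, the function names are hypothetical, and the same MAC secret is assumed on both sides to isolate the MAC construction.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not taken from the thread).
MAC_SECRET = bytes(range(20))            # 20-byte secret for a SHA-1 MAC
SEQ_NUM = 0                              # first protected record
CONTENT_TYPE = 22                        # handshake record (e.g. Finished)
FRAGMENT = b"constructed finished message"


def ssl3_mac(secret, seq, ctype, fragment, hash_name="sha1"):
    """SSL 3.0 record MAC: nested hash with fixed pads, version not covered."""
    pad_len = 48 if hash_name == "md5" else 40
    header = struct.pack("!QBH", seq, ctype, len(fragment))
    inner = hashlib.new(
        hash_name, secret + b"\x36" * pad_len + header + fragment
    ).digest()
    return hashlib.new(hash_name, secret + b"\x5c" * pad_len + inner).digest()


def tls1_mac(secret, seq, ctype, fragment, hash_name="sha1", version=(3, 1)):
    """TLS 1.0 record MAC: HMAC, with the record version inside the MAC input."""
    header = struct.pack("!QBBBH", seq, ctype, version[0], version[1],
                         len(fragment))
    return hmac.new(secret, header + fragment, hash_name).digest()


def receiver_accepts(sender_mac, receiver_mac):
    """True if the receiver's recomputed MAC matches the one the sender made."""
    sent = sender_mac(MAC_SECRET, SEQ_NUM, CONTENT_TYPE, FRAGMENT)
    expected = receiver_mac(MAC_SECRET, SEQ_NUM, CONTENT_TYPE, FRAGMENT)
    return hmac.compare_digest(sent, expected)


if __name__ == "__main__":
    # Server MACs as SSL 3.0, client verifies as TLS 1.0: the "bad mac" case.
    print("ssl3 -> tls1 accepted:", receiver_accepts(ssl3_mac, tls1_mac))
    # Both sides on the same version: the record verifies.
    print("ssl3 -> ssl3 accepted:", receiver_accepts(ssl3_mac, ssl3_mac))
    print("tls1 -> tls1 accepted:", receiver_accepts(tls1_mac, tls1_mac))
```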
