Hi,

Any help on this is greatly appreciated. I have not seen any reply to this issue so far, even on how to debug or work around this issue.

Thanks,
R. Sairam

From: Sairam Rangaswamy -X (sairanga - ARICENT TECHNOLOGIES MAURIITIUS LIMITED at Cisco)
Sent: 02 February 2014 14:18
To: '[email protected]'
Subject: bad record mac alert with openssl 1.0.1e

Hi,

I am using openssl 1.0.1e based statically linked libraries on a VxWorks based platform. We recently upgraded to FOM 4.1 from FOM 3.0 along with openssl 1.0.1e. The embedded node is running this VxWorks based library and has a Java based application packaged on the node. We connect to the node from a browser (IE or Firefox) and it downloads the jar files from the node and executes them on the desktop.

Initially it is an https connection, and the jar files get downloaded and launched on the desktop. The app itself then sets up an SSL connection to the node and the app is used for managing the node. We get random bad record mac errors (both in the Wireshark capture and reported by the browser or Java console) in any of the stages.

I went through the bugs and mailing list archives and found a couple of issues and applied those patches. But it is still giving random bad record MAC errors.

http://rt.openssl.org/Ticket/Display.html?id=3002&user=guest&pass=guest - Later I realized we are not executing on an AES-NI supported platform and this patch only applies to AES-NI capable x86/amd platforms.

Then, I followed another thread that discussed a problem in s3_cbc.c and backed out that patch also. Please see https://mailman.archlinux.org/pipermail/arch-commits/2013-February/187691.html

But still I am facing random bad record mac errors and the connection terminates. Sometimes, I am not able to connect to the node from any desktop browser. Sometimes, other machines connect and only the machine from where I see the problem does not connect. The behaviour is completely random and sometimes it works fine without any SSL alerts.

I enabled the Err_put_error macro on FIPS (FOM 4.1) and I see these two errors on the node console:

rsa_pk1.c: 192
rsa_eay.c: 671

Even with these errors, the SSL is successful sometimes and the node is working fine. From the code, I see this returns -1, and could result in bad record macs? But this is during RSA_private_decrypt and not during message decrypt.

The ciphers we use are TLS 1.1 RSA_AES_128 and RSA_AES_256 ciphers. Another input is that this problem is seen only when FIPS mode is enabled on the node.

Any help on this is appreciated. We are in a critical release phase and hit this problem at the last minute.

Thanks,
R. Sairam
