Then there’s two approaches and you can try either or both:

- get someone who can look at the Debian/Ubuntu version, which clearly differs from upstream. Maybe the Debian and/or Ubuntu packagers can help you. Maybe some other developer (though none has stepped forward here). Maybe you can get source and work on it yourself.

- get “standard” source from www.openssl.org and build it yourself. (DON’T overwrite the package-managed version if at all possible; put yours somewhere else like your home dir or /var/mystuff. The config or Configure script has options for this.)

If you can reproduce the problem with a standard version, this list and/or the OpenSSL devs can help. If the problem occurs only in the Debian/Ubuntu version, then you need someone who can look there specifically. Which isn’t me, sorry.

 

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of davidsnt
Sent: Tuesday, July 22, 2014 05:59
To: openssl-users
Subject: Re: Openssl SSL3_GET_RECORD:block cipher pad is wrong

 

Hello Dave,

Thank you for your response, yes I am using Ubuntu 12.0 and recently did a 
ubuntu openssl page upgrade and got ubuntu 1.0.1-4ubuntu5.14 installed

OpenSSL 1.0.1 14 Mar 2012
built on: Fri Jun 20 18:54:15 UTC 2014
platform: debian-amd64

As you pointed out, yes, the server preference is set on the origin side.

--David

 

On Tue, Jul 22, 2014 at 9:17 AM, Dave Thompson <dthomp...@prinpay.com> wrote:

You can’t be running 1.0.1 as released; it doesn’t have BLOCK_CIPHER_PAD_IS_WRONG in s3_pkt at all (instead in s3_enc and t1_enc) and doesn’t have UNKNOWN_ALERT_TYPE at that line number. BLOCK_CIPHER_PAD is at 419 in 1.0.1e through g, and UNKNOWN_ALERT_TYPE shortly before (but not at) 1270 in 1.0.1 (original) through g.

Google finds https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742152 reporting (in March through May) 1408F081 and some other “shouldn’t happen” errors but without source/line#s, against several Debian-patched builds of 1.0.1e. Are you using a Debian or Debian-derived build? If not, did you build it yourself, and how, or who did?
 
Also BTW: with HIGH (and nothing else added) !MD5 and !EXP are redundant.
And moving to end exactly one of the several dozen (new) SHA2 suites 
doesn’t make particular sense. (+3DES makes some sense, because on 
many CPUs now 3DES is slower than AES and possibly less secure.
Although this makes a difference only if server preference is set.)

 

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of davidsnt
Sent: Monday, July 21, 2014 07:03
To: openssl-users
Subject: Openssl SSL3_GET_RECORD:block cipher pad is wrong

 

Hi,

I recently changed my cipher ordering on my web server to drop RC4 support and currently I have HIGH:!RC4:!MD5:!aNULL:!EDH:!EXP:+ECDHE-RSA-AES128-SHA256:+3DES on my Origin.

On the other side my proxy load balancer which acts as the reverse proxy supports the following cipher suites RC4:HIGH:!aNULL:!MD5

 

Both the origin server and proxy run the same openssl version

OpenSSL 1.0.1 14 Mar 2012

I see the following errors on my origin server logs from when I changed the cipher suite to HIGH:!RC4:!MD5:!aNULL:!EDH:!EXP:+ECDHE-RSA-AES128-SHA256:+3DES

07/16 08:29:23.712888 ssl_support.c:158 ssl[31473] ERR (76:accept:[xxx.xxx.xxx.xx]:60004:443): OpenSSL Error 336130177 in s3_pkt.c:410 is 'error:1408F081:SSL routines:SSL3_GET_RECORD:block cipher pad is wrong'

07/16 13:06:51.721824 ssl_support.c:158 ssl[16812] ERR (105:accept:[xxx.xxx.xxx.xx]:44048:443): OpenSSL Error 336150774 in s3_pkt.c:1270 is 'error:140940F6:SSL routines:SSL3_READ_BYTES:unknown alert type'

I couldn't find why these errors are triggered, can you please help me with some information on the errors and let me know the best way to fix it.



--David
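
Added example (not from any message in this thread, and not OpenSSL or Debian code): a short Python script that decodes the two logged error codes and compares the reported file and line with the stock 1.0.1e through 1.0.1g location given in the reply, which is how a distribution-patched build shows up. The function names, the regular expression and the reference table are assumptions of this example; the log lines are the ones posted above.

```python
import re

# OpenSSL 1.0.x packs an error code as 8-bit library, 12-bit function and
# 12-bit reason (ERR_PACK in err.h); the log shows it in decimal and in hex.
def unpack_err(code):
    return {"hex": "%08X" % code, "lib": (code >> 24) & 0xFF,
            "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF}

LOG_RE = re.compile(
    r"OpenSSL Error (?P<dec>\d+) in (?P<file>[\w.]+):(?P<line>\d+) is "
    r"'error:(?P<hex>[0-9A-Fa-f]{8}):[^:]*:(?P<func>[^:]*):(?P<reason>[^']*)'")

def parse_line(text):
    """Return the decoded error for one log line, or None if it has none."""
    m = LOG_RE.search(text)
    if m is None:
        return None
    rec = unpack_err(int(m.group("dec")))
    rec.update(file=m.group("file"), line=int(m.group("line")),
               func_name=m.group("func"), reason_text=m.group("reason"),
               # the decimal and hex renderings must describe the same code
               consistent=(rec["hex"] == m.group("hex").upper()))
    return rec

# Reference location quoted from the reply in this thread: stock 1.0.1e
# through 1.0.1g report this reason from s3_pkt.c line 419.
UPSTREAM_1_0_1E_TO_G = {"block cipher pad is wrong": ("s3_pkt.c", 419)}

def differs_from_upstream(rec, reference=UPSTREAM_1_0_1E_TO_G):
    """True or False if the reason is in the reference table, None if not."""
    expected = reference.get(rec["reason_text"])
    return None if expected is None else (rec["file"], rec["line"]) != expected

# The two log entries from the first post, each joined onto one line.
SAMPLE_LOG = [
    "07/16 08:29:23.712888 ssl_support.c:158 ssl[31473] ERR (76:accept:[xxx.xxx.xxx.xx]:60004:443): OpenSSL Error 336130177 in s3_pkt.c:410 is 'error:1408F081:SSL routines:SSL3_GET_RECORD:block cipher pad is wrong'",
    "07/16 13:06:51.721824 ssl_support.c:158 ssl[16812] ERR (105:accept:[xxx.xxx.xxx.xx]:44048:443): OpenSSL Error 336150774 in s3_pkt.c:1270 is 'error:140940F6:SSL routines:SSL3_READ_BYTES:unknown alert type'",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        rec = parse_line(entry)
        print(rec["hex"], rec["func_name"], rec["reason_text"],
              "%s:%d" % (rec["file"], rec["line"]),
              "differs from upstream:", differs_from_upstream(rec))
```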

 
