decryption failed or bad record mac (was: tlsv1 alert decrypt error)

Mon, 06 Mar 2017 15:36:13 -0800 

Thanks for moving the thread to the correct place!

* Bob Beck [2017-03-06 15:49]:

And as joel mentioned, a fix is already arriving for this - there was a bug
in SSLv2 compatible handshake initiation,


Joel sent me a patch which appeared here:

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/ssl_packet.c.diff?r1=1.4&r2=1.5&sortby=date

And with this patch (I assume it's part of the most recent snapshot) the
error message got different

28 Feb snapshot: ACCEPT_SR_KEY_EXCH:tlsv1 alert decrypt error
Today's snapshot: ACCEPT_SR_CERT_VRFY:decryption failed or bad record mac

And as the error message is different now, I'm changing the subject to
get a new thread.

Either there a different fix which I'm still missing or this is
a completely new issue. In either case I'm happy to assist with
debugging this, I could even try to collect some packets.


and Paypal still has it enabled... (yeeeeeeuch)


On good side (for the project), I trigger new emails from PayPal by
sending some EUR to the foundation. I hope this won't delay the final
fix from coming! :)


On Mon, Mar 6, 2017 at 3:48 PM, Bob Beck <b...@obtuse.com> wrote:



Move it to tech@ from misc.. not libressl.. libressl is not special ;)

On Mon, Mar 6, 2017 at 3:21 PM, Kirill Miazine <k...@krot.org> wrote:


Moving to libressl@ from misc@, as it's a LibreSSL issue.

* Joel Sing [2017-03-05 23:01]:

On Thursday 02 March 2017 13:28:08 Kirill Miazine wrote:



Recently I've noticed a number of error messages in my Exim mail log:

    TLS error on connection from mx1.slc.paypal.com (mx0.slc.paypal.com
)
[173.0.84.226] \ (SSL_accept): error:1403741B:SSL
routines:ACCEPT_SR_KEY_EXCH:tlsv1 alert decrypt error TLS client
disconnected cleanly (rejected our certificate?)



This is most likely the same issue as that reported on the libressl@
mailing
list a day or so ago - expect a fix to arrive shortly.



I rebuilt exim on latest snapshot (OpenBSD 6.1-beta (GENERIC.MP) #213:
Mon Mar  6 12:31:59 MST 2017) and the error looks different now:

TLS error on connection from mx0.phx.paypal.com [66.211.168.230] \
   (SSL_accept): error:14039119:SSL routines:ACCEPT_SR_CERT_VRFY:decryption
\
   failed or bad record mac


--
   -- Kirill Miazine <k...@krot.org>






--
   -- Kirill Miazine <k...@krot.org>























					Reply via email to