[erlang-questions] SSL Server Bad record mac error

Andreas Schultz aschultz@REDACTED
Wed Jul 25 12:14:33 CEST 2012 

Hi Morgan,

The connection should be closing cleanly already. The alert
should be sent by the ssl state machine over the ssl connection
and both sides will close.

To diagnose this further, you could try to capture the broken
ssl session in a controlled setup. The selected crypto suite
is in the unecrypted part of the handshake.
If you disable all EDH ciphers, wireshark or ssldump can be
used to decipher the encrypted part of the exchange. That
should give you a hint what excatly is going on.

Andreas

----- Original Message -----
> 
> Hi everyone,
> 
> 
> I'm currently trying to find out, where could come from this error :
> 
> 
> 
> =ERROR REPORT==== 23-Jul-2012::11:03:56 ===
> SSL: certify: ssl_record.erl:654:Fatal error: bad record mac
> 
> 
> The SSL function where it is coming from is decipher:
> 
> 
> ---------------------------------- ssl_record.erl
> ---------------------------------------------
> 
> 
> 
> decipher(TLS=#ssl_tls{type=Type, version=Version, fragment=Fragment},
> CS0) ->
> SP = CS0#connection_state.security_parameters,
> BCA = SP#security_parameters.bulk_cipher_algorithm,
> HashSz = SP#security_parameters.hash_size,
> CipherS0 = CS0#connection_state.cipher_state,
> case ssl_cipher:decipher(BCA, HashSz, CipherS0, Fragment, Version) of
> {T, Mac, CipherS1} ->
> CS1 = CS0#connection_state{cipher_state = CipherS1},
> TLength = size(T),
> {MacHash, CS2} = hash_and_bump_seqno(CS1, Type, Version, TLength, T),
> case is_correct_mac(Mac, MacHash) of
> true ->
> {TLS#ssl_tls{fragment = T}, CS2};
> false ->
> ?ALERT_REC(?FATAL, ?BAD_RECORD_MAC) %%<-------- HERE
> end;
> #alert{} = Alert ->
> Alert
> end.
> ----------------------------------------------------------------------------------------------------
> 
> 
> I'm not really sure if this error is happening at handshake, or read.
> The thing is, the error is only coming only from users connecting
> from a BlackBerry device (Can't know which OS version, I suppose it
> comes from rather old devices).
> 
> 
> If there is nothing I can't do server-side, does anyone could point
> out how to handle the error, in order to close cleanly the
> connection ?
> 
> 
> Regards,
> 
> 
> Morgan.
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
> 

-- 
-- 
Dipl. Inform.
Andreas Schultz

email: as@REDACTED
phone: +49-391-819099-224
mobil: +49-170-2226073

------------------ managed broadband access ------------------

Travelping GmbH               phone:           +49-391-8190990
Roentgenstr. 13               fax:           +49-391-819099299
D-39108 Magdeburg             email:       info@REDACTED
GERMANY                       web:   http://www.travelping.com

Company Registration: HRB21276 Handelsregistergericht Chemnitz
Geschaeftsfuehrer: Holger Winkelmann | VAT ID No.: DE236673780
--------------------------------------------------------------

More information about the erlang-questions mailing list