[erlang-questions] SSL Server Bad record mac error

Morgan Segalis msegalis@REDACTED
Thu Jul 26 11:51:48 CEST 2012


Hi Andreas, thanks for the answer,

I have cooked up a little info function that gives me some info about processes in my Erlang server:

Here's what it gives me on the server dedicated to BlackBerries (the one that gives MAC errors):

{{[[{{gen_server_pool_proxy,init,1},
                 [<0.74.0>,<0.73.0>,<0.41.0>]}|
                1]],
              [],[],[],
              [[undefined|6]],
              [],
              [[{{ssl_connection,init,1},
                 [ssl_connection_sup,ssl_sup,<0.55.0>]}|
                38770]],
              [],[],[],
              [[{unknown,unknown}|2]],
              [[{{supervisor,muserver_sup,1},[muserver,<0.41.0>]}|1]],
              [],[],[],
              [[{{supervisor,muserver,1},[<0.41.0>]}|1],
               [{{muserver_serv,init,1},[muserver_sup,muserver,<0.41.0>]}|26556]]}}}

The muserver_serv gives me the exact number of connected clients, 26556 (cross-checked with a netstat).

However, I do get way more ssl_connection_sup than I should: 38770.
That gives me 12214 ssl processes that should not exist, if as you said, the connection should be closing cleanly.

On servers that do not get MAC errors, the numbers of SSL and TCP processes are roughly the same, within more or less 10 processes.

Best regards,

Morgan.

On 25 Jul 2012 at 12:14, Andreas Schultz wrote:

> Hi Morgan,
> 
> The connection should be closing cleanly already. The alert
> should be sent by the ssl state machine over the ssl connection
> and both sides will close.
> 
> To diagnose this further, you could try to capture the broken
> ssl session in a controlled setup. The selected crypto suite
> is in the unencrypted part of the handshake.
> If you disable all EDH ciphers, wireshark or ssldump can be
> used to decipher the encrypted part of the exchange. That
> should give you a hint what exactly is going on.
> 
> Andreas
> 
> ----- Original Message -----
>> 
>> Hi everyone,
>> 
>> 
>> I'm currently trying to find out where this error could come from:
>> 
>> 
>> 
>> =ERROR REPORT==== 23-Jul-2012::11:03:56 ===
>> SSL: certify: ssl_record.erl:654:Fatal error: bad record mac
>> 
>> 
>> The SSL function where it is coming from is decipher:
>> 
>> 
>> ---------------------------------- ssl_record.erl ----------------------------------
>> 
>> decipher(TLS=#ssl_tls{type=Type, version=Version, fragment=Fragment}, CS0) ->
>>     SP = CS0#connection_state.security_parameters,
>>     BCA = SP#security_parameters.bulk_cipher_algorithm,
>>     HashSz = SP#security_parameters.hash_size,
>>     CipherS0 = CS0#connection_state.cipher_state,
>>     case ssl_cipher:decipher(BCA, HashSz, CipherS0, Fragment, Version) of
>>         {T, Mac, CipherS1} ->
>>             CS1 = CS0#connection_state{cipher_state = CipherS1},
>>             TLength = size(T),
>>             {MacHash, CS2} = hash_and_bump_seqno(CS1, Type, Version, TLength, T),
>>             case is_correct_mac(Mac, MacHash) of
>>                 true ->
>>                     {TLS#ssl_tls{fragment = T}, CS2};
>>                 false ->
>>                     ?ALERT_REC(?FATAL, ?BAD_RECORD_MAC) %%<-------- HERE
>>             end;
>>         #alert{} = Alert ->
>>             Alert
>>     end.
>> ----------------------------------------------------------------------------------------------------
>> 
>> 
>> I'm not really sure if this error is happening at handshake, or read.
>> The thing is, the error is coming only from users connecting
>> from a BlackBerry device (can't know which OS version; I suppose it
>> comes from rather old devices).
>> 
>> 
>> If there is nothing I can do server-side, could anyone point
>> out how to handle the error, in order to close the connection
>> cleanly?
>> 
>> 
>> Regards,
>> 
>> 
>> Morgan.
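
The process census described in the message above can be reproduced with a small module like the one below. This is an added example, not code from the thread or from OTP: the module name proc_census and its function names are hypothetical, and it assumes the processes of interest were started through proc_lib (gen_server, gen_fsm, supervisor), which records '$initial_call' in the process dictionary.

```erlang
-module(proc_census).
-export([by_initial_call/0, surplus/2, sample/2]).

%% Hypothetical helper module (assumption, not from the thread).
%% Groups live processes by the '$initial_call' that proc_lib stores in
%% the process dictionary of gen_server/gen_fsm/supervisor processes.
by_initial_call() ->
    lists:foldl(fun(Pid, Acc) ->
                        orddict:append(initial_call(Pid), Pid, Acc)
                end, orddict:new(), erlang:processes()).

initial_call(Pid) ->
    case erlang:process_info(Pid, dictionary) of
        {dictionary, Dict} ->
            proplists:get_value('$initial_call', Dict, unknown);
        undefined ->                 % process exited during the scan
            exited
    end.

%% Number of TLS connection processes with no matching application
%% handler, taken from one snapshot so both counts are consistent.
surplus(SslMFA, AppMFA) ->
    Groups = by_initial_call(),
    group_size(SslMFA, Groups) - group_size(AppMFA, Groups).

group_size(MFA, Groups) ->
    case orddict:find(MFA, Groups) of
        {ok, Pids} -> length(Pids);
        error      -> 0
    end.

%% Inspect up to N processes of one kind: where each is parked, how
%% many messages are queued, and its memory footprint.
sample(MFA, N) ->
    Pids = case orddict:find(MFA, by_initial_call()) of
               {ok, L} -> lists:sublist(L, N);
               error   -> []
           end,
    [{Pid, Info} || Pid <- Pids,
                    Info <- [erlang:process_info(
                               Pid, [current_function,
                                     message_queue_len, memory])],
                    Info =/= undefined].
```

Called as proc_census:surplus({ssl_connection,init,1}, {muserver_serv,init,1}), it returns the gap between the two counts; with the figures quoted in the message that gap is 38770 - 26556 = 12214. proc_census:sample({ssl_connection,init,1}, 20) then shows the current function of a few of those processes, which indicates where lingering connections are waiting.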
