[OpenSIPS-Users] TLS 'Bad Record MAC' causing pain

Adrian Georgescu ag at ag-projects.com
Sat Aug 11 22:53:55 CEST 2012


I have noticed this behavior myself and I was not able to trace the cause for it yet. It happens regardless of the openssl version used.

Adrian

On Aug 11, 2012, at 12:35 AM, Jared Biel wrote:

> Hello,
> 
> We've been experiencing issues with one of our Opensips instances for
> a few months. Every now and then it appears that we get a bad packet
> that's part of TLS negotiation (Encrypted Handshake Message.) Opensips
> rejects this packet by replying with 'Bad Record MAC'. What's
> interesting is that sometimes this causes all subsequent TLS
> connections/negotiations to fail yet other times Opensips survives it.
> The only way that we've found to recover from this failure is to
> restart the daemon and we haven't found a way to reproduce it. We do
> have packet captures containing the "bad" packets.
> 
> Has anyone out there experienced this issue? We've seen it across
> different servers, operating systems and Opensips versions.
> 
> Log output:
> 
> [2012-08-10 18:38:01.08] [opensips] ERROR:core:tls_accept: New TLS
> connection from 1.2.3.4:1029 failed to accept: rejected by client
> [2012-08-10 18:38:01.08] [opensips] WARNING:core:fm_free: free(0) called
> [2012-08-10 18:38:01.08] [opensips] ERROR:core:tls_accept: New TLS
> connection from 1.2.3.4:1032 failed to accept: rejected by client
> [2012-08-10 18:38:01.08] [opensips] WARNING:core:fm_free: free(0) called
> ...
> [2012-08-10 18:38:13.72] [opensips] ERROR:core:_tls_read: TLS
> connection to 9.3.3.4:35951 read failed
> [2012-08-10 18:38:13.72] [opensips] ERROR:core:_tls_read: TLS read error: 1
> [2012-08-10 18:38:13.73] [opensips] ERROR:core:tls_print_errstack: TLS
> errstack: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption
> failed or bad record mac
> [2012-08-10 18:38:13.73] [opensips] ERROR:core:tcp_read_req: failed to read
> 
> Versions:
> 
>  Opensips: 1.8.0
>  Kernel: 3.2.0-26-virtual (Ubuntu 12.04)
>  Openssl: 1.0.1-4ubuntu5.3
> 
> Thanks,
> Jared Biel
> 
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> 




More information about the Users mailing list