[Pkg-openssl-devel] Bug#678353: Bug#678353: openssl: Similar error here; upstream report available

Benjamin Eikel benjamin at eikel.org
Wed Feb 27 08:34:33 UTC 2013


Hello Kurt,

On Tuesday, 26 February 2013, 18:17:16 you wrote:
> On Tue, Feb 26, 2013 at 09:14:59AM +0100, Benjamin Eikel wrote:
> > Hello,
> > 
> > On Monday, 25 February 2013, 18:35:18 Kurt Roeckx wrote:
> > > On Mon, Feb 25, 2013 at 05:31:41PM +0100, Benjamin Eikel wrote:
> > > > Package: openssl
> > > > Version: 1.0.1e-1
> > > > Followup-For: Bug #678353
> > > > 
> > > > Hello,
> > > > 
> > > > I suffer from a similar problem. When I use openssl s_client (for
> > > > example to connect to a mail server), the connection dies with the
> > > > following error message after issuing the first command:
> > > > 140551174117032:error:1408F119:SSL
> > > > routines:SSL3_GET_RECORD:decryption failed or bad record
> > > > mac:s3_pkt.c:484:
> > > > 
> > > > I am quite sure that this is related to the upstream discussion at
> > > > http://www.mail-archive.com/openssl-dev@openssl.org/msg32009.html
> > > 
> > > That issue only affected 1.0.1d which was never uploaded to
> > > Debian.  I've waited for the 1.0.1e version because of that.
> > 
> > shall I open a new bug report?
> 
> Do you want to report it with upstream?  Just send a mail to
> rt at openssl.org
> 
> > > > It seems to occur only on machines with AES-NI support (which my
> > > > machine is).
> > > 
> > > I'm not seeing any issues, and I have aesni support myself.
> > > 
> > > Is this a public mail server we can connect to, to try and debug?
> > 
> > Yes, it is. I used the following command:
> > openssl s_client -connect mail.uni-paderborn.de:465
> 
> That works for me ...

the connection works for me, too. It dies when issuing the first command (e.g. 
EHLO test). Does the additional command work for you, too? Do you test on a 
machine with AES-NI support?
The output is attached to this mail. Can I somehow produce more debugging 
output? /usr/bin/openssl is built without debugging symbols as far as I can 
see, so gdb does not work out of the box (libssl1.0.0-dbg is installed).

Kind regards
Benjamin
-------------- next part --------------
openssl s_client -bugs -connect mail.uni-paderborn.de:465
CONNECTED(00000003)
depth=3 C = DE, O = Deutsche Telekom AG, OU = T-TeleSec Trust Center, CN = Deutsche Telekom Root CA 2
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=DE/O=Universitaet Paderborn/OU=Zentrum fuer Informations- und Medientechnologien (IMT)/CN=mail.uni-paderborn.de
   i:/C=DE/O=Universitaet Paderborn/OU=IMT (Zentrum fuer Informations- und Medientechnologien)/CN=Universitaet Paderborn CA - G01/emailAddress=ca at uni-paderborn.de
 1 s:/C=DE/O=Universitaet Paderborn/OU=IMT (Zentrum fuer Informations- und Medientechnologien)/CN=Universitaet Paderborn CA - G01/emailAddress=ca at uni-paderborn.de
   i:/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01
 2 s:/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01
   i:/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
 3 s:/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
   i:/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
---
Server certificate
subject=/C=DE/O=Universitaet Paderborn/OU=Zentrum fuer Informations- und Medientechnologien (IMT)/CN=mail.uni-paderborn.de
issuer=/C=DE/O=Universitaet Paderborn/OU=IMT (Zentrum fuer Informations- und Medientechnologien)/CN=Universitaet Paderborn CA - G01/emailAddress=ca at uni-paderborn.de
---
No client certificate CA names sent
---
SSL handshake has read 5803 bytes and written 646 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: FD782807B951F190803C867CF3AF1B882E79536F1FA4A7080CCB23C3E3BA2003
    Session-ID-ctx: 
    Master-Key: 4047342A05A19622D1B0E39653131DD84A7D322F7F33DE262B3BA783C6AAE509DA4CB1B895154883241501648DB2625E
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1361953559
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
220 mail.uni-paderborn.de ESMTP Exim 4.72 (spheron) Wed, 27 Feb 2013 09:26:03 +0100
EHLO test
139646812346024:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:484:
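
The error-queue line reported in this message, parsed and decoded field by field, as an added example that is not part of the original mail or of OpenSSL: it assumes the OpenSSL 1.0.x packing of error codes (8-bit library, 12-bit function, 12-bit reason), and the function names are hypothetical. It also rejoins the copy that the mail client wrapped inside the quoted report.

```python
import re

# One entry of the OpenSSL error queue as printed by s_client:
#   <thread id>:error:<packed code>:<lib>:<func>:<reason>:<file>:<line>:
ERR_LINE = re.compile(
    r"(?<!\S)(?P<tid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):"
)
QUOTE_PREFIX = re.compile(r"^(?:>\s?)+")  # "> > > > " reply markers

# Numeric values from the OpenSSL 1.0.x headers (err.h, ssl.h).
ERR_LIB_SSL = 20
SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC = 281


def unquote_and_join(text):
    """Drop mail quote markers and rejoin lines the mail client wrapped."""
    parts = (QUOTE_PREFIX.sub("", ln).strip() for ln in text.splitlines())
    return " ".join(p for p in parts if p)


def parse_errors(text):
    """Return every error-queue entry in text with its packed code unpacked."""
    records = []
    for m in ERR_LINE.finditer(unquote_and_join(text)):
        rec = m.groupdict()
        code = int(rec["code"], 16)
        # Assumed layout (OpenSSL 1.0.x): lib << 24 | func << 12 | reason.
        rec["lib_num"] = (code >> 24) & 0xFF
        rec["func_num"] = (code >> 12) & 0xFFF
        rec["reason_num"] = code & 0xFFF
        rec["line"] = int(rec["line"])
        records.append(rec)
    return records


def is_bad_record_mac(rec):
    """True when the numeric code, not just the text, says bad record MAC."""
    return (rec["lib_num"] == ERR_LIB_SSL
            and rec["reason_num"] == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC)


# The two occurrences on this page: wrapped inside the quoted report, and
# unwrapped at the end of the attached s_client output.
QUOTED = """> > > > 140551174117032:error:1408F119:SSL
> > > > routines:SSL3_GET_RECORD:decryption failed or bad record
> > > > mac:s3_pkt.c:484:"""
ATTACHED = ("EHLO test\n139646812346024:error:1408F119:SSL routines:"
            "SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:484:")

if __name__ == "__main__":
    for rec in parse_errors(QUOTED) + parse_errors(ATTACHED):
        print(rec["tid"], rec["func"], rec["reason_num"], is_bad_record_mac(rec))
```

Both copies decode to the same library, function and reason numbers; only the leading thread id differs between the two runs.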