[Pkg-openssl-devel] Bug#1131904: libssl3t64: "LS alert, bad record mac (532)" / "decryption failed or bad record mac" since 3.6.1 on ppc64

Jeffrey Walton noloader at gmail.com
Thu Mar 26 18:07:21 GMT 2026 

On Thu, Mar 26, 2026 at 3:35 AM Philipp Klaus Krause <pkk at spth.de> wrote:
>
> Package: libssl3t64
> Version: 3.6.0-2
> Severity: normal
> X-Debbugs-Cc: debian-powerpc at lists.debian.org, pkk at spth.de
> User: debian-powerpc at lists.debian.org
> Usertags: ppc64
>
> Dear Maintainer,
>
> about a week ago, I upgraded libssl3t64 on my ppc64 system to 3.6.1-3. This resulted in failures (see below). After downgrading to 3.6.0-2, the failures disappeared. An amd64 system on the same network was not affected (there 3.6.1 works).
>
> Failure example:
>
> philipp at nemesis:/tmp$ curl --verbose https://www.google.com
> * Host www.google.com:443 was resolved.
> * IPv6: 2001:4860:482d:7700::, 2001:4860:4829:7700::, 2001:4860:4827:7700::, 2001:4860:482c:7700::, 2001:4860:4828:7700::, 2001:4860:482a:7700::, 2001:4860:482b:7700::, 2001:4860:4826:7700::
> * IPv4: 142.251.156.119, 142.251.154.119, 142.251.152.119, 142.251.150.119, 142.251.155.119, 142.251.153.119, 142.251.157.119, 142.251.151.119
> *   Trying [2001:4860:482d:7700::]:443...
> * ALPN: curl offers h2,http/1.1
> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> * SSL Trust Anchors:
> *   CAfile: /etc/ssl/certs/ca-certificates.crt
> *   CApath: /etc/ssl/certs
> * TLSv1.3 (IN), TLS handshake, Server hello (2):
> * TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
> * TLSv1.3 (OUT), TLS alert, bad record mac (532):
> * TLS connect error: error:0A000119:SSL routines::decryption failed or bad record mac
> * closing connection #0
> curl: (35) TLS connect error: error:0A000119:SSL routines::decryption failed or bad record mac
>
> -- System Information:
> Debian Release: forky/sid
>   APT prefers unreleased
>   APT policy: (500, 'unreleased'), (500, 'unstable')
> Architecture: ppc64
>
> Kernel: Linux 6.19.8+deb14-powerpc64-64k (SMP w/176 CPU threads; PREEMPT)
> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages libssl3t64 depends on:
> ii  libc6                    2.42-13
> ii  libzstd1                 1.5.7+dfsg-3+b1
> ii  openssl-provider-legacy  3.6.1-3
> ii  zlib1g                   1:1.3.dfsg+really1.3.1-3
>
> libssl3t64 recommends no packages.
>
> libssl3t64 suggests no packages.
>
> -- no debconf information

Interesting... 3.6.1-3 looks Ok on ppc64 and ppc64el according to
<https://packages.debian.org/sid/libssl3t64>.

Out of morbid curiosity... Is there any particular reason you need
openssl-provider-legacy?  Is something holding you back from using the
modern version of OpenSSL?  Also see the OSSL_PROVIDER-LEGACY(7SSL)
man page, <https://manpages.debian.org/testing/openssl/OSSL_PROVIDER-legacy.7ssl.en.html>.

Jeff

More information about the Pkg-openssl-devel mailing list