[stunnel-users] SSL alert (write): fatal: bad record mac

Huy Vu huyvu_it at hotmail.com
Fri Oct 21 05:30:24 CEST 2005


Hi all,

I was tried stunnel 4.0.9 compiled with Openssl 0.9.7g on Redhat ES 3.0 and 
got the telnets sessions disconnected with error messages in stunnel.log as 
below:
SSL alert (write): fatal: bad record mac
SSL_read: 1408F455: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption 
failed or bad record mac

The same problem with stunnel 4.0.12 compiled with Openssl 0.9.8a
Tried to disable the option socket = a:SO_REUSEADDR=0 in stunne server 
configuration file but still not help.

Thanks in advance for any help:

Full stunnel.log:
--------------------
2005.10.21 04:07:33 LOG5[19485:1]: stunnel 4.12 on i686-pc-linux-gnu 
UCONTEXT+POLL+IPv4+LIBWRAP with OpenSSL 0.9.8a 11 Oct 2005
2005.10.21 04:07:33 LOG7[19485:1]: Snagged 64 random bytes from /dev/urandom
2005.10.21 04:07:33 LOG7[19485:1]: RAND_status claims sufficient entropy for 
the PRNG
2005.10.21 04:07:33 LOG6[19485:1]: PRNG seeded successfully
2005.10.21 04:07:33 LOG7[19485:1]: Certificate: 
/usr/local/stunnel/etc/stunnel/stunnel.pem
2005.10.21 04:07:33 LOG7[19485:1]: Key file: 
/usr/local/stunnel/etc/stunnel/stunnel.pem
2005.10.21 04:07:33 LOG6[19485:1]: file ulimit = 1024 (can be changed with 
'ulimit -n')
2005.10.21 04:07:33 LOG6[19485:1]: poll() used - no FD_SETSIZE limit for 
file descriptors
2005.10.21 04:07:33 LOG5[19485:1]: 500 clients allowed
2005.10.21 04:07:33 LOG7[19485:1]: FD 4 in non-blocking mode
2005.10.21 04:07:33 LOG7[19485:1]: FD 5 in non-blocking mode
2005.10.21 04:07:33 LOG7[19485:1]: FD 6 in non-blocking mode
2005.10.21 04:07:33 LOG7[19485:1]: SO_REUSEADDR option set on accept socket
2005.10.21 04:07:33 LOG7[19485:1]: telnets bound to 192.168.34.35:992
2005.10.21 04:07:33 LOG7[19486:1]: Created pid file /stunnel.pid
2005.10.21 04:07:33 LOG5[19487:1]: stunnel 4.12 on i686-pc-linux-gnu 
UCONTEXT+POLL+IPv4+LIBWRAP with OpenSSL 0.9.8a 11 Oct 2005
2005.10.21 04:07:33 LOG7[19487:1]: Snagged 64 random bytes from /dev/urandom
2005.10.21 04:07:33 LOG7[19487:1]: RAND_status claims sufficient entropy for 
the PRNG
2005.10.21 04:07:33 LOG6[19487:1]: PRNG seeded successfully
2005.10.21 04:07:33 LOG6[19487:1]: file ulimit = 1024 (can be changed with 
'ulimit -n')
2005.10.21 04:07:33 LOG6[19487:1]: poll() used - no FD_SETSIZE limit for 
file descriptors
2005.10.21 04:07:33 LOG5[19487:1]: 500 clients allowed
2005.10.21 04:07:33 LOG7[19487:1]: FD 4 in non-blocking mode
2005.10.21 04:07:33 LOG7[19487:1]: FD 5 in non-blocking mode
2005.10.21 04:07:33 LOG7[19487:1]: FD 6 in non-blocking mode
2005.10.21 04:07:33 LOG7[19487:1]: SO_REUSEADDR option set on accept socket
2005.10.21 04:07:33 LOG7[19487:1]: soap bound to 127.0.0.1:44300
2005.10.21 04:07:33 LOG7[19488:1]: Created pid file /stunnel.pid
2005.10.21 04:09:30 LOG7[19486:1]: telnets accepted FD=7 from 
65.94.188.47:60677
2005.10.21 04:09:30 LOG7[19486:1]: Creating a new context
2005.10.21 04:09:30 LOG7[19486:1]: Context 2 created
2005.10.21 04:09:30 LOG7[19486:2]: Context swap: 1 -> 2
2005.10.21 04:09:30 LOG7[19486:2]: telnets started
2005.10.21 04:09:30 LOG7[19486:2]: FD 7 in non-blocking mode
2005.10.21 04:09:30 LOG7[19486:2]: TCP_NODELAY option set on local socket
2005.10.21 04:09:30 LOG5[19486:2]: telnets connected from 65.94.188.47:60677
2005.10.21 04:09:30 LOG7[19486:2]: SSL state (accept): before/accept 
initialization
2005.10.21 04:09:30 LOG7[19486:2]: SSL state (accept): SSLv3 read client 
hello A
2005.10.21 04:09:30 LOG7[19486:2]: SSL state (accept): SSLv3 write server 
hello A
2005.10.21 04:09:30 LOG7[19486:2]: SSL state (accept): SSLv3 write 
certificate A
2005.10.21 04:09:30 LOG7[19486:2]: SSL state (accept): SSLv3 write server 
done A
2005.10.21 04:09:30 LOG7[19486:2]: SSL state (accept): SSLv3 flush data
2005.10.21 04:09:30 LOG7[19486:2]: SSL state (accept): SSLv3 read client key 
exchange A
2005.10.21 04:09:30 LOG7[19486:2]: SSL state (accept): SSLv3 read finished A
2005.10.21 04:09:30 LOG7[19486:2]: SSL state (accept): SSLv3 write change 
cipher spec A
2005.10.21 04:09:30 LOG7[19486:2]: SSL state (accept): SSLv3 write finished 
A
2005.10.21 04:09:30 LOG7[19486:2]: SSL state (accept): SSLv3 flush data
2005.10.21 04:09:30 LOG7[19486:2]:    1 items in the session cache
2005.10.21 04:09:30 LOG7[19486:2]:    0 client connects (SSL_connect())
2005.10.21 04:09:30 LOG7[19486:2]:    0 client connects that finished
2005.10.21 04:09:30 LOG7[19486:2]:    0 client renegotiatations requested
2005.10.21 04:09:30 LOG7[19486:2]:    1 server connects (SSL_accept())
2005.10.21 04:09:30 LOG7[19486:2]:    1 server connects that finished
2005.10.21 04:09:30 LOG7[19486:2]:    0 server renegotiatiations requested
2005.10.21 04:09:30 LOG7[19486:2]:    0 session cache hits
2005.10.21 04:09:30 LOG7[19486:2]:    0 session cache misses
2005.10.21 04:09:30 LOG7[19486:2]:    0 session cache timeouts
2005.10.21 04:09:30 LOG6[19486:2]: SSL accepted: new session negotiated
2005.10.21 04:09:30 LOG6[19486:2]: Negotiated ciphers: RC4-MD5               
   SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
2005.10.21 04:09:30 LOG7[19486:2]: FD 8 in non-blocking mode
2005.10.21 04:09:30 LOG7[19486:2]: telnets connecting 127.0.0.1:23
2005.10.21 04:09:30 LOG7[19486:2]: connect_wait: waiting 10 seconds
2005.10.21 04:09:30 LOG7[19486:2]: connect_wait: connected
2005.10.21 04:09:30 LOG7[19486:2]: Remote FD=8 initialized
2005.10.21 04:09:30 LOG7[19486:2]: TCP_NODELAY option set on remote socket
2005.10.21 04:09:31 LOG7[19488:1]: soap accepted FD=7 from 127.0.0.1:37120
2005.10.21 04:09:31 LOG7[19488:1]: Creating a new context
2005.10.21 04:09:31 LOG7[19488:1]: Context 2 created
2005.10.21 04:09:31 LOG7[19488:2]: Context swap: 1 -> 2
2005.10.21 04:09:31 LOG7[19488:2]: soap started
2005.10.21 04:09:31 LOG7[19488:2]: FD 7 in non-blocking mode
2005.10.21 04:09:31 LOG7[19488:2]: TCP_NODELAY option set on local socket
2005.10.21 04:09:31 LOG5[19488:2]: soap connected from 127.0.0.1:37120
2005.10.21 04:09:31 LOG7[19488:2]: FD 8 in non-blocking mode
2005.10.21 04:09:31 LOG7[19488:2]: soap connecting 199.84.230.35:443
2005.10.21 04:09:31 LOG7[19488:2]: connect_wait: waiting 10 seconds
2005.10.21 04:09:31 LOG7[19488:2]: connect_wait: connected
2005.10.21 04:09:31 LOG7[19488:2]: Remote FD=8 initialized
2005.10.21 04:09:31 LOG7[19488:2]: TCP_NODELAY option set on remote socket
2005.10.21 04:09:31 LOG7[19488:2]: SSL state (connect): before/connect 
initialization
2005.10.21 04:09:31 LOG7[19488:2]: SSL state (connect): SSLv3 write client 
hello A
2005.10.21 04:09:31 LOG7[19488:2]: SSL state (connect): SSLv3 read server 
hello A
2005.10.21 04:09:31 LOG7[19488:2]: SSL state (connect): SSLv3 read server 
certificate A
2005.10.21 04:09:31 LOG7[19488:2]: SSL state (connect): SSLv3 read server 
key exchange A
2005.10.21 04:09:31 LOG7[19488:2]: SSL state (connect): SSLv3 read server 
done A
2005.10.21 04:09:31 LOG7[19488:2]: SSL state (connect): SSLv3 write client 
key exchange A
2005.10.21 04:09:31 LOG7[19488:2]: SSL state (connect): SSLv3 write change 
cipher spec A
2005.10.21 04:09:31 LOG7[19488:2]: SSL state (connect): SSLv3 write finished 
A
2005.10.21 04:09:31 LOG7[19488:2]: SSL state (connect): SSLv3 flush data
2005.10.21 04:09:31 LOG7[19488:2]: SSL state (connect): SSLv3 read finished 
A
2005.10.21 04:09:31 LOG7[19488:2]:    1 items in the session cache
2005.10.21 04:09:31 LOG7[19488:2]:    1 client connects (SSL_connect())
2005.10.21 04:09:31 LOG7[19488:2]:    1 client connects that finished
2005.10.21 04:09:31 LOG7[19488:2]:    0 client renegotiatations requested
2005.10.21 04:09:31 LOG7[19488:2]:    0 server connects (SSL_accept())
2005.10.21 04:09:31 LOG7[19488:2]:    0 server connects that finished
2005.10.21 04:09:31 LOG7[19488:2]:    0 server renegotiatiations requested
2005.10.21 04:09:31 LOG7[19488:2]:    0 session cache hits
2005.10.21 04:09:31 LOG7[19488:2]:    0 session cache misses
2005.10.21 04:09:31 LOG7[19488:2]:    0 session cache timeouts
2005.10.21 04:09:31 LOG6[19488:2]: SSL connected: new session negotiated
2005.10.21 04:09:31 LOG6[19488:2]: Negotiated ciphers: DHE-RSA-AES256-SHA    
   SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
2005.10.21 04:09:31 LOG7[19488:2]: SSL_read returned WANT_READ: retrying
2005.10.21 04:09:31 LOG7[19488:2]: SSL_read returned WANT_READ: retrying
2005.10.21 04:09:31 LOG7[19488:2]: SSL alert (read): warning: close notify
2005.10.21 04:09:31 LOG7[19488:2]: SSL closed on SSL_read
2005.10.21 04:09:31 LOG7[19488:2]: Socket write shutdown
2005.10.21 04:09:31 LOG7[19488:2]: SSL write shutdown
2005.10.21 04:09:31 LOG7[19488:2]: SSL alert (write): warning: close notify
2005.10.21 04:09:31 LOG6[19488:2]: SSL_shutdown successfully sent 
close_notify
2005.10.21 04:09:31 LOG7[19488:2]: Socket closed on read
2005.10.21 04:09:31 LOG5[19488:2]: Connection closed: 818 bytes sent to SSL, 
4558 bytes sent to socket
2005.10.21 04:09:31 LOG7[19488:2]: soap finished (0 left)
2005.10.21 04:09:31 LOG5[19488:2]: stack_info: size=65536, current=9560 
(14%), maximum=9560 (14%)
2005.10.21 04:09:31 LOG7[19488:2]: Context 2 closed
2005.10.21 04:09:45 LOG7[19486:2]: SSL alert (write): fatal: bad record mac
2005.10.21 04:09:45 LOG3[19486:2]: SSL_read: 1408F455: error:1408F455:SSL 
routines:SSL3_GET_RECORD:decryption failed or bad record mac
2005.10.21 04:09:45 LOG5[19486:2]: Connection reset: 4313 bytes sent to SSL, 
232 bytes sent to socket
2005.10.21 04:09:45 LOG7[19486:2]: telnets finished (0 left)
2005.10.21 04:09:45 LOG5[19486:2]: stack_info: size=65536, current=9560 
(14%), maximum=9560 (14%)
2005.10.21 04:09:45 LOG7[19486:2]: Context 2 closed

_________________________________________________________________
Take advantage of powerful junk e-mail filters built on patented Microsoft® 
SmartScreen Technology. 
http://join.msn.com/?pgmarket=en-ca&page=byoa/prem&xAPID=1994&DI=1034&SU=http://hotmail.com/enca&HL=Market_MSNIS_Taglines 
  Start enjoying all the benefits of MSN® Premium right now and get the 
first two months FREE*.




More information about the stunnel-users mailing list