Issue from forum: SSL: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac

Mark Moseley moseleymark at gmail.com
Wed Apr 30 00:20:43 UTC 2014


On Tue, Apr 29, 2014 at 4:36 PM, Lukas Tribus <luky-37 at hotmail.com> wrote:

> Hi Mark,
>
>
> > I'm running into a lot of the same error as was reported in the forum
> > at: http://mailman.nginx.org/pipermail/nginx-devel/2013-October/004385.html
> >
> >> SSL: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or
> >> bad record mac
> >
> > I've got an nginx server doing front-end SSL, with the upstream also
> > over SSL and also nginx (fronting Apache). They're all running 1.5.13
> > (all Precise 64-bit), so I can goof with various options like
> > ssl_buffer_size. These are running SSL-enabled web sites for my
> > customers.
> >
> > I'm curious if there is any workaround for this besides patching
> > openssl, as mentioned a couple of weeks ago
> > in http://trac.nginx.org/nginx/ticket/215
>
>
> A patch was committed to openssl [1] and backported to the openssl-1.0.1
> stable branch [2], meaning that the next openssl release (1.0.1h) will
> contain the fix.
>
> You can:
> - cherry-pick the fix and apply it on 1.0.1g
> - use the 1.0.1 stable git branch
> - ask your openssl package maintainer to backport the fix (it's security
>   relevant, see CVE-2010-5298 [3])
>
> The fix is already in OpenBSD [4], Debian and Ubuntu will probably ship the
> patch soon, also see [5] and [6].
>

Oh, cool, that's good news that it's upstream then. Getting the patch to
apply is a piece of cake. I was more worried about what would happen for
the next libssl update. Hopefully Ubuntu will pick that update up. Thanks!