ERR_SSL_BAD_RECORD_MAC_ALERT when trying to reuse SSL session
Maxim Dounin
mdounin at mdounin.ru
Mon Mar 19 15:35:12 UTC 2018
Hello!
On Mon, Mar 19, 2018 at 03:04:14PM +0100, Abilio Marques wrote:
> After working a bit more on the issue, I also found that:
>
> - Using a new pair of key/certificate makes the problem not show
> anymore. So, some files will make it fail, some files make it work. The
> files are of different length, so it seems to be correlated to that.
> - Using LD_PRELOAD with an "empty" (as in no C code) so file makes the
> problem disappear. I discovered this while trying to hook the calls to
> OpenSSL, just to discover that even if I removed all my code, the problem
> would go away.
>
>
> As there are at least 3 different ways to make it disappear, it looks to me
> that it is not directly related to SSL session, but to something completely
> different. I cannot run valgrind on the MIPS hardware (not enough RAM), and
> I've been trying to reproduce it on QEMU, to no avail.
>
> Any ideas on how to proceed? Do you think Valgrind will help at all? Any
> other insights?
As previously suggested, first of all you may want to check your
build, see here:

http://mailman.nginx.org/pipermail/nginx/2018-March/055829.html

Check "nginx -V" output. If it contains something like
"crossbuild", then recompile nginx yourself, without any 3rd party
patches, ideally - on the host itself (a virtual machine with the
same OS will be ok too), and check if the problem persists.

Also, it might be a good idea to play with different OpenSSL
versions (including compiling them statically into nginx using the
"--with-openssl" configure option) and different compilers.
--
Maxim Dounin
http://mdounin.ru/
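
The build check suggested in the reply above, as an added shell example that is not part of the original message or of nginx. The function name `audit_nginx_build` and the sample `nginx -V` text are constructed for illustration; the check relies on nginx printing "(running with OpenSSL ...)" when the runtime library differs from the one it was built against.

```shell
#!/bin/sh
# Constructed sample of `nginx -V` output (not taken from the thread).
SAMPLE_NGINX_V='nginx version: nginx/1.12.2
built by gcc 5.4.0 (constructed sample)
built with OpenSSL 1.0.2n  7 Dec 2017 (running with OpenSSL 1.0.2o  27 Mar 2018)
TLS SNI support enabled
configure arguments: --crossbuild=Linux::mips --prefix=/usr --with-http_ssl_module'

# audit_nginx_build TEXT  (hypothetical helper)
# Prints one finding per line; returns 1 if the build should be redone.
audit_nginx_build() {
    text=$1
    status=0
    args=$(printf '%s\n' "$text" | sed -n 's/^configure arguments: //p')
    built=$(printf '%s\n' "$text" | sed -n 's/^built with \(OpenSSL [^ ]*\).*/\1/p')
    running=$(printf '%s\n' "$text" | sed -n 's/.*(running with \(OpenSSL [^ ]*\).*/\1/p')

    # Cross-compiled binary: the reply asks for a native rebuild.
    case " $args " in
        *" --crossbuild"*)
            echo "CROSSBUILD: recompile on the host or a VM with the same OS"
            status=1 ;;
    esac

    # Headers at build time and library at run time disagree.
    if [ -n "$running" ] && [ "$built" != "$running" ]; then
        echo "OPENSSL_MISMATCH: built $built, running $running"
        status=1
    fi

    # Informational: OpenSSL compiled statically into nginx.
    case " $args " in
        *" --with-openssl="*)
            echo "STATIC_OPENSSL: OpenSSL sources compiled into nginx" ;;
    esac
    return $status
}

# nginx -V writes to stderr, so on a real host use:
#   audit_nginx_build "$(nginx -V 2>&1)"
audit_nginx_build "$SAMPLE_NGINX_V" || true
```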