<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Tue, Apr 29, 2014 at 4:36 PM, Lukas Tribus <span dir="ltr"><<a href="mailto:luky-37@hotmail.com" target="_blank">luky-37@hotmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Mark,<br>
<div class=""><br>
<br>
> I'm running into a lot of the same error as was reported in the forum<br>
> at: <a href="http://mailman.nginx.org/pipermail/nginx-devel/2013-October/004385.html" target="_blank">http://mailman.nginx.org/pipermail/nginx-devel/2013-October/004385.html</a><br>
><br>
>> SSL: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or<br>
> bad record mac<br>
><br>
> I've got an nginx server doing front-end SSL, with the upstream also<br>
> over SSL and also nginx (fronting Apache). They're all running 1.5.13<br>
> (all Precise 64-bit), so I can goof with various options like<br>
> ssl_buffer_size. These are running SSL-enabled web sites for my<br>
> customers.<br>
><br>
> I'm curious if there is any workaround for this besides patching<br>
> openssl, as mentioned a couple of weeks ago<br>
> in <a href="http://trac.nginx.org/nginx/ticket/215" target="_blank">http://trac.nginx.org/nginx/ticket/215</a><br>
<br>
<br>
</div>A patch was committed to openssl [1] and backported to the openssl-1.0.1<br>
stable branch [2], meaning that the next openssl release (1.0.1h) will<br>
contain the fix.<br>
<br>
You can:<br>
- cherry-pick the fix and apply it on 1.0.1g<br>
- use the 1.0.1 stable git branch<br>
- asking your openssl package maintainer to backport the fix (its security<br>
relevant, see CVE-2010-5298 [3])<br>
<br>
The fix is already in OpenBSD [4], Debian and Ubuntu will probably ship the<br>
patch soon, also see [5] and [6].<br>
<br><br></blockquote><div>Oh, cool, that's good news that it's upstream then. Getting the patch to apply is a piece of cake. I was more worried about what would happen for the next libssl update. Hopefully Ubuntu will pick that update up. Thanks!</div>
</div></div></div>