Issue from forum: SSL: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac

Lukas Tribus luky-37 at hotmail.com
Tue Apr 29 23:36:10 UTC 2014


Hi Mark,


> I'm running into a lot of the same error as was reported in the forum
> at: http://mailman.nginx.org/pipermail/nginx-devel/2013-October/004385.html
>
>> SSL: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or
>> bad record mac
>
> I've got an nginx server doing front-end SSL, with the upstream also
> over SSL and also nginx (fronting Apache). They're all running 1.5.13
> (all Precise 64-bit), so I can goof with various options like
> ssl_buffer_size. These are running SSL-enabled web sites for my
> customers.
>
> I'm curious if there is any workaround for this besides patching
> openssl, as mentioned a couple of weeks ago
> in http://trac.nginx.org/nginx/ticket/215


A patch was committed to openssl [1] and backported to the openssl-1.0.1
stable branch [2], meaning that the next openssl release (1.0.1h) will
contain the fix.

You can:
- cherry-pick the fix and apply it on 1.0.1g
- use the 1.0.1 stable git branch
- ask your openssl package maintainer to backport the fix (it's security
  relevant, see CVE-2010-5298 [3])

The fix is already in OpenBSD [4]; Debian and Ubuntu will probably ship the
patch soon, also see [5] and [6].




Regards,

Lukas


[1] http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=94d1f4b0f3d262edf1cf7023a01d5404945035d5
[2] http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=725c5f1ad393a7bc344348d0ec7c268aaf2700a7
[3] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5298
[4] http://ftp.openbsd.org/pub/OpenBSD/patches/5.4/common/008_openssl.patch
[5] https://www.debian.org/security/2014/dsa-2908
[6] http://people.canonical.com/~ubuntu-security/cve/2010/CVE-2010-5298.html
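As an added example (not part of Lukas's reply, nor code from nginx or OpenSSL), a POSIX shell check that combines the two signals a practitioner has after this thread: the upstream version string, where 1.0.1h is the first release carrying the fix, and the distribution package changelog, since a backported package (or a cherry-picked commit) keeps its old version number. The changelog path and the sample inputs are assumptions and constructed data.

```shell
#!/bin/sh
# Added example, not code from the thread, nginx or OpenSSL: classify an OpenSSL build
# for CVE-2010-5298 from two signals a practitioner actually has after this thread.
#   1. "openssl version": 1.0.1h is the first upstream release carrying the fix, so
#      plain 1.0.1 through 1.0.1g are vulnerable on version alone.
#   2. A distro package changelog (assumed path for Debian/Ubuntu:
#      /usr/share/doc/libssl1.0.0/changelog.Debian.gz) naming the CVE, because a
#      backported fix, like a cherry-picked upstream commit, leaves the version unchanged.

# Map an "openssl version" line to fixed / vulnerable / unknown (only the 1.0.1 branch
# discussed in the thread is classified; other branches are reported as unknown).
openssl_version_status() {
    v=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9.]*[a-z]*\).*/\1/p')
    case "$v" in
        1.0.1|1.0.1[a-g]) echo vulnerable ;;
        1.0.1[h-z])       echo fixed ;;
        *)                echo unknown ;;
    esac
}

# Does the package changelog text ($1) name the CVE? Prints yes or no.
changelog_mentions_cve() {
    if printf '%s\n' "$1" | grep -q 'CVE-2010-5298'; then echo yes; else echo no; fi
}

# Combined verdict: a version that looks vulnerable but whose changelog names the CVE is
# reported as "backported" rather than raising a false alarm.
cve_2010_5298_status() {
    status=$(openssl_version_status "$1")
    if [ "$status" = vulnerable ] && [ "$(changelog_mentions_cve "$2")" = yes ]; then
        echo backported
    else
        echo "$status"
    fi
}

# Constructed sample inputs (not captured from a real system):
SAMPLE_VERSION='OpenSSL 1.0.1g 7 Apr 2014'
SAMPLE_CHANGELOG='openssl (1.0.1e-0+example1) example-security; urgency=high

  * Backport fix for CVE-2010-5298 (race condition in ssl3_read_bytes)'

# On a live host, replace the samples with:
#   cve_2010_5298_status "$(openssl version)" \
#       "$(zcat /usr/share/doc/libssl1.0.0/changelog.Debian.gz 2>/dev/null)"
echo "sample host: $(cve_2010_5298_status "$SAMPLE_VERSION" "$SAMPLE_CHANGELOG")"   # backported
```

A "fixed" or "backported" verdict still only says the package claims the fix; the definitive check remains that the nginx error log stops showing the bad record mac failures after the upgrade.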
