ERR_SSL_BAD_RECORD_MAC_ALERT when trying to reuse SSL session

Maxim Dounin mdounin at mdounin.ru
Mon Mar 19 15:35:12 UTC 2018


Hello!

On Mon, Mar 19, 2018 at 03:04:14PM +0100, Abilio Marques wrote:

> After working a bit more on the issue, I also found that:
> 
>    - Using a new pair of key/certificate makes the problem not show
>    anymore. So, some files will make it fail, some files make it work. The
>    files are of different length, so it seems to be correlated to that.
>    - Using LD_PRELOAD with an "empty" (as in no C code) so file makes the
>    problem disappear. I discovered this while trying to hook the calls to
>    OpenSSL, just to discover that even if I removed all my code, the problem
>    would go away.
> 
> 
> As there are at least 3 different ways to make it disappear, it looks to me
> that it is not directly related to SSL session, but to something completely
> different. I cannot run valgrind on the MIPS hardware (not enough RAM), and
> I've been trying to reproduce it on QEMU, to no avail.
> 
> Any ideas on how to proceed? Do you think Valgrind will help at all? Any
> other insights?

As previously suggested, first of all you may want to check your 
build, see here:

http://mailman.nginx.org/pipermail/nginx/2018-March/055829.html

Check "nginx -V" output.  If it contains something like 
"crossbuild", then recompile nginx yourself, without any 3rd party 
patches, ideally - on the host itself (a virtual machine with the 
same OS will be ok too), and check if the problem persists.

Also, it might be a good idea to play with different OpenSSL 
versions (including compiling them statically into nginx using the 
"--with-openssl" configure option) and different compilers.

-- 
Maxim Dounin
http://mdounin.ru/
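
The build check suggested in the reply above, as an added example that is not part of the original message or of nginx itself: a POSIX shell function that reads "nginx -V" output and reports a crossbuild, third-party modules, a statically linked OpenSSL, and a build/run-time OpenSSL mismatch. The function name, the finding labels and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. SAMPLE_V is constructed "nginx -V" output, not taken from the thread.
SAMPLE_V='nginx version: nginx/1.13.9
built by gcc 5.4.0 (constructed sample)
built with OpenSSL 1.0.2g  1 Mar 2016 (running with OpenSSL 1.0.2n  7 Dec 2017)
TLS SNI support enabled
configure arguments: --crossbuild=Linux::mips --with-http_ssl_module --add-module=/build/third-party-mod'

# check_nginx_build TEXT
# Prints one finding per line; returns 2 if TEXT has no "configure arguments:" line.
# On a real host: check_nginx_build "$(nginx -V 2>&1)"   (nginx -V writes to stderr)
check_nginx_build() {
    text=$1
    args=$(printf '%s\n' "$text" | sed -n 's/^configure arguments: *//p')
    if [ -z "$args" ]; then
        echo "no-configure-arguments"
        return 2
    fi

    set -f    # no glob expansion while the argument string is word-split
    for arg in $args; do
        case "$arg" in
            # The reply says to rebuild on the host if this shows up.
            --crossbuild*) echo "crossbuild" ;;
            # Third-party modules are visible here; source patches are not.
            --add-module=*|--add-dynamic-module=*)
                echo "third-party-module ${arg#*=}" ;;
            # OpenSSL compiled into the binary from this source tree.
            --with-openssl=*) echo "openssl-static ${arg#*=}" ;;
        esac
    done
    set +f

    # nginx appends "(running with ...)" only when the loaded library differs
    # from the one it was compiled against.
    if printf '%s\n' "$text" | grep -q '^built with OpenSSL .*(running with '; then
        echo "openssl-runtime-differs"
    fi
    return 0
}

check_nginx_build "$SAMPLE_V"
```

An empty result means none of these traits appear in the output; it does not show whether the source tree was patched before the build.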

