
Bad Record MAC ???


Teo C G

Dec 22, 2003, 6:29:20 AM

My web application is deployed in Weblogic 7. When my application tries to establish
an HTTPS call to another server (IBM HTTP Server/Websphere 3.5.3), the application
log shows 'BAD_RECORD_MAC'.

Logs from the IBM HTTP Server show 'mod_ibm_ssl: SSL Handshake Failed, I/O error
during handshake.'

What could be the problem?

Below are the details obtained from -Dssl.debug:

Dec 22, 2003 4:17:53 PM SGT Debug TLS Weblogic license allows domestic
Dec 22, 2003 4:17:54 PM SGT Debug TLS clientInfo settings applied
Dec 22, 2003 4:17:54 PM SGT Debug TLS Filtering JSSE SSLSocket
Dec 22, 2003 4:17:54 PM SGT Debug TLS SSLIOContextTable.addContext(ctx): 3331057
Dec 22, 2003 4:17:54 PM SGT Debug TLS SSLSocket will be Muxing
Dec 22, 2003 4:17:54 PM SGT Debug TLS SSLIOContextTable.findContext(is): 7905855
Dec 22, 2003 4:17:54 PM SGT Debug TLS write SSL_20_RECORD
Dec 22, 2003 4:17:54 PM SGT Debug TLS SSLFilter.isActivated: false
Dec 22, 2003 4:17:54 PM SGT Debug TLS isMuxerActivated: false
Dec 22, 2003 4:17:54 PM SGT Debug TLS SSLFilter.isActivated: false
Dec 22, 2003 4:17:54 PM SGT Debug TLS 804797 readRecord()
Dec 22, 2003 4:17:54 PM SGT Debug TLS 804797 received HANDSHAKE
Dec 22, 2003 4:17:54 PM SGT Debug TLS HANDSHAKEMESSAGE: ServerHello
Dec 22, 2003 4:17:54 PM SGT Debug TLS HANDSHAKEMESSAGE: Certificate
Dec 22, 2003 4:17:54 PM SGT Debug TLS performing hostname validation checks: s01secsvr
Dec 22, 2003 4:17:54 PM SGT Debug TLS validationCallback: validateErr = 0
Dec 22, 2003 4:17:54 PM SGT Debug TLS cert[0] = [
[
Version: V3
Subject: CN=s01secsvr, O=DBS, C=SG
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

Key: com.sun.rsajca.JSA_RSAPublicKey@39cd2a
Validity: [From: Wed Dec 10 11:31:32 SGT 2003,
To: Fri Dec 10 11:31:32 SGT 2004]
Issuer: CN=s01secsvr, O=DBS, C=SG
SerialNumber: [ 3fd7e514 ]

]
Algorithm: [MD5withRSA]
Signature:

]

Dec 22, 2003 4:17:54 PM SGT Debug TLS SSLTrustValidator returns: 0
Dec 22, 2003 4:17:54 PM SGT Debug TLS Trust status (0): NONE
Dec 22, 2003 4:17:54 PM SGT Debug TLS HANDSHAKEMESSAGE: ServerHelloDone
Dec 22, 2003 4:17:54 PM SGT Debug TLS write HANDSHAKE offset = 0 length = 132
Dec 22, 2003 4:17:54 PM SGT Debug TLS write CHANGE_CIPHER_SPEC offset = 0 length = 1
Dec 22, 2003 4:17:54 PM SGT Debug TLS write HANDSHAKE offset = 0 length = 40
Dec 22, 2003 4:17:54 PM SGT Debug TLS SSLFilter.isActivated: false
Dec 22, 2003 4:17:54 PM SGT Debug TLS isMuxerActivated: false
Dec 22, 2003 4:17:54 PM SGT Debug TLS SSLFilter.isActivated: false
Dec 22, 2003 4:17:54 PM SGT Debug TLS 804797 readRecord()
Dec 22, 2003 4:17:54 PM SGT Debug TLS 804797 received CHANGE_CIPHER_SPEC
Dec 22, 2003 4:17:54 PM SGT Debug TLS SSLFilter.isActivated: false
Dec 22, 2003 4:17:54 PM SGT Debug TLS isMuxerActivated: false
Dec 22, 2003 4:17:54 PM SGT Debug TLS SSLFilter.isActivated: false
Dec 22, 2003 4:17:54 PM SGT Debug TLS 804797 readRecord()
Dec 22, 2003 4:17:54 PM SGT Debug TLS NEW ALERT: com.certicom.tls.record.alert.Alert@4c85e6 Severity: 2 Type: 20

java.lang.Exception: Stack trace
at weblogic.security.utils.SSLSetup.debug(SSLSetup.java:237)
at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
at com.certicom.tls.record.WriteHandler.write(Unknown Source)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:67)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:125)
at java.io.FilterOutputStream.flush(FilterOutputStream.java:121)
at weblogic.net.http.HttpURLConnection.writeRequests(HttpURLConnection.java:97)
at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:284)
at com.dbs.security.client.PluggableClientWLS.getToken(PluggableClientWLS.java)
at com.dbs.applications.air.generic.AIRSecurityManager.getAccessToken(AIRSecurityManager.java:79)
at com.dbs.applications.air.bam.UIController.processRequest(UIController.java:114)
at com.dbs.applications.air.bam.UIController.doGet(UIController.java:58)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.java:1058)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:401)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:306)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:5412)
at weblogic.security.service.SecurityServiceManager.runAs(SecurityServiceManager.java:744)
at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3086)
at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2544)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:153)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:134)
Dec 22, 2003 4:17:54 PM SGT Debug TLS write ALERT offset = 0 length = 2
Dec 22, 2003 4:17:54 PM SGT Debug TLS close(): 804797
Dec 22, 2003 4:17:54 PM SGT Debug TLS SSLIOContextTable.removeContext(ctx): 3331057


Pavel

Dec 29, 2003, 1:02:29 PM

Either the ciphertext got corrupted during the transfer (unlikely) or, more likely,
the MAC was computed differently by the different SSL implementations on the SSL
client and server sides. The latter case must be caused by a bug in either of the
SSL implementations. Also, a bug in the JCE provider could be responsible if you
were using an unsupported one on the WL server.

Pavel.
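
Added example, not part of the original thread and not WebLogic or IBM code: a sketch of the record MAC check that produces the alert seen in the trace ("Severity: 2 Type: 20", i.e. fatal bad_record_mac), showing that corruption in transit and a MAC computed with different inputs are indistinguishable to the receiver. It assumes TLS 1.0 with HMAC-SHA1 (the trace does not show the negotiated version or cipher suite), leaves out encryption, and uses constructed keys and a stand-in Finished message.

```python
import hashlib
import hmac
import struct

ALERT_FATAL = 2            # alert level "fatal" (the log's "Severity: 2")
ALERT_BAD_RECORD_MAC = 20  # alert description bad_record_mac (the log's "Type: 20")
HANDSHAKE = 22             # record content type that carries the Finished message
TLS10 = (3, 1)             # assumed protocol version; the page does not state it


def record_mac(mac_key, seq_num, content_type, version, fragment):
    """TLS 1.0 record MAC (RFC 2246, section 6.2.3.1), here with HMAC-SHA1."""
    header = struct.pack("!QBBBH", seq_num, content_type,
                         version[0], version[1], len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha1).digest()


def protect(mac_key, seq_num, content_type, fragment):
    """Sender side: append the MAC to the fragment (encryption omitted)."""
    return fragment + record_mac(mac_key, seq_num, content_type, TLS10, fragment)


def check(mac_key, seq_num, content_type, protected):
    """Receiver side: None if the MAC verifies, else the fatal alert to send."""
    fragment, received = protected[:-20], protected[-20:]
    expected = record_mac(mac_key, seq_num, content_type, TLS10, fragment)
    if hmac.compare_digest(expected, received):
        return None
    return (ALERT_FATAL, ALERT_BAD_RECORD_MAC)


# Constructed sample values, not taken from the page.
SERVER_KEY = bytes(range(20))                  # MAC key as the server derived it
CLIENT_KEY_OK = bytes(range(20))               # client derived the same key
CLIENT_KEY_BAD = bytes(range(1, 21))           # client derived a different key
FINISHED = b"\x14\x00\x00\x0c" + b"\xaa" * 12  # stand-in Finished message


def scenarios():
    wire = protect(SERVER_KEY, 0, HANDSHAKE, FINISHED)
    flipped = bytes([wire[0] ^ 0x01]) + wire[1:]  # one bit changed in transit
    return {
        "keys agree": check(CLIENT_KEY_OK, 0, HANDSHAKE, wire),
        "corrupted in transit": check(CLIENT_KEY_OK, 0, HANDSHAKE, flipped),
        "keys differ": check(CLIENT_KEY_BAD, 0, HANDSHAKE, wire),
        "sequence numbers differ": check(CLIENT_KEY_OK, 1, HANDSHAKE, wire),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:24} -> {result}")
```

Every failing case returns the same alert, which is why the receiving side's log alone cannot say whether the bytes changed on the wire or the two peers disagreed on keys or MAC inputs.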
