Bug#678353: openssl: Similar error here; upstream report available

Benjamin Eikel

Feb 25, 2013, 11:40:03 AM
Package: openssl
Version: 1.0.1e-1
Followup-For: Bug #678353

Hello,

I suffer from a similar problem. When I use openssl s_client (for example to
connect to a mail server), the connection dies with the following error
message after issuing the first command:
140551174117032:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:484:

I am quite sure that this is related to the upstream discussion at
http://www.mail-archive.com/opens...@openssl.org/msg32009.html

It seems to occur only on machines with AES-NI support (which my machine is).

Kind regards
Benjamin

-- System Information:
Debian Release: 7.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (101, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssl depends on:
ii libc6 2.17-0experimental2
ii libssl1.0.0 1.0.1e-1
ii zlib1g 1:1.2.7.dfsg-13

openssl recommends no packages.

Versions of packages openssl suggests:
ii ca-certificates 20130119

-- no debconf information



Kurt Roeckx

Feb 25, 2013, 12:40:01 PM
On Mon, Feb 25, 2013 at 05:31:41PM +0100, Benjamin Eikel wrote:
> Package: openssl
> Version: 1.0.1e-1
> Followup-For: Bug #678353
>
> Hello,
>
> I suffer from a similar problem. When I use openssl s_client (for example to
> connect to a mail server), the connection dies with the following error
> message after issuing the first command:
> 140551174117032:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:484:
>
> I am quite sure that this is related to the upstream discussion at
> http://www.mail-archive.com/opens...@openssl.org/msg32009.html

That issue only affected 1.0.1d which was never uploaded to
Debian. I've waited for the 1.0.1e version because of that.

> It seems to occur only on machines with AES-NI support (which my machine is).

I'm not seeing any issues, and I have aesni support myself.

Is this a public mail server we can connect to, to try and debug?


Kurt

Benjamin Eikel

Feb 26, 2013, 3:30:02 AM
Hello,

On Monday, 25 February 2013, 18:35:18, Kurt Roeckx wrote:
> On Mon, Feb 25, 2013 at 05:31:41PM +0100, Benjamin Eikel wrote:
> > Package: openssl
> > Version: 1.0.1e-1
> > Followup-For: Bug #678353
> >
> > Hello,
> >
> > I suffer from a similar problem. When I use openssl s_client (for example
> > to connect to a mail server), the connection dies with the following
> > error message after issuing the first command:
> > 140551174117032:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption
> > failed or bad record mac:s3_pkt.c:484:
> >
> > I am quite sure that this is related to the upstream discussion at
> > http://www.mail-archive.com/opens...@openssl.org/msg32009.html
>
> That issue only affected 1.0.1d which was never uploaded to
> Debian. I've waited for the 1.0.1e version because of that.

shall I open a new bug report?

>
> > It seems to occur only on machines with AES-NI support (which my machine
> > is).
>
> I'm not seeing any issues, and I have aesni support myself.
>
> Is this a public mail server we can connect to, to try and debug?

Yes, it is. I used the following command:
openssl s_client -connect mail.uni-paderborn.de:465

Kind regards
Benjamin

Kurt Roeckx

Feb 26, 2013, 12:30:01 PM
On Tue, Feb 26, 2013 at 09:14:59AM +0100, Benjamin Eikel wrote:
> Hello,
>
> On Monday, 25 February 2013, 18:35:18, Kurt Roeckx wrote:
> > On Mon, Feb 25, 2013 at 05:31:41PM +0100, Benjamin Eikel wrote:
> > > Package: openssl
> > > Version: 1.0.1e-1
> > > Followup-For: Bug #678353
> > >
> > > Hello,
> > >
> > > I suffer from a similar problem. When I use openssl s_client (for example
> > > to connect to a mail server), the connection dies with the following
> > > error message after issuing the first command:
> > > 140551174117032:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption
> > > failed or bad record mac:s3_pkt.c:484:
> > >
> > > I am quite sure that this is related to the upstream discussion at
> > > http://www.mail-archive.com/opens...@openssl.org/msg32009.html
> >
> > That issue only affected 1.0.1d which was never uploaded to
> > Debian. I've waited for the 1.0.1e version because of that.
>
> shall I open a new bug report?

Do you want to report it with upstream? Just send a mail to
r...@openssl.org


> > > It seems to occur only on machines with AES-NI support (which my machine
> > > is).
> >
> > I'm not seeing any issues, and I have aesni support myself.
> >
> > Is this a public mail server we can connect to, to try and debug?
>
> Yes, it is. I used the following command:
> openssl s_client -connect mail.uni-paderborn.de:465

That works for me ...


Kurt

Benjamin Eikel

Feb 27, 2013, 1:20:02 PM
Hello Kurt,

On Tuesday, 26 February 2013, 18:17:16, you wrote:
the connection works for me, too. It dies when issuing the first command (e.g.
EHLO test). Does the additional command work for you, too? Do you test on a
machine with AES-NI support?
The output is attached to this mail. Can I somehow produce more debugging
output? /usr/bin/openssl is built without debugging symbols as far as I can
see, so gdb does not work out of the box (libssl1.0.0-dbg is installed).

Kind regards
Benjamin
openssl-output.txt

Kurt Roeckx

Feb 27, 2013, 1:20:04 PM
On Wed, Feb 27, 2013 at 09:34:33AM +0100, Benjamin Eikel wrote:
> > > Yes, it is. I used the following command:
> > > openssl s_client -connect mail.uni-paderborn.de:465
> >
> > That works for me ...
>
> the connection works for me, too. It dies when issuing the first command (e.g.
> EHLO test). Does the additional command work for you, too?

Yes, I get a reply back:
250-mail.uni-paderborn.de Hello d51a5255d.access.telenet.be [81.165.37.93]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN GSSAPI
250 HELP

That is with libssl1.0.0:amd64 1.0.1e-1

> Do you test on a machine with AES-NI support?

Yes. cpuinfo says:
model name : Intel(R) Core(TM) i5-2500 CPU @ 3.30GHz
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx lahf_lm ida arat epb xsaveopt pln pts dtherm tpr_shadow vnmi flexpriority ept vpid

cpuid in openssl should automatically pick up the "aes" part and use
aes-ni.

> The output is attached to this mail. Can I somehow produce more debugging
> output? /usr/bin/openssl is built without debugging symbols as far as I can
> see, so gdb does not work out of the box (libssl1.0.0-dbg is installed).

If you install libssl1.0.0-dbg you should get debug info for the
libraries, where the error happens.

Benjamin Eikel

Feb 28, 2013, 3:30:02 AM
Hello Kurt,

On Wednesday, 27 February 2013, 18:27:17, Kurt Roeckx wrote:
> If you install libssl1.0.0-dbg you should get debug info for the
> libraries, where the error happens.

debugging does not work for me with packages libssl1.0.0:amd64 1.0.1e-1 and
libssl1.0.0-dbg:amd64 1.0.1e-1 installed. gdb outputs "Reading symbols from
/usr/bin/openssl...(no debugging symbols found)...done." When running the
program and sending the command after the connection has been established, it
says:

140737353983656:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed
or bad record mac:s3_pkt.c:484:
[Inferior 1 (process 8191) exited with code 01].

Therefore, I am not able to produce a backtrace at the moment. I will try
later to compile the package from source and see if I can enable debugging
symbols there.

Excerpt from my /proc/cpuinfo:
model name : Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov
pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm
constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc
aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr
pdcm pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx f16c
rdrand lahf_lm ida arat epb xsaveopt pln pts dtherm tpr_shadow vnmi
flexpriority ept vpid fsgsbase smep erms

Kind regards
Benjamin

Kurt Roeckx

Feb 28, 2013, 12:40:02 PM
On Wed, Feb 27, 2013 at 06:27:17PM +0100, Kurt Roeckx wrote:
> On Wed, Feb 27, 2013 at 09:34:33AM +0100, Benjamin Eikel wrote:
> > > > Yes, it is. I used the following command:
> > > > openssl s_client -connect mail.uni-paderborn.de:465
> > >
> > > That works for me ...
> >
> > the connection works for me, too. It dies when issuing the first command (e.g.
> > EHLO test). Does the additional command work for you, too?

Can you try with:
export OPENSSL_ia32cap=~0x200000200000000

And then use s_client?

Benjamin Eikel

Mar 1, 2013, 3:40:01 AM
On Thursday, 28 February 2013, 18:30:32, Kurt Roeckx wrote:
> On Wed, Feb 27, 2013 at 06:27:17PM +0100, Kurt Roeckx wrote:
> > On Wed, Feb 27, 2013 at 09:34:33AM +0100, Benjamin Eikel wrote:
> > > > > Yes, it is. I used the following command:
> > > > > openssl s_client -connect mail.uni-paderborn.de:465
> > > >
> > > > That works for me ...
> > >
> > > the connection works for me, too. It dies when issuing the first
> > > command (e.g. EHLO test). Does the additional command work for you,
> > > too?
>
> Can you try with:
> export OPENSSL_ia32cap=~0x200000200000000
>
> And then use s_client?

This works and does not crash.
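
Added example (not part of the original thread and not OpenSSL's own code): a POSIX shell sketch that decodes the "~0x..." form of OPENSSL_ia32cap suggested above and checks a cpuinfo flags line for "aes". The names for bits 33 and 57 follow OpenSSL's OPENSSL_ia32cap documentation; the function names and the shortened flags line are constructed for illustration.

```sh
#!/bin/sh
# Added example: decode the "~MASK" (disable) form of OPENSSL_ia32cap.
# Only the two bits set in the thread's mask are given names here.

bit_name() {
    case "$1" in
        33) echo "PCLMULQDQ" ;;   # CPUID.1:ECX bit 1
        57) echo "AES-NI" ;;      # CPUID.1:ECX bit 25
        *)  echo "bit$1" ;;
    esac
}

# cleared_caps '~0x200000200000000' -> names of the capability bits that
# the setting hides from OpenSSL's CPU detection.
cleared_caps() {
    spec=$1
    case "$spec" in
        '~0x'*) mask=$(( ${spec#?} )) ;;   # strip the leading "~"
        *) echo "only the ~0x... form is handled" >&2; return 1 ;;
    esac
    out=""
    i=0
    while [ "$i" -lt 64 ]; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            out="${out:+$out }$(bit_name "$i")"
        fi
        i=$((i + 1))
    done
    echo "$out"
}

# cpu_has_aes FLAGS -> exit status 0 if the cpuinfo flags list contains "aes"
cpu_has_aes() {
    case " $1 " in
        *" aes "*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Constructed sample, shortened from the flags lines quoted in the thread.
SAMPLE_FLAGS="fpu sse sse2 ssse3 pclmulqdq sse4_1 sse4_2 popcnt aes xsave avx"

cleared_caps '~0x200000200000000'   # mask from the thread
cpu_has_aes "$SAMPLE_FLAGS" && echo "CPU advertises aes"
```

Running s_client against the same server once with OPENSSL_ia32cap='~0x200000200000000' exported and once without it, as done in the thread, shows whether the bad record MAC depends on the AES-NI/PCLMULQDQ code paths.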