[Pkg-openssl-devel] Bug#678353: openssl: SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:480
Russell Stuart
russell-debian at stuart.id.au
Thu Jun 21 02:49:06 UTC 2012
Package: openssl
Version: 1.0.1c-3
Severity: normal
Originally I was trying to do this:
$ python
>>> import urllib2
>>> urllib2.urlopen("https://myrta.com/regcheck/pages/content/enterVehicleDetails.jsf")
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/python2.7/urllib2.py", line 126, in urlopen
return _opener.open(url, data, timeout)
File "/usr/lib/python2.7/urllib2.py", line 400, in open
response = self._open(req, data)
File "/usr/lib/python2.7/urllib2.py", line 418, in _open
'_open', req)
File "/usr/lib/python2.7/urllib2.py", line 378, in _call_chain
result = func(*args)
File "/usr/lib/python2.7/urllib2.py", line 1215, in https_open
return self.do_open(httplib.HTTPSConnection, req)
File "/usr/lib/python2.7/urllib2.py", line 1177, in do_open
raise URLError(err)
urllib2.URLError: <urlopen error [Errno 1] _ssl.c:504: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac>
Tracing it back, I see python2.7 uses
/usr/lib/x86_64-linux-gnu/libssl.so.1.0.0, so I tried this which
fails with the same error:
$ openssl s_client -connect myrta.com:443
CONNECTED(00000003)
depth=3 C = ZA, ST = Western Cape, L = Cape Town, O = Thawte Consulting cc, OU = Certification Services Division, CN = Thawte Premium Server CA,
emailAddress = premium-server at thawte.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
140092995372712:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:480:
---
Certificate chain
0 s:/C=AU/ST=New South Wales/L=Sydney/O=Roads & Traffic Authority of New South Wales/OU=RTA/CN=myrta.com
i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server at thawte.com
3 s:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server at thawte.com
i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server at thawte.com
---
Server certificate
subject=/C=AU/ST=New South Wales/L=Sydney/O=Roads & Traffic Authority of New South Wales/OU=RTA/CN=myrta.com
issuer=/C=US/O=Thawte, Inc./CN=Thawte SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 4064 bytes and written 205 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: 000039B7D44355DBF50A59F8A4F5049402D0B048585858584FE2863E000009E7
Session-ID-ctx:
Master-Key: 4C860E68617462AB0D15E06B1637A46640A2C3D61F802ECC714191A897DDCF46C6DB37F9089E623C9181FD246BE8455E
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1340245567
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
$
Iceweasel on the same box has no trouble with the URL given to
python. On a squeeze amd64 box on the same LAN, executing the
above statements doesn't return any errors.
This has only happened with myrta.com. https://www.google.com/ for
example works.
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages openssl depends on:
ii libc6 2.13-33
ii libssl1.0.0 1.0.1c-3
ii zlib1g 1:1.2.7.dfsg-11+b1
openssl recommends no packages.
Versions of packages openssl suggests:
ii ca-certificates 20120212
-- no debconf information
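
A small triage helper for an s_client transcript like the one in this report, added here as an example and not part of the original message: it unpacks the error-queue code using the OpenSSL 1.0.x layout and summarises the negotiated parameters. The names `unpack_error`, `field` and `triage` and the 2048-bit threshold are assumptions of this example; the sample lines are constructed from the transcript above.

```python
import re

# Constructed sample: diagnostic lines copied from the s_client transcript in the report.
SAMPLE = """\
140092995372712:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:480:
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Verify return code: 19 (self signed certificate in certificate chain)
"""

# tid:error:<packed code>:<library>:<function>:<reason>:<file>:<line>:
ERR_RE = re.compile(
    r"^(\d+):error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*):([^:]*):(\d+):", re.M)

def unpack_error(code_hex):
    """Split a packed code (OpenSSL 1.0.x layout): 8-bit lib, 12-bit func, 12-bit reason."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def field(pattern, text):
    """Return the first capture group of pattern in text, or None."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def triage(transcript):
    """Return (error queue entries, negotiated parameters, findings)."""
    errors = [{"code": unpack_error(m.group(2)), "function": m.group(4),
               "reason": m.group(5), "source": m.group(6) + ":" + m.group(7)}
              for m in ERR_RE.finditer(transcript)]
    params = {
        "protocol": field(r"^\s*Protocol\s*:\s*(\S+)", transcript),
        "cipher": field(r"^\s*Cipher\s*:\s*(\S+)", transcript),
        "key_bits": field(r"^Server public key is (\d+) bit", transcript),
        "verify_code": field(r"^\s*Verify return code: (\d+)", transcript),
    }
    findings = []
    if params["cipher"] and re.search(r"RC4|MD5", params["cipher"]):
        findings.append("weak cipher suite: " + params["cipher"])
    if params["key_bits"] and int(params["key_bits"]) < 2048:
        findings.append("server key below 2048 bits: " + params["key_bits"])
    if "Secure Renegotiation IS NOT supported" in transcript:
        findings.append("no secure renegotiation (RFC 5746)")
    if params["verify_code"] not in (None, "0"):
        findings.append("chain verification returned " + params["verify_code"])
    return errors, params, findings

if __name__ == "__main__":
    for part in triage(SAMPLE):
        print(part)
```

For the code in this report, the unpacked fields are library 20 (the SSL library), function 143 and reason 281, matching the `SSL3_GET_RECORD` and "decryption failed or bad record mac" strings on the same line.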