[OpenSIPS-Users] TLS 'Bad Record MAC' causing pain

Jared Biel jared.biel at bolderthinking.com
Sat Aug 11 00:35:44 CEST 2012


Hello,

We've been experiencing issues with one of our Opensips instances for
a few months. Every now and then it appears that we get a bad packet
that's part of TLS negotiation (Encrypted Handshake Message.) Opensips
rejects this packet by replying with 'Bad Record MAC'. What's
interesting is that sometimes this causes all subsequent TLS
connections/negotiations to fail yet other times Opensips survives it.
The only way that we've found to recover from this failure is to
restart the daemon and we haven't found a way to reproduce it. We do
have packet captures containing the "bad" packets.

Has anyone out there experienced this issue? We've seen it across
different servers, operating systems and Opensips versions.

Log output:

[2012-08-10 18:38:01.08] [opensips] ERROR:core:tls_accept: New TLS
connection from 1.2.3.4:1029 failed to accept: rejected by client
[2012-08-10 18:38:01.08] [opensips] WARNING:core:fm_free: free(0) called
[2012-08-10 18:38:01.08] [opensips] ERROR:core:tls_accept: New TLS
connection from 1.2.3.4:1032 failed to accept: rejected by client
[2012-08-10 18:38:01.08] [opensips] WARNING:core:fm_free: free(0) called
...
[2012-08-10 18:38:13.72] [opensips] ERROR:core:_tls_read: TLS
connection to 9.3.3.4:35951 read failed
[2012-08-10 18:38:13.72] [opensips] ERROR:core:_tls_read: TLS read error: 1
[2012-08-10 18:38:13.73] [opensips] ERROR:core:tls_print_errstack: TLS
errstack: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption
failed or bad record mac
[2012-08-10 18:38:13.73] [opensips] ERROR:core:tcp_read_req: failed to read

Versions:

  Opensips: 1.8.0
  Kernel: 3.2.0-26-virtual (Ubuntu 12.04)
  Openssl: 1.0.1-4ubuntu5.3

Thanks,
Jared Biel
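
An added example (not part of the original post and not OpenSIPS code): a small log triage script that rejoins the wrapped log lines in the format quoted above, finds each `1408F119` "bad record mac" errstack entry, and lists the peers whose TLS accept failed shortly afterwards, which is the "subsequent connections fail" condition described. The sample log is constructed, and the 60-second window and the function names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the format quoted above, including the e-mail line wrapping.
SAMPLE = """\
[2012-08-10 18:38:13.72] [opensips] ERROR:core:_tls_read: TLS
connection to 192.0.2.10:35951 read failed
[2012-08-10 18:38:13.73] [opensips] ERROR:core:tls_print_errstack: TLS
errstack: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption
failed or bad record mac
[2012-08-10 18:38:14.10] [opensips] ERROR:core:tls_accept: New TLS
connection from 192.0.2.20:1029 failed to accept: rejected by client
[2012-08-10 18:38:14.30] [opensips] WARNING:core:fm_free: free(0) called
[2012-08-10 18:38:15.02] [opensips] ERROR:core:tls_accept: New TLS
connection from 192.0.2.21:1032 failed to accept: rejected by client
[2012-08-10 18:38:16.40] [opensips] ERROR:core:tls_accept: New TLS
connection from 192.0.2.22:4410 failed to accept: rejected by client
"""

ENTRY_START = re.compile(
    r"^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\] \[opensips\] (.*)$")
ERRSTACK = re.compile(r"errstack: error:([0-9A-Fa-f]{8}):")
ACCEPT_FAIL = re.compile(
    r"tls_accept: New TLS connection from (\S+):(\d+) failed to accept")
BAD_RECORD_MAC = "1408F119"  # OpenSSL error code shown in the post's errstack line


def entries(text):
    """Rejoin wrapped lines into [timestamp, message] entries."""
    out = []
    for line in text.splitlines():
        m = ENTRY_START.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            out.append([ts, m.group(2)])
        elif out and line.strip() and line.strip() != "...":
            out[-1][1] += " " + line.strip()  # continuation of previous entry
    return out


def accept_failures_after_bad_mac(text, window_s=60):
    """Per bad-record-MAC event, peers whose accept failed within window_s."""
    evs = entries(text)
    report = []
    for ts, msg in evs:
        m = ERRSTACK.search(msg)
        if m and m.group(1).upper() == BAD_RECORD_MAC:
            peers = [a.group(1) for t, s in evs
                     for a in [ACCEPT_FAIL.search(s)]
                     if a and 0 <= (t - ts).total_seconds() <= window_s]
            report.append((ts, peers))
    return report
```

A run of accept failures from many distinct peers after a single bad-MAC event points at a server-side stuck state rather than one misbehaving client, and is a reasonable trigger for alerting.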


