Posted to users@httpd.apache.org by "Abfalterer, Armin" <Ar...@united-security-providers.ch> on 2013/05/13 09:58:45 UTC

[users@httpd] bad record mac error with nCipher nFast

Hi all,

We run an nCipher nFast card under Solaris and we've embedded the private key of our Apache server on this card. Apache is configured to use the OpenSSL "chil" engine and the embedded key.

When we want to connect to the Apache server we run into a "bad record mac" error.

[Wed May 08 13:59:16 2013] [debug] ssl_engine_kernel.c(1958): OpenSSL: Write: SSLv3 read certificate verify A #9121(65)
[Wed May 08 13:59:16 2013] [debug] ssl_engine_kernel.c(1977): OpenSSL: Exit: error in SSLv3 read certificate verify A #9121(65)
[Wed May 08 13:59:16 2013] [debug] ssl_engine_kernel.c(1977): OpenSSL: Exit: error in SSLv3 read certificate verify A #9121(65)
[Wed May 08 13:59:16 2013] [info] SSL library error 1 in handshake (server atlas:443) #9121(65)
[Wed May 08 13:59:16 2013] [info] SSL Library Error: 336130329 error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac #9121(65)
[Wed May 08 13:59:16 2013] [debug] ssl_engine_io.c(1007): Connection closed to child 62 with abortive shutdown (server atlas:443) #9121(65)

Tests without the card and the original private key do not fail, so we can exclude an SSL configuration problem.

Can anyone give a hint on how to track down the problem on the nCipher card?

Thanks!

Regards, Armin
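
Added example (not part of the original post, and not Apache or OpenSSL code): a small parser for the "SSL Library Error" line in the log above. It checks that the decimal value and the hex string are the same packed code and splits it into library, function and reason numbers. It assumes the pre-3.0 OpenSSL error-code layout; the function names are hypothetical.

```python
import re

# Constructed sample: the two [info] lines from the log above, with the
# wrapped "bad record / mac" line joined back into one.
SAMPLE_LOG = """\
[Wed May 08 13:59:16 2013] [info] SSL library error 1 in handshake (server atlas:443) #9121(65)
[Wed May 08 13:59:16 2013] [info] SSL Library Error: 336130329 error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac #9121(65)
"""

# The line carries the error code in decimal, then OpenSSL's string form:
# error:<hex code>:<library>:<function>:<reason text>
ERR_LINE = re.compile(
    r"SSL Library Error: (?P<dec>\d+) "
    r"error:(?P<hex>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*)$"
)

def unpack(code):
    """Split a packed error code (assumed pre-3.0 OpenSSL layout):
    8 bits library, 12 bits function, 12 bits reason."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def parse_ssl_errors(log_text):
    """Return one dict per 'SSL Library Error' line in an Apache error log."""
    found = []
    for line in log_text.splitlines():
        m = ERR_LINE.search(line)
        if not m:
            continue
        dec, hx = int(m["dec"]), int(m["hex"], 16)
        lib, func, reason = unpack(hx)
        # Drop a trailing tag of the form "#9121(65)" as seen in this log.
        text = re.sub(r"\s*#\d+\(\d+\)\s*$", "", m["reason"])
        found.append({
            "consistent": dec == hx,  # decimal and hex must be the same value
            "lib": lib, "func": func, "reason": reason,
            "lib_name": m["lib"], "func_name": m["func"], "reason_text": text,
        })
    return found

if __name__ == "__main__":
    for entry in parse_ssl_errors(SAMPLE_LOG):
        print(entry)
```

For the line above this yields library 20, function 143 and reason 281, with the decimal and hex forms agreeing.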


Re: [users@httpd] bad record mac error with nCipher nFast

Posted by "Abfalterer, Armin" <Ar...@united-security-providers.ch>.
Hi,

changing the UID of the running Apache processes to 0 (root) showed that it is a matter of privileges.

# /usr/bin/pcred -u 0 <pid>

Regards, Armin

> -----Original Message-----
> From: Abfalterer, Armin
> Sent: Monday, 13 May 2013 09:59
> To: users@httpd.apache.org
> Subject: [users@httpd] bad record mac error with nCipher nFast [signed OK]
> 
> Hi all,
> 
> We run an nCipher nFast card under Solaris and we've embedded the private key
> of our Apache server on this card. Apache is configured to use the OpenSSL
> "chil" engine and the embedded key.
> 
> When we want to connect to the Apache server we run into a "bad record mac"
> error.
> 
> [Wed May 08 13:59:16 2013] [debug] ssl_engine_kernel.c(1958): OpenSSL: Write: SSLv3 read certificate verify A #9121(65)
> [Wed May 08 13:59:16 2013] [debug] ssl_engine_kernel.c(1977): OpenSSL: Exit: error in SSLv3 read certificate verify A #9121(65)
> [Wed May 08 13:59:16 2013] [debug] ssl_engine_kernel.c(1977): OpenSSL: Exit: error in SSLv3 read certificate verify A #9121(65)
> [Wed May 08 13:59:16 2013] [info] SSL library error 1 in handshake (server atlas:443) #9121(65)
> [Wed May 08 13:59:16 2013] [info] SSL Library Error: 336130329 error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac #9121(65)
> [Wed May 08 13:59:16 2013] [debug] ssl_engine_io.c(1007): Connection closed to child 62 with abortive shutdown (server atlas:443) #9121(65)
> 
> Tests without the card and the original private key do not fail, so we can exclude
> an SSL configuration problem.
> 
> Can anyone give a hint on how to track down the problem on the nCipher
> card?
> 
> Thanks!
> 
> Regards, Armin