Error code: ssl_error_bad_mac_read

mahao · 06-28-2011, 07:46 AM

Hi all,

we met an emergency problem.

We could not access our web site page on firefox or chrome or ie:

Firefox give us these error:

Secure Connection Failed

An error occurred during a connection to jira.inside.nokiasiemensnetworks.com.

SSL received a record with an incorrect Message Authentication Code.

(Error code: ssl_error_bad_mac_read)

The page you are trying to view can not be shown because the authenticity of the received data could not be verified.
Please contact the web site owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

We also try on linux with wget to access it:

here is the result:

[root@esjirp63 eedbuser]# wget -v https://jira.inside.nokiasiemensnetw...Dashboard.jspa -O /dev/null
--2011-06-28 14:21:33-- https://jira.inside.nokiasiemensnetw...Dashboard.jspa
Resolving jira.inside.nokiasiemensnetworks.com... 87.254.222.230 Connecting to jira.inside.nokiasiemensnetworks.com|87.254.222.230|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `/dev/null'

[ <=> ] 25,247 --.-K/s in 0.001s

2011-06-28 14:21:33 (29.5 MB/s) - Read error at byte 25247 (error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac).Retrying.

--2011-06-28 14:21:34-- (try: 2) https://jira.inside.nokiasiemensnetw...Dashboard.jspa
Connecting to jira.inside.nokiasiemensnetworks.com|87.254.222.230|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `/dev/null'

100%[==================================================================================================== =====================================>] 40,031 --.-K/s in 0.001s

2011-06-28 14:21:34 (47.7 MB/s) - `/dev/null' saved [40031]

[root@esjirp63 eedbuser]#

Do you have any advice for how to solve this?

This is emergency, please give us feedback ASAP.

Best Regards

unSpawn · 06-28-2011, 06:01 PM

You could try using Firefox with a clean profile without any plugins. Else try running in safe mode. Else try another browser. Else this might be a server side error, and since this is restricted access anyway, I think you best contact Nokia Siemens Networks (NSN) Internet Support in which case you should review connection instructions you've gotten and maybe add 'openssl s_client -connect $(host jira.inside.nokiasiemensnetworks.com):443 -bugs' output to your ticket.

mahao · 06-28-2011, 08:50 PM

Quote:

Originally Posted by unSpawn

You could try using Firefox with a clean profile without any plugins. Else try running in safe mode. Else try another browser. Else this might be a server side error, and since this is restricted access anyway, I think you best contact Nokia Siemens Networks (NSN) Internet Support in which case you should review connection instructions you've gotten and maybe add 'openssl s_client -connect $(host jira.inside.nokiasiemensnetworks.com):443 -bugs' output to your ticket.

Here is it:

[root@esjirt62 ~]# openssl s_client -connect jira.inside.nokiasiemensnetworks.com:443 -bugs
CONNECTED(00000003)
depth=3 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify return:1
depth=2 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
verify return:1
depth=0 /C=FI/ST=Espoo/L=Espoo/O=Nokia Siemens Networks/OU=NSN IT/CN=jira.inside.nokiasiemensnetworks.com
verify return:1
---
Certificate chain
0 s:/C=FI/ST=Espoo/L=Espoo/O=Nokia Siemens Networks/OU=NSN IT/CN=jira.inside.nokiasiemensnetworks.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
SOME HIDDEN CONTENT BY THE AUTHOR
-----END CERTIFICATE-----
subject=/C=FI/ST=Espoo/L=Espoo/O=Nokia Siemens Networks/OU=NSN IT/CN=jira.inside.nokiasiemensnetworks.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 4229 bytes and written 284 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID:
Session-ID-ctx:
Master-Key: SOME HIDDEN CONTENT BY THE AUTHOR
Key-Arg : None
Krb5 Principal: None
Start Time: 1309312078
Timeout : 300 (sec)
Verify return code: 0 (ok)
---

unSpawn · 06-30-2011, 02:16 PM

I've given you three options which you didn't post back about. Maybe read my post again? You did post output we (or at least I) don't want to see. I told you to send such output to NSN Internet Support.