javax.net.ssl.SSLException: Received fatal alert: bad_record_mac

[pawelantczak]

Hello. I'm getting:

javax.net.ssl.SSLException: Received fatal alert: bad_record_mac

when connection to url:

https://www.siodemka.com/monitoring-przesylek

It seems like a known JRE bug. My server runs recent java. Is there a chance, that this can be fixed within jodd?

[igr]

Sure, I will check it out (i think ive already deal with this error in the past), just please give me few days, have some offline things to do

Also, would you be so kind to post your code, as my quick test is working with both HttpBrowser and HttpRequest, on JDK 1.7.0_45? The workaround should be:

socket.setEnabledProtocols(new String[]{"SSLv3"});

however, I would like to be able to reproduce it locally. Maybe its also OS related, so please let me know yours :)

Thank you!

[pawelantczak]

Hello. OS: Solaris x86 5.11 JVM: Java(TM) SE Runtime Environment 1.7.0_51-b13 Java HotSpot(TM) Server VM) Code is pretty straightforward: https://gist.github.com/pawelantczak/2240295d186dfe538b40

[igr]

Ok, I was able to reproduce it with the following code:

    HttpRequest httpRequest = HttpRequest.get("https://www.siodemka.com/monitoring-przesylek");
    httpRequest.open();
    SocketHttpConnection httpConnection =
            (SocketHttpConnection) httpRequest.httpConnection();
    SSLSocket socket = (SSLSocket) httpConnection.getSocket();
    socket.setEnabledProtocols(new String[] {"SSLv3"});   // !!!
    HttpResponse httpResponse = httpRequest.send();

The difference is the line marked above, that enables SSLv3 protocol. When it is on, there is an exception, when it is off, the exception is gone. Just to check - are you aware that maybe this protocol is turned on for you by default? Anyhow, I am working on solving it...

(in other words, this is an issue with with ssl3 protocol:)

[igr]

This also looks like this Java bug. What is the Java version of your client, from where you are accessing the server? I guess that v1.7.0_51 is the server version?

[pawelantczak]

Hello. I'm getting error from Spring based app, running on Java version mentioned above. This is default config, https.protocols is not overridden.

[igr]

Ok, here is what I have found.

• On Java 1.7.0_45 things should work without any change. However, if SSLv3 is enabled, there is exception, due to java bug (i suppose).
• On Java 1.7.0_51 it's opposite: you must enable the SSLv3 as described above.

Would you be so kind to quickly test above code (with enabled SSL3, as you have 1.7.0_51) and let me if that worked for you? Because, this is what worked for me :) If this is so, I will make easier to enable different protocols for https.

Thank you in advance!!!

[igr]

Huh, today I have different results for Java 1.7.0_51, it works with both SSL3 and default. Anyway, please try the code snippet above to see if that make any change for you. Thank you!

[igr]

Just wonder, have you tried example above or enabling the SSLv3 on client?

[pawelantczak]

I will do this for sure. I didn't have time till now. Sorry.

[igr]

Hey no problem at all :) Take your time !

[pawelantczak]

Hello. Checked. Adding sslSocket.setEnabledProtocols(new String[]{"SSLv3"}); done the trick.

[igr]

Awesome! Thank you! I will try to improve ConnectionProvider to make it easier to set such things at least for common features.

[pawelantczak]

Great. Thanks! My first try was to add -Dhttps.protocols="SSLv3" to JVM. Maybe jodd can try to use this value if it's set?

[igr]

Sure, make sense, good idea!

[ecki]

BTW: https://bugs.openjdk.java.net/browse/JDK-4615819 It is a known java client bug - it calculates the mac with the actual protcol negotiated not the one offered. This was done for compatibility with some servers. not offering TLS is therefore the solution (and a security risk).

[igr]

Thank you for sharing!