KB Article #178935

Random SSL failures in connections using DH ciphers

Problem

The error observed in the API Gateway trace is "bad record mac [fatal]" which occurs sometimes. This will be from receiving a request on a HTTPS listener interface as seen in the data trace below.

DEBUG 25/Sep/2017:14:59:48.641 [8c81:000000000000000000000000] incoming call on <span class="code-keyword">interface</span> *:443 from 192.168.1.75:64575 
DEBUG 25/Sep/2017:14:59:48.641 [8c81:000000000000000000000000] <span class="code-keyword">new</span> connection 0x7feb540249f0, settings source incoming <span class="code-keyword">interface</span> (allow 1.1=yes, idleTimeo 
ut=60000, activeTimeout=60000, maxConnections=128, contentLength: req=no, res=no) 
DEBUG 25/Sep/2017:14:59:48.641 [8c81:000000000000000000000000] option <span class="code-quote">"nosslv2"</span> enabled <span class="code-keyword">for</span> ssl connection 
DEBUG 25/Sep/2017:14:59:48.641 [8c81:000000000000000000000000] option <span class="code-quote">"nosslv3"</span> enabled <span class="code-keyword">for</span> ssl connection 
DEBUG 25/Sep/2017:14:59:48.641 [8c81:000000000000000000000000] push SSL protocol on to connection 
DATA 25/Sep/2017:14:59:48.641 [8c81:000000000000000000000000] [SSL_accept, 0x6000] before/accept initialization. 
DEBUG 25/Sep/2017:14:59:48.641 [8c81:000000000000000000000000] No SSL host name provided, defaulting to certificate: \{ subject: /C=US/ST=My State/L=My Town/O=MyCompany/CN=My Domain }. 
DATA 25/Sep/2017:14:59:48.641 [8c81:000000000000000000000000] [SSL_accept, 0x2110] SSLv3 read client hello A. 
DATA 25/Sep/2017:14:59:48.641 [8c81:000000000000000000000000] [SSL_accept, 0x2130] SSLv3 write server hello A. 
DATA 25/Sep/2017:14:59:48.641 [8c81:000000000000000000000000] [SSL_accept, 0x2140] SSLv3 write certificate A \{ subject: /C=US/ST=My State/L=My Town/O=MyCompany/CN=My Domain }. 
DATA 25/Sep/2017:14:59:48.643 [8c81:000000000000000000000000] [SSL_accept, 0x2150] SSLv3 write key exchange A. 
DATA 25/Sep/2017:14:59:48.643 [8c81:000000000000000000000000] [SSL_accept, 0x2160] SSLv3 write certificate request A. 
DATA 25/Sep/2017:14:59:48.643 [8c81:000000000000000000000000] [SSL_accept, 0x2100] SSLv3 flush data. 
DATA 25/Sep/2017:14:59:48.658 [8c81:000000000000000000000000] [SSL_accept, 0x2180] SSLv3 read client certificate A. 
DATA 25/Sep/2017:14:59:48.658 [8c81:000000000000000000000000] [SSL_accept, 0x2190] SSLv3 read client key exchange A. 
DATA 25/Sep/2017:14:59:48.658 [8c81:000000000000000000000000] [SSL_accept, 0x21a0] SSLv3 read certificate verify A. 
ERROR 25/Sep/2017:14:59:48.672 [8c81:000000000000000000000000] [SSL alert write 0x214, 0x21c0]: bad record mac [fatal].* 
ERROR 25/Sep/2017:14:59:48.672 [8c81:000000000000000000000000] [SSL_accept, 0x21c0]: error - SSLv3 read finished A.* 
DEBUG 25/Sep/2017:14:59:48.672 [8c81:000000000000000000000000] destroying connection 0x7feb540249f0 with transaction (nil) 
DEBUG 25/Sep/2017:14:59:48.672 [8c81:000000000000000000000000] delete connection 0x7feb540249f0 
ERROR 25/Sep/2017:14:59:48.672 [8c81:000000000000000000000000] error handling connection: SSL protocol error 
error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac, source location: s3_pkt.c:535*


A Wireshark/tcpdump of the connection will show the SSL handshake being terminated after an TLSv1 encrypted Alert (Level: Fatal, Description Bad Record MAC). This occurs after "Change Cipher Spec".

Resolution

There is a known problem with DH ciphers in Java 6 and Java 7 which has been fixed in

a) Java 8

b) Java 7 u6 (b06) http://bugs.java.com/view_bug.do?bug_id=2222432

c) Java 6 u115 (b32) (http://bugs.java.com/view_bug.do?bug_id=8154780)

How the bug manifests itself (description from Stack Overflow):

https://stackoverflow.com/questions/40964961/intermittent-javax-net-ssl-failure-bad-record-mac

Fix described in Java 6u115 b32:

http://www.oracle.com/technetwork/java/javase/overview-156328.html


7146728security-libsjavax.cryptoInconsistent length for the generated secret using DH key agreement impl from SunJCE and PKCS11

Note that an Oracle account is required to get the update to Java 6u115:

From http://www.oracle.com/technetwork/java/javase/downloads/index.html

"Java SE 7 and Java SE 6 updates

Updates for Java SE 7 released after April 2015, and updates for Java SE 6 released after April 2013 are only available to Oracle Customers through My Oracle Support (requires support login). "

It is recommended that any Java 1.6 client is upgraded to at least Java 6 u115b32 to prevent this error.

If it is not possible to upgrade the version of Java as detailed above then the only other possibility is to remove

DH/DHE/ECDH/ECDHE ciphers in API Gateway or Java security properties for clients:

jdk.tls.disabledAlgorithms=SSLv3, DH, DHE, ECDH, ECDHE

Still need help?

If this information wasn't helpful to you, just drop us a line. We'll get back to you as soon as possible.