Closed Bug 1144065 Opened 5 years ago Closed 4 years ago

ssl_error_bad_mac_alert on big parameter POST


(Core :: Security, defect)

36 Branch





(Reporter: theirish81, Unassigned)




(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:36.0) Gecko/20100101 Firefox/36.0
Build ID: 20150305021524

Steps to reproduce:

In a secure environment, create a POST call (form-urlencoded) with a big parameter.
For testing purposes try here:

Actual results:

The POST execution returns an ssl_error_bad_mac_alert.
This event happens only with big-sized parameters and only on Firefox.
We suspect this is happening only on Firefox 36, but we're unsure.

Expected results:

Request should execute without problems
Regression range:

Maybe a security issue.
Component: Untriaged → Networking: HTTP
Flags: needinfo?(mcmanus)
Keywords: regression, testcase
Product: Firefox → Core
Flags: needinfo?(dkeeler)
Thanks for the awesome one click STR.

The server sends us Bad Record MAC.

It's interesting that in at least one log I see that the HTTP transaction that has this problem is carried on a reused persistent connection where the first 2 transactions have gone fine.

keeler is the right triage.
Flags: needinfo?(mcmanus)
Component: Networking: HTTP → Security
hg bisect says is the first bad revision, which is from bug 1088915.
Blocks: 1088915
Flags: needinfo?(dkeeler)
Depends on: 1139778
Bug 1088915 essentially disabled RC4, meaning that instead of TLS_RSA_WITH_RC4_128_SHA, the server picks TLS_RSA_WITH_3DES_EDE_CBC_SHA. There appears to be a bug in the server's implementation or use of that cipher suite, because I can reproduce the bad MAC error using curl compiled with openssl:

curl '' '' --data 'foo=bar' '' --data `python -c "print 'a'*2000"` --ciphers DES-CBC3-SHA --keepalive-time 10 -v -v -v

This results in a lot of output (I'll attach the full log), but the important part is this:

* Connection #1 to host left intact
* Found bundle for host 0x7cf900
* Re-using existing connection! (#1) with host
* Connected to ( port 443 (#1)
> POST /t/post.html HTTP/1.1
> User-Agent: curl/7.41.0
> Host:
> Accept: */*
> Content-Length: 2008
> Content-Type: application/x-www-form-urlencoded
> Expect: 100-continue
* TLSv1.2, TLS alert, Server hello (2):
* SSL read: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac, errno 0
* Connection died, retrying a fresh connect
* Closing connection 1
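Added example, not part of the bug report or of any project's code: what the bad record MAC alert in the log above means for a *_SHA suite in TLS 1.2. The receiver recomputes HMAC-SHA1 over its own record counter, the record header and the fragment it recovered, and answers with alert 20 when the result differs from the MAC the sender attached. The Endpoint class, the key and the payloads are constructed for illustration (the last payload is sized to the Content-Length: 2008 in the log), CBC encryption and padding are left out, and the thread does not say which of these inputs diverged on the server.

```python
import hashlib
import hmac
import struct

BAD_RECORD_MAC = 20      # AlertDescription.bad_record_mac, RFC 5246 section 7.2
APPLICATION_DATA = 23    # ContentType.application_data
TLS12 = (3, 3)           # ProtocolVersion of TLS 1.2


def record_mac(mac_key, seq_num, content_type, version, fragment):
    """MAC for a *_SHA suite: HMAC-SHA1(key, seq || type || version || length || fragment)."""
    header = struct.pack("!QBBBH", seq_num, content_type, *version, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha1).digest()


class Endpoint:
    """Hypothetical model of one direction of a connection: MAC key plus record counter."""

    def __init__(self, mac_key):
        self.mac_key = mac_key
        self.seq = 0  # never sent on the wire; both sides must count identically

    def protect(self, fragment):
        mac = record_mac(self.mac_key, self.seq, APPLICATION_DATA, TLS12, fragment)
        self.seq += 1
        return fragment, mac

    def verify(self, fragment, mac):
        """Return None if the record is accepted, else the alert code to send."""
        expected = record_mac(self.mac_key, self.seq, APPLICATION_DATA, TLS12, fragment)
        if not hmac.compare_digest(expected, mac):
            return BAD_RECORD_MAC
        self.seq += 1
        return None


def demo():
    key = bytes(range(20))  # constructed 20-byte HMAC-SHA1 key
    requests = [b"GET /a", b"GET /b", b"foo=bar&" + b"a" * 2000]  # constructed payloads
    client, server = Endpoint(key), Endpoint(key)
    healthy = [server.verify(*client.protect(r)) for r in requests]

    client, server = Endpoint(key), Endpoint(key)
    fragment, mac = client.protect(requests[2])
    truncated = server.verify(fragment[:-1], mac)  # receiver recovered different bytes
    server.seq = 5                                 # receiver's record count has drifted
    miscounted = server.verify(fragment, mac)
    return healthy, truncated, miscounted
```

In TLS 1.1 and later a receiver also reports a CBC padding failure as bad_record_mac, so the alert alone does not distinguish a MAC mismatch from a decryption or padding fault on the peer.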
David, I cannot reproduce the ssl_error_bad_mac_alert.
Version 	49.0a1
Build ID 	20160602030220
User Agent 	Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0
Please advise if I can close or leave open and further assist.
Flags: needinfo?(dkeeler)
Keywords: regression, testcase
Looks like the server was updated (in any case, the testcase isn't available any longer). Reporter - feel free to reopen if this is still an issue.
Closed: 4 years ago
Flags: needinfo?(dkeeler)
Resolution: --- → INCOMPLETE