
ssl_error_bad_mac_alert on big parameter POST

Status: RESOLVED INCOMPLETE
Product: Core
Component: Security
Reported: 3 years ago
Last modified: a year ago
People: Solomon Pi (Reporter); Unassigned

Tracking: 36 Branch, x86, Mac OS X
Firefox Tracking Flags: (Not tracked)
Attachments: 1 attachment

Description (Reporter, 3 years ago)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:36.0) Gecko/20100101 Firefox/36.0
Build ID: 20150305021524

Steps to reproduce:

In a secure environment, create a POST call (form-urlencoded) with a big parameter.
For testing purposes try here: https://mastiff.apifortress.com/t/


Actual results:

The POST execution returns an ssl_error_bad_mac_alert.
This event happens only with big sized parameters and only on Firefox.
We suspect this is happening only on Firefox 36, but we're unsure.


Expected results:

Request should execute without problems

Comment 1 (3 years ago)
Regression range:
good=2014-10-31
bad=2014-11-01
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=e0b505a37b1c&tochange=b695d9575654

Maybe a security issue.
Component: Untriaged → Networking: HTTP
Flags: needinfo?(mcmanus)
Keywords: regression, testcase
Product: Firefox → Core

Updated (3 years ago)
Flags: needinfo?(dkeeler)

Comment 2 (3 years ago)
Thanks for the awesome one click STR.

The server sends us Bad Record MAC.

It's interesting that in at least one log I see that the HTTP transaction that has this problem is carried on a reused persistent connection where the first 2 transactions have gone fine.

keeler is the right triage.
Flags: needinfo?(mcmanus)

Updated (3 years ago)
Component: Networking: HTTP → Security

Comment 3 (3 years ago)
hg bisect says https://hg.mozilla.org/mozilla-central/rev/2c7ca0dc4155 is the first bad revision, which is from bug 1088915.
Blocks: 1088915
Flags: needinfo?(dkeeler)

Updated
Depends on: 1139778
Comment 4
Bug 1088915 essentially disabled RC4, meaning that instead of TLS_RSA_WITH_RC4_128_SHA, the server picks TLS_RSA_WITH_3DES_EDE_CBC_SHA. There appears to be a bug in the server's implementation or use of that cipher suite, because I can reproduce the bad MAC error using curl compiled with openssl:

curl 'https://mastiff.apifortress.com/t/' 'https://mastiff.apifortress.com/t/post.html' --data 'foo=bar' 'https://mastiff.apifortress.com/t/post.html' --data `python -c "print 'a'*2000"` --ciphers DES-CBC3-SHA --keepalive-time 10 -v -v -v

This results in a lot of output (I'll attach the full log), but the important part is this:

* Connection #1 to host mastiff.apifortress.com left intact
* Found bundle for host mastiff.apifortress.com: 0x7cf900
* Re-using existing connection! (#1) with host mastiff.apifortress.com
* Connected to mastiff.apifortress.com (108.168.157.215) port 443 (#1)
> POST /t/post.html HTTP/1.1
> User-Agent: curl/7.41.0
> Host: mastiff.apifortress.com
> Accept: */*
> Content-Length: 2008
> Content-Type: application/x-www-form-urlencoded
> Expect: 100-continue
> 
* TLSv1.2, TLS alert, Server hello (2):
* SSL read: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac, errno 0
* Connection died, retrying a fresh connect
* Closing connection 1
Created attachment 8579466: curl log
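The probe below is an added example; it is not code from anyone on this bug, from Firefox or from NSS. It does in Python what the curl command above does by hand: negotiate one cipher suite at a time (capped at TLS 1.2, since TLS 1.3 ignores the cipher list), send a small form POST and then a 2000-byte one over the same keep-alive connection, and report whether the second transaction fails with bad_record_mac. The host and path default to the testcase URL from this bug, which is no longer available, so pass your own server; the suite list is an assumption, chosen to include the 3DES suite the server fell back to after RC4 was disabled.

```python
"""Per-cipher-suite probe for bad_record_mac on the second POST of a reused TLS connection.
Added example, not part of the bug report. Host, path and SUITES are assumptions."""
import io
import socket
import ssl
import sys

# OpenSSL suite names, as accepted by curl --ciphers; an assumed list, 3DES first.
SUITES = ["DES-CBC3-SHA", "AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]


def build_post(host: str, path: str, body: bytes) -> bytes:
    """Serialise a keep-alive HTTP/1.1 form POST, the same shape as the request in the curl log."""
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: keep-alive\r\n\r\n"
    )
    return head.encode("ascii") + body


def read_response(f) -> tuple:
    """Read one HTTP/1.1 response from a binary file object and consume the whole body,
    so the connection is in sync for the next transaction. Returns (status, body)."""
    status_line = f.readline()
    if not status_line:
        raise ConnectionError("server closed the connection before responding")
    status = int(status_line.split()[1])
    headers = {}
    while True:
        line = f.readline()
        if line in (b"\r\n", b"\n", b""):
            break
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = b""
        while True:
            size = int(f.readline().split(b";")[0].strip(), 16)
            if size == 0:
                f.readline()  # CRLF after the terminating zero-size chunk
                break
            body += f.read(size)
            f.readline()  # CRLF terminating this chunk
        return status, body
    return status, f.read(int(headers.get("content-length", "0")))


def classify(exc: BaseException) -> str:
    """Reduce an exception raised during the second transaction to a short verdict."""
    text = str(exc).lower()
    if isinstance(exc, ssl.SSLError) and "bad record mac" in text:
        return "bad_record_mac"
    if isinstance(exc, ssl.SSLError):
        return "tls_error"
    return "other_error"


def probe(host: str, path: str, suite: str, big: int = 2000, port: int = 443) -> str:
    """Force one suite, send a small POST then a large one on the same connection,
    and report what happened to the large one."""
    ctx = ssl.create_default_context()
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # set_ciphers() does not apply to TLS 1.3
    try:
        ctx.set_ciphers(suite)
    except ssl.SSLError:
        return "suite_unavailable_locally"  # this OpenSSL build or SECLEVEL refuses the suite
    try:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                f = tls.makefile("rb")
                tls.sendall(build_post(host, path, b"foo=bar"))
                read_response(f)  # first transaction; drain it fully
                tls.sendall(build_post(host, path, b"a" * big))
                status, _ = read_response(f)
                return f"ok:{status}"
    except Exception as exc:  # noqa: BLE001 - every failure mode is a result here
        return classify(exc)


if __name__ == "__main__":
    target_host = sys.argv[1] if len(sys.argv) > 1 else "mastiff.apifortress.com"
    target_path = sys.argv[2] if len(sys.argv) > 2 else "/t/post.html"
    for name in SUITES:
        print(f"{name:32} {probe(target_host, target_path, name)}")
```

A server that is only wrong for one suite shows "bad_record_mac" on that row and "ok:<status>" on the others; "suite_unavailable_locally" means your OpenSSL will not offer the suite at all, which is worth knowing before blaming the server. The first response is drained completely on purpose: an unread body would desynchronise the second transaction and produce a misleading failure.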
Comment 5
David, I cannot reproduce the ssl_error_bad_mac_alert.
Version: 49.0a1
Build ID: 20160602030220
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0
Please advise if I can close or leave open and further assist.
Flags: needinfo?(dkeeler)
Keywords: regression, testcase
Comment 6 (a year ago)
Looks like the server was updated (in any case, the testcase isn't available any longer). Reporter - feel free to reopen if this is still an issue.
Status: UNCONFIRMED → RESOLVED
Last Resolved: a year ago
Flags: needinfo?(dkeeler)
Resolution: --- → INCOMPLETE