Closed Bug 1144065 Opened 5 years ago Closed 4 years ago
_error _bad _mac _alert on big parameter POST
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:36.0) Gecko/20100101 Firefox/36.0 Build ID: 20150305021524 Steps to reproduce: In a secure environment, create a POST call (form-urlencoded) with a big parameter. For testing purposes try here: https://mastiff.apifortress.com/t/ Actual results: the POST execution returns a ssl_error_bad_mac_alert This event happens only with big sized parameters and only on Firefox. We suspect this is happening only of Firefox 36, but we're unsure Expected results: Request should execute without problems
Regression range: good=2014-10-31 bad=2014-11-01 http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=e0b505a37b1c&tochange=b695d9575654 Maybe a security issue.
Thanks for the awesome one click STR. The server sends us Bad Record MAC. Its interesting that in at least one log I see that the HTTP transaction that has this problem is carried on a reused persistent connection where the first 2 transactions have gone fine. keeler is the right triage.
hg bisect says https://hg.mozilla.org/mozilla-central/rev/2c7ca0dc4155 is the first bad revision, which is from bug 1088915.
Bug 1088915 essentially disabled RC4, meaning that instead of TLS_RSA_WITH_RC4_128_SHA, the server picks TLS_RSA_WITH_3DES_EDE_CBC_SHA. There appears to be a bug in the server's implementation or use of that cipher suite, because I can reproduce the bad MAC error using curl compiled with openssl: curl 'https://mastiff.apifortress.com/t/' 'https://mastiff.apifortress.com/t/post.html' --data 'foo=bar' 'https://mastiff.apifortress.com/t/post.html' --data `python -c "print 'a'*2000"` --ciphers DES-CBC3-SHA --keepalive-time 10 -v -v -v This results in a lot of output (I'll attach the full log), but the important part is this: * Connection #1 to host mastiff.apifortress.com left intact * Found bundle for host mastiff.apifortress.com: 0x7cf900 * Re-using existing connection! (#1) with host mastiff.apifortress.com * Connected to mastiff.apifortress.com (22.214.171.124) port 443 (#1) > POST /t/post.html HTTP/1.1 > User-Agent: curl/7.41.0 > Host: mastiff.apifortress.com > Accept: */* > Content-Length: 2008 > Content-Type: application/x-www-form-urlencoded > Expect: 100-continue > * TLSv1.2, TLS alert, Server hello (2): * SSL read: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac, errno 0 * Connection died, retrying a fresh connect * Closing connection 1
David; I cannot reproduce the ssl_error_bad_mac_alert Version 49.0a1 Build ID 20160602030220 User Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0 Please advise if I can close or leave open and further assist.
Looks like the server was updated (in any case, the testcase isn't available any longer). Reporter - feel free to reopen if this is still an issue.
Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.