Closed Bug 166931 Opened 22 years ago Closed 22 years ago

HTTP SSL "Incorrect Message Authentication Code" error

Categories

(Core Graveyard :: Security: UI, defect, P3)

1.0 Branch
defect

Tracking

(Not tracked)

VERIFIED DUPLICATE of bug 162752

People

(Reporter: sharding, Assigned: ssaux)

Details

This is an offshoot from Bug 162752 which concerns incorrect MAC errors in IMAPS.

When going to
https://www.asecureserver.com/cgi-bin/makepage.cgi?orderforma.html, I get a
dialog box with the text: "www.asecureserver.com received a message with
incorrect Message Authentication Code. If the error occurs frequently, contact
the website administrator."

The URL loads correctly in IE and wget on the same machine.

This is Mozilla build 2002082909 on Mac OS X 10.2.
Confirmed using FizzillaCFM/2002090508 on 10.1.5. It works fine using
Chimera/2002090505.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Confirmed with Moz1.2a (20020910) under Windows using a different server.
Keywords: nsbeta1
OS: MacOS X → All
Priority: -- → P3
Hardware: Macintosh → All
Version: unspecified → 2.4
Blocks: 169277
A workaround is to disable TLS. Edit>Prefs>Privacy>SSL
I get the same on Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.1)
Gecko/20020826 on a different server.  It's odd because the server was working
earlier today, and now it's not, and I haven't changed anything on the server or
in Mozilla (though I may have checked 'save this certificate', which is the
standard snakeoil.dom dummy cert apache/modssl creates).
I tried disabling TLSv1 as junruh suggested, but that did not help.  I checked
the ssl_error_log on the server and found this bit of helpful info:

[Wed Sep 18 16:03:51 2002] [error] OpenSSL: error:1408F071:SSL
routines:SSL3_GET_RECORD:bad mac decode [Hint: Browser still remembered details
of a re-created server certificate?]
[Wed Sep 18 16:03:56 2002] [error] mod_ssl: SSL handshake failed (server
bart.tajmahome.com:443, client 63.143.133.130) (OpenSSL library error follows)
[Wed Sep 18 16:03:56 2002] [error] OpenSSL: error:1408F071:SSL
routines:SSL3_GET_RECORD:bad mac decode [Hint: Browser still remembered details
of a re-created server certificate?]
[Wed Sep 18 16:18:10 2002] [error] mod_ssl: SSL handshake failed (server
bart.tajmahome.com:443, client 63.143.133.130) (OpenSSL library error follows)

As openssl is suggesting, I think this is what's happening, since I'm using the
www.snakeoil.dom certificate - but I'm using different snakeoil.dom certificates
on different sites, as on each server I run "make certificate type=dummy" when
installing apache.  As I said above, this problem only started happening when I
clicked "remember this cert".  I tried to go in and delete the cert, but when I
clicked delete, nothing happened, and it looks like they're stored in a binary
file so I can't manually delete the cert.  Is there another way?  

For the time being I guess I'll just make a different cert for this server.
With the latest nightly build from www.mozilla.org, you can delete web site 
certs.
I also see this at "http://www.bokkilden.no". Press the green button named "LOGG
INN" on the left frame.

This error appears on 1.2a, but not on 1.1.
The site mentioned above is TLS intolerant - IBM_HTTP_Server/1.3.6.3
Apache/1.3.7-dev (Win32). Try disabling TLS.
I managed to get around the certificate problem I mentioned above by deleting
the www.snakeoil.dom certificate.  However, on another server, I get the
"Incorrect Message Authentication Code" error.  I am using Mozilla/5.0 (Windows;
U; Windows NT 5.0; en-US; rv:1.2a) Gecko/20020910.

Following is the portion of the ssl_engine_log from when I try to connect with
Mozilla:

[25/Sep/2002 16:19:25 14609] [info]  Connection to child 0 established (server
secure.alexandivy.com:443, client 63.143.133.130)
[25/Sep/2002 16:19:25 14609] [info]  Seeding PRNG with 1160 bytes of entropy
[25/Sep/2002 16:19:25 14609] [error] SSL handshake failed (server
secure.alexandivy.com:443, client 63.143.133.130) (OpenSSL library error follows)
[25/Sep/2002 16:19:25 14609] [error] OpenSSL:
error:1408F455:lib(20):func(143):reason(1109)

Following is the section of the log when I connect with IE6:

[25/Sep/2002 16:20:24 14616] [info]  Connection to child 6 established (server
secure.alexandivy.com:443, client 63.143.133.130)
[25/Sep/2002 16:20:24 14616] [info]  Seeding PRNG with 1160 bytes of entropy
[25/Sep/2002 16:20:24 14616] [info]  Connection: Client IP: 63.143.133.130,
Protocol: TLSv1, Cipher: RC4-MD5 (128/128 bits)
[25/Sep/2002 16:20:24 14616] [info]  Initial (No.1) HTTPS request received for
child 6 (server secure.alexandivy.com:443)
[25/Sep/2002 16:20:24 14616] [info]  Connection to child 6 closed with unclean
shutdown (server secure.alexandivy.com:443, client 63.143.133.130)

Someone above had suggested disabling TLS in Mozilla; I have done that and it
still does not work.  The last time this happened, I uninstalled Mozilla,
deleted the remaining files in the Application Data directory, and reinstalled
and it worked.  I'm going to try phoenix now and see if that works, since I
don't feel like uninstalling and reinstalling Mozilla again.
I should have added that when I connected with IE6, it worked fine.  Also, I
just tried with "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.2b)
Gecko/20020923 Phoenix/0.1" and it seems to work fine.
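An added example, not part of the original thread and not mod_ssl or OpenSSL code: a small triage script for the two `ssl_error_log` / `ssl_engine_log` excerpts quoted above. It rejoins the hard-wrapped entries, unpacks the 8-hex-digit OpenSSL error code, and reuses names from resolved lines to label the unresolved `lib(20):func(143):reason(1109)` line, which shows that both failures were raised in the same routine. The function names are hypothetical, the sample log is constructed from lines quoted in the thread, and the bit layout assumed is the pre-3.0 OpenSSL packing (8 bits library, 12 bits function, 12 bits reason).

```python
import re

# Constructed sample: OpenSSL error entries quoted in this thread, hard-wrapped as posted.
SAMPLE_LOG = """\
[Wed Sep 18 16:03:51 2002] [error] OpenSSL: error:1408F071:SSL
routines:SSL3_GET_RECORD:bad mac decode [Hint: Browser still remembered details
of a re-created server certificate?]
[25/Sep/2002 16:19:25 14609] [error] SSL handshake failed (server
secure.alexandivy.com:443, client 63.143.133.130) (OpenSSL library error follows)
[25/Sep/2002 16:19:25 14609] [error] OpenSSL:
error:1408F455:lib(20):func(143):reason(1109)
"""

ENTRY_START = re.compile(r"\[[^\]]+\] \[\w+\]")
ERR_RE = re.compile(r"OpenSSL: error:([0-9A-Fa-f]{8}):([^:\[]+):([^:\[]+):([^\[]+)")
UNRESOLVED = re.compile(r"(?:lib|func|reason)\(\d+\)$")


def unwrap(text):
    """Rejoin hard-wrapped entries; a new entry starts with '[timestamp] [level]'."""
    entries = []
    for line in text.splitlines():
        if ENTRY_START.match(line) or not entries:
            entries.append(line.strip())
        else:
            entries[-1] += " " + line.strip()
    return entries


def unpack(code_hex):
    """Split a packed error code (assumed pre-3.0 OpenSSL layout) into (lib, func, reason)."""
    e = int(code_hex, 16)
    return (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF


def triage(text):
    """Decode each OpenSSL error, naming fields from lines where the text was resolved."""
    names, rows = {}, []
    for entry in unwrap(text):
        m = ERR_RE.search(entry)
        if not m:
            continue
        nums = unpack(m.group(1))
        for kind, num, txt in zip(("lib", "func", "reason"), nums, m.groups()[1:]):
            if not UNRESOLVED.match(txt.strip()):
                names[(kind, nums[0], num)] = txt.strip()  # keyed per library
        rows.append(nums)
    return [tuple(names.get((k, r[0], n), f"{k}({n})")
                  for k, n in zip(("lib", "func", "reason"), r)) for r in rows]
```

Calling `triage(SAMPLE_LOG)` returns one `(library, function, reason)` tuple per OpenSSL error entry; a reason that no resolved line in the input names stays in its numeric form.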
The nightly versions compiled before September seem to work well. A version
dated 15 August works well. Why did the bug appear? Maybe analysing changes
in the source could help...
Sticking with the original bug, marking this a dupe of bug 162752 - TLS 
intolerant server problem.
Evan Hoffman, your problem appears to be a duplicate of bug 169696 and not 
related to TLS intolerance.

*** This bug has been marked as a duplicate of 162752 ***
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
Verified.
Status: RESOLVED → VERIFIED
I tested, and the patch from bug 163605 will fix this problem.
Depends on: 163605
Product: PSM → Core
Version: psm2.4 → 1.0 Branch
Product: Core → Core Graveyard