Closed Bug 372408 Opened 17 years ago Closed 8 years ago

_site_ received a message with incorrect Message Authentication Code.

Categories

(Core :: Security: PSM, defect)

x86
macOS
defect
Not set
normal

RESOLVED INCOMPLETE

People

(Reporter: darin.moz, Unassigned)

Attachments

(2 files, 3 obsolete files)

_site_ received a message with incorrect Message Authentication Code.

A friend of mine is seeing this error with high frequency when using Firefox 2.0.0.2 on Mac OS X 10.4.  He sees it when visiting various HTTPS sites (banks, etc.).

It looks like this error dialog corresponds to PSMERR_BadMac.  I don't know what conditions lead to that error, but I doubt it is a server problem.
Without some URLs we'll never know what's going on.
I hadn't used Mac in a while.

I have a PowerPC Mac running OSX 10.4.8, just updated to the latest patches.

Using a fresh downloaded Firefox 2.0.0.2 I visited several secure sites, including my personal bank account, and it all worked fine, no error messages.

So a hint how to reproduce would be great.

If you're stuck, could your friend try to create a fresh profile?
I recently heard from another user who had strange problems, which did go away with a fresh profile.

If a fresh profile really helps, we'd be very much interested in the security db file.
He says the problem occurs sometimes when visiting: https://www.paypal.com/
Attached image sample error dialog #1 (obsolete) —
Attached image sample error dialog #2 (obsolete) —
Re-Attaching as PNG so we can view from within the browser
Attachment #257066 - Attachment is obsolete: true
Attached image sample error dialog #2 (png) (obsolete) —
Re-Attaching as PNG so we can view from within the browser
Attachment #257069 - Attachment is obsolete: true
Attachment #257074 - Attachment is obsolete: true
Comment on attachment 257073 [details]
sample error dialog #1 (png)

This bug's subject/summary says the problem is the error message:
" _site_ received a message with incorrect Message Authentication Code"
That's what we call a "bad MAC" error, MAC referring not to Macintosh,
but to Message Authentication Code.

SSL_ERROR_BAD_MAC_ALERT 	-12272 	
"SSL peer reports incorrect Message Authentication Code."

BUT This attachment's image reports error -12192, which is 

SSL_ERROR_DECRYPT_ERROR_ALERT 	-12192 	
"Peer reports failure of signature verification or key exchange."

That's NOT a "bad MAC" error.  Those two errors are very different.

So, now I have to ask: what error is this bug really about?
Nelson, as mentioned in comment 0, this bug is about the fact that a user experiences various SSL failures with various sites.

The two screenshots are two separate examples.

www.paypal.com gave SSL_ERROR_DECRYPT_ERROR_ALERT

securepics.ebaystatic.com gave SSL_ERROR_BAD_MAC_ALERT
Darin, Could you confirm that your friend owns at least 2 personal certificates?

I wonder if this bug is related to regression bug 370136.

If it is, your friend would see all success with Firefox 2.0.0.0
but problems with 2.0.0.1 and 2.0.0.2

The regression should be limited to web sites that require or optionally ask for a client authentication certificate.

It seems unlikely that www.paypal.com or securepics.ebaystatic.com are configured to ask for a client certificate - but maybe they are using a farm of servers, and at least one of them is configured to ask for it? (This would explain that the error is seen occasionally only).


For kicks I just ran 1000 connections to www.paypal.com, but the server never asked for client auth :-/
Re: comment 11, A problem with an SSL client auth cert could explain 
SSL_ERROR_DECRYPT_ERROR_ALERT, but not likely SSL_ERROR_BAD_MAC_ALERT.
But I think it's quite unlikely that paypal.com is requesting client auth.

Regarding comment 10, two sites with two separate errors should be two
separate bugs.
No client certs are installed on the system where this problem keeps occurring.
(In reply to comment #13)
> No client certs are installed on the system where this problem keeps occurring.

Thanks, this means that bug 370136 can not be the cause.

I'm cc'ing Glen, who might have some ideas on this, because this bug is reported to happen on a Mac.

While so far I haven't been able to reproduce this in my limited testing on Mac, I should try to run stress test software against the reported sites, in the hope I can reproduce it.

Darin, we are currently completely in the dark as to why these failures occur, and we are unable to reproduce.
Could you possibly assist your friend in getting us SSL connection logs of such a failing session?

There is a command line tool called "ssltap" which can be used for that.
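
Added example, not part of the original bug thread and not ssltap or NSS code: a small parser that walks the TLS records in captured server-to-client bytes and tells the two alerts discussed above apart. It assumes the alerts arrive unencrypted, and that TLS alert 20 (bad_record_mac) and 51 (decrypt_error) are what NSS reports as the two error codes quoted in this bug; the sample byte strings are constructed.

```python
import struct

# TLS alert descriptions (RFC 5246) paired with the NSS error codes quoted in this bug.
ALERTS = {
    20: ("bad_record_mac", "SSL_ERROR_BAD_MAC_ALERT", -12272),
    51: ("decrypt_error", "SSL_ERROR_DECRYPT_ERROR_ALERT", -12192),
}
CONTENT_ALERT = 21  # TLS record content type for alerts
LEVELS = {1: "warning", 2: "fatal"}


def iter_records(stream: bytes):
    """Yield (content_type, version, payload) for each complete TLS record."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, pos)
        pos += 5
        if pos + length > len(stream):
            raise ValueError("truncated record at offset %d" % (pos - 5))
        yield ctype, (major, minor), stream[pos:pos + length]
        pos += length
    if pos != len(stream):
        raise ValueError("trailing bytes: incomplete record header")


def classify_alerts(stream: bytes):
    """Return one dict per alert record found in the stream."""
    found = []
    for ctype, _version, payload in iter_records(stream):
        if ctype != CONTENT_ALERT:
            continue
        if len(payload) != 2:
            # An encrypted alert is longer than 2 bytes; its description is unreadable.
            found.append({"level": None, "name": "encrypted_alert", "nss": None, "code": None})
            continue
        level, desc = payload
        name, nss, code = ALERTS.get(desc, ("alert_%d" % desc, None, None))
        found.append({"level": LEVELS.get(level, "unknown"), "name": name, "nss": nss, "code": code})
    return found


# Constructed samples: a dummy handshake record followed by a fatal decrypt_error alert,
# and a lone fatal bad_record_mac alert (both framed as TLS 1.0 records).
SAMPLE_DECRYPT_ERROR = bytes.fromhex("160301000401020304" "15030100020233")
SAMPLE_BAD_MAC = bytes.fromhex("15030100020214")

if __name__ == "__main__":
    for sample in (SAMPLE_DECRYPT_ERROR, SAMPLE_BAD_MAC):
        print(classify_alerts(sample))
```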
QA Contact: psm
reassign bug owner.
mass-update-kaie-20120918
Assignee: kaie → nobody
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE