help-gnutls

From: Stephane Bortzmeyer
Subject: Cannot connect with GnuTLS (OpenSSL is OK) "Decryption has failed" "Bad record MAC"
Date: Mon, 7 Jan 2013 22:16:52 +0100
User-agent: Mutt/1.5.20 (2009-06-14)

After I renewed an X.509 certificate, I can no longer connect to
<https://svn.generic-nic.net/NIC-generique/iana/whois/> (which is an
Apache using GnuTLS) with a client using GnuTLS (clients using OpenSSL
are OK).

% openssl s_client -connect svn.generic-nic.net:443
...
SSL handshake has read 1556 bytes and written 311 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
...

But:

%  gnutls-cli -d 4 -p 443 svn.generic-nic.net
...
|<4>| REC[0x996de20]: Expected Packet[3] Change Cipher Spec(20) with length: 1
|<4>| REC[0x996de20]: Received Packet[3] Alert(21) with length: 2
|<2>| ASSERT: gnutls_cipher.c:204
|<4>| REC[0x996de20]: Decrypted Packet[3] Alert(21) with length: 2
|<4>| REC[0x996de20]: Alert[2|20] - Bad record MAC - was received
|<2>| ASSERT: gnutls_record.c:695
|<2>| ASSERT: gnutls_record.c:1048
|<2>| ASSERT: gnutls_handshake.c:2525
|<2>| ASSERT: gnutls_handshake.c:2704
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [20]: Bad record MAC
*** Handshake has failed

A client using GnuTLS (curl) fails in the same way. A client using
OpenSSL (wget) works.

On the server, I see:

[Mon Jan 07 22:04:13 2013] [error] [client 2a01:e35:8bd9:8bb0:9f7:af8e:5649:f1ea] GnuTLS: Handshake Failed (-24) 'Decryption has failed.'

Both the client and the server are Debian stable systems, GnuTLS 2.8.6
and mod-gnutls 0.5.9. But it worked before I changed the certificate.



