javax.net.ssl.SSLException: Received fatal alert: bad_record_mac

Description

Had an issue with a user unable to log in, put the server into debug mode and captured this

The client in debug just notes this:

I removed the user from a shared roster and the login now works. Wonder if Openfire is generating some bad XML or something, hmmm

Environment

Linux 64-bit, RHEL6, Sun Java 1.6.0

Activity

Daryl Herzmann
November 15, 2013, 10:34 PM

I'm gonna mark this as resolved. I was finally able to get this pushed to production yesterday and it resolved the issue.

Guus der Kinderen
September 12, 2013, 7:49 PM

I replaced the MINA SSL filter with a version that is based on the source of the latest 1.1 branch of MINA (which we already used), but patched with a fix similar to the one described above and in DIRMINA-914. Daryl tested the new Openfire build, and confirmed that the issue appears to be solved.

I invite you all to try out the fix. It can be obtained through this Bamboo build: http://bamboo.igniterealtime.org/browse/OPENFIRE-TRUNK/latest (use build number 393 or later). The nightlies that are available on igniterealtime.org will be updated tonight.

Daryl Herzmann
September 12, 2013, 7:41 PM

My first pass of testing trunk for this bug looks promising. I was able to construct a roster stanza of 16113 bytes and the client was not disconnected. With 3.8.2, this bug would occur.

Daryl Herzmann
September 12, 2013, 2:49 PM

http://community.igniterealtime.org/message/232710 offers an interesting assessment:

SSLHandler

Guus is going to check more into this soon!

Brian Menges
August 5, 2013, 4:04 PM
Edited

By the by, my environment is Debian 7.1 Wheezy using the openfire_3.8.2_all.deb installer.

The javax.net.ssl.SSLException was reported for me in versions 3.8.0, 3.8.1, and 3.8.2. When I loaded 3.7.1 and finally got logged in, no one could see a roster, despite being connected. Unsure if the error was present during that version in my environment, however I do know for a fact that it was present in all the 3.8.x versions.

I've used the following JVMs:
openjdk-6-jre:amd64 (6b27 and 6b25)
jre1.7.0_25 (Oracle Java)

Currently I am running Openfire under jre1.7.0_25.

Fixed

Assignee

Guus der Kinderen

Reporter

Daryl Herzmann
