
javax.net.ssl.SSLException: Received fatal alert: bad_record_mac

Description

Had an issue with a user unable to log in, put the server into debug mode and captured this

The client in debug just notes this:

I removed the user from a shared roster and the login now works. Wonder if Openfire is generating some bad XML or something, hmmm

Environment

Linux 64bit RHEL6 Sun java 1.6.0

Acceptance Test - Entry

None

Activity

Brian Menges
August 5, 2013, 4:04 PM
Edited

By the by, my environment is Debian 7.1 Wheezy using the openfire_3.8.2_all.deb installer.

The javax.net.ssl.SSLException was reported for me in versions 3.8.0, 3.8.1, and 3.8.2. When I loaded 3.7.1 and finally got logged in, no one could see a roster, despite being connected. Unsure if the error was present during that version in my environment, however I do know for a fact that it was present in all the 3.8.x versions.

I've used the following JVMs:
openjdk-6-jre:amd64 (6b27 and 6b25)
jre1.7.0_25 (Oracle Java)

Currently I am running Openfire under jre1.7.0_25.

Daryl Herzmann
September 12, 2013, 2:49 PM

http://community.igniterealtime.org/message/232710 offers an interesting assessment:

SSLHandler

Guus is going to check more into this soon!

Daryl Herzmann
September 12, 2013, 7:41 PM

My first pass of testing trunk for this bug looks promising. I was able to construct a roster stanza of 16113 bytes and the client was not disconnected. With 3.8.2, this bug would occur.

Guus der Kinderen
September 12, 2013, 7:49 PM

I replaced the MINA SSL filter with a version that is based on the source of the latest 1.1 branch of MINA (which we already used), but patched with a fix similar to the one described above and in DIRMINA-914. Daryl tested the new Openfire build, and confirmed that the issue appears to be solved.

I invite you all to try out the fix. It can be obtained through this Bamboo build: http://bamboo.igniterealtime.org/browse/OPENFIRE-TRUNK/latest (use build number 393 or later). The nightlies that are available on igniterealtime.org will be updated tonight.

Daryl Herzmann
November 15, 2013, 10:34 PM

I'm gonna mark this as resolved. I was finally able to get this pushed to production yesterday and it resolved the issue.

Assignee

Guus der Kinderen

Reporter

Daryl Herzmann

Expected Effort

None

Ignite Forum URL

None

Priority

Major