[gnutls-devel] session resumption broken when tickets and db is enabled
Nikos Mavrogiannopoulos
nmav at gnutls.org
Sun Aug 25 11:21:08 CEST 2013
On Sun, 18 Aug 2013 19:47:04 +0200
Stefan Bühler <stbuehler at lighttpd.net> wrote:
> Hi again :)
>
> lighttpd2/mod_gnutls supports session db and tickets by default; a
> nginx proxy had problems connecting:
>
> SSL_do_handshake() failed (SSL: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking to upstream
>
> The first two requests were fine, the 3rd and later failed.
> Debugging wasn't easy, because...
> Bug 1:
> gnutls-serv doesn't support tickets, although there is a parameter
> "--noticket". Please remove the stupid #ifdef magic ...
Done.
> echo | openssl s_client -connect 127.0.0.1:5556 -sess_out tmp.session
> echo | openssl s_client -connect 127.0.0.1:5556 -sess_in tmp.session
> echo | openssl s_client -connect 127.0.0.1:5556 -sess_in tmp.session
> [...]
> 140720615724712:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:484:
> (Also now gnutls-serv is burning my cpu)
> That shows something is broken. When --nodb or --noticket is added to
> gnutls-serv, everything is fine.
Thank you. I've solved it a bit differently than your patch but the
result should be the same.
regards,
Nikos
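The reproduction quoted above, turned into a small regression check that fails at the first connection which is not a clean resumption. This is an added example, not code from the thread, lighttpd or GnuTLS; it assumes openssl s_client is on PATH and that a server with tickets and a session db enabled (e.g. gnutls-serv on 127.0.0.1:5556) is already running.

```shell
#!/bin/sh
# Added regression check for the failure described in the thread; not code
# from the thread, lighttpd or GnuTLS. Assumptions: openssl s_client on PATH,
# and a TLS server listening on the HOST:PORT given to run_check.

# classify_resumption OUTPUT
# Inspect captured s_client output. Returns 0 for a resumed session, 1 for the
# "decryption failed or bad record mac" failure from the report, 2 otherwise.
classify_resumption() {
    case "$1" in
        *"decryption failed or bad record mac"*) return 1 ;;
        *"Reused, "*) return 0 ;;
    esac
    return 2
}

# run_check HOST:PORT [ATTEMPTS]
# The first connection stores the session (-sess_out); every later one resumes
# it (-sess_in), mirroring the report, where the third connection broke.
# Stops at the first connection that is not a clean resumption.
run_check() {
    target=$1
    attempts=${2:-3}
    sess=$(mktemp) || return 2
    if ! echo | openssl s_client -connect "$target" -sess_out "$sess" >/dev/null 2>&1; then
        echo "connection 1: initial handshake failed"
        rm -f "$sess"
        return 2
    fi
    i=2
    while [ "$i" -le "$attempts" ]; do
        out=$(echo | openssl s_client -connect "$target" -sess_in "$sess" 2>&1)
        rc=0
        classify_resumption "$out" || rc=$?
        case $rc in
            0) echo "connection $i: session resumed" ;;
            1) echo "connection $i: bad record mac (resumption broken)"; rm -f "$sess"; return 1 ;;
            *) echo "connection $i: no resumption"; rm -f "$sess"; return 2 ;;
        esac
        i=$((i + 1))
    done
    rm -f "$sess"
    return 0
}
```

Run `run_check 127.0.0.1:5556 3` after starting the server; a fixed build reports "session resumed" for connections 2 and 3, the broken one returns 1 on the third.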