Error: “Peer sent alert: Alert Fatal: bad record mac” in SSL handshake using TIBCO Business Works (BW) activities such as HTTP Request Response.

Article ID: KB0091076

Products Versions
TIBCO ActiveMatrix BusinessWorks -
Not Applicable -

Description

Resolution:
Environment:
==========
ALL

Symptoms:
========
The SSL handshake log shows the following error (SSL handshake logging can be enabled by adding “Trace.Task.*=true” to the deployed application.tra):

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ssl_debug(10): Received server_hello_done handshake message.
ssl_debug(10): Sending client_key_exchange handshake message (1024 bit)...
ssl_debug(10): Sending change_cipher_spec message...
ssl_debug(10): Sending finished message...
ssl_debug(10): Received alert message: Alert Fatal: bad record mac
ssl_debug(10): SSLException while handshaking: Peer sent alert: Alert Fatal: bad record mac
ssl_debug(10): Shutting down SSL layer...
iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: bad record mac
    at iaik.security.ssl.e.a(Unknown Source)
    at iaik.security.ssl.f.f(Unknown Source)
    at iaik.security.ssl.f.d(Unknown Source)
    at iaik.security.ssl.e.c(Unknown Source)
    at iaik.security.ssl.SSLTransport.startHandshake(Unknown Source)
    at iaik.security.ssl.SSLTransport.a(Unknown Source)
    at iaik.security.ssl.SSLTransport.renegotiate(Unknown Source)
    at iaik.security.ssl.SSLSocket.renegotiate(Unknown Source)
    at com.tibco.security.ssl.A.o0OO.doHandshake(SSLClientImpl.java:322)
    at com.tibco.plugin.share.security.TIBCryptClientSocketFactory.createSocket(TIBCryptClientSocketFactory.java:98)
    at com.tibco.plugin.share.security.TIBCryptClientSocketFactory.createSocket(TIBCryptClientSocketFactory.java:163)
    at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:706)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:386)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
    at com.tibco.plugin.share.http.client.JakartaHttpTransportDriver$RequestExecutor.run(JakartaHttpTransportDriver.java:232)
    at com.tibco.pe.util.ThreadPool$ThreadPoolThread.run(ThreadPool.java:99)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Cause:
====
The Bad Record MAC error is thrown when SSL receives a record with an incorrect Message Authentication Code (MAC). This alert might occur due to a problem in the client or server implementation (Entrust or J2SE) or possible network packet corruption. Generally this error is seen when the client and server use different SSL versions (for example, the server is using SSLV1 but the client is using TLSV1).
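
As an added example (not TIBCO's code): a small Python triage script that reads ssl_debug output like the excerpt under Symptoms and reports which handshake step preceded each fatal alert. Treating the number in ssl_debug(N) as a per-connection key is an assumption, and the names triage and SAMPLE_LOG are hypothetical.

```python
import re

# Constructed sample: the ssl_debug lines quoted under Symptoms.
SAMPLE_LOG = """\
ssl_debug(10): Received server_hello_done handshake message.
ssl_debug(10): Sending client_key_exchange handshake message (1024 bit)...
ssl_debug(10): Sending change_cipher_spec message...
ssl_debug(10): Sending finished message...
ssl_debug(10): Received alert message: Alert Fatal: bad record mac
ssl_debug(10): SSLException while handshaking: Peer sent alert: Alert Fatal: bad record mac
ssl_debug(10): Shutting down SSL layer...
"""

LINE = re.compile(r"^ssl_debug\((\d+)\):\s*(.*)$")
ALERT = re.compile(r"^Received alert message: Alert (\w+): (.+)$")
STEP = re.compile(r"^(Sending|Received) (\w+)(?: handshake)? message")


def triage(log_text):
    """Return one finding per fatal alert, with the handshake step before it."""
    last_step = {}  # debug id (assumed per connection) -> last message seen
    findings = []
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue  # stack frames, '>>>>' delimiters, other loggers
        debug_id, text = line.groups()
        alert = ALERT.match(text)
        if alert and alert.group(1).lower() == "fatal":
            step = last_step.get(debug_id)
            findings.append({
                "id": debug_id,
                "alert": alert.group(2).strip(),
                "previous_step": step,
                # True when the alert answers the client's Finished, the first
                # record sent under the newly negotiated keys.
                "after_client_finished": step == ("Sending", "finished"),
            })
            continue
        step = STEP.match(text)
        if step:
            last_step[debug_id] = (step.group(1), step.group(2))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"ssl_debug({f['id']}): fatal '{f['alert']}' after {f['previous_step']}")
```

When after_client_finished is true, the peer rejected the first record sent under the newly negotiated keys, so the version and vendor checks in the Resolution section are the place to start.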

Resolution:
=======
If the error is reported while the security vendor is set to “Entrust”:

1). Upgrade to TRA version 5.7.4 or later. This is due to the following bug in the Entrust toolkit:


>>>>>>>>>>>>>>>>>>>>>>>>>>
SSL bad record mac alert during failed session resumption
When using strong ciphers such as RSA, the SSL/TLS client session resumption can fail with a bad record mac error if the server rejects the reconnect attempt. This will only occur if the negotiated protocol version from the initial connection is lower than the maximum protocol version. This release corrects this issue. (167625)

>>>>>>>>>>>>>>>>>>>>>>>>>>>


The bug fix for Entrust is in 7.2 SP1 patch 168444 which is shipped with TRA 5.7.4.

-OR-

2). Set the security vendor to “j2se”.

If you see the error even after changing the security vendor to “j2se”, check whether there is a difference in SSL versions between client and server. If there is a difference in security vendor, make the change in the server. For example, if you are using the WebLogic server, the following changes would be required:


>>>>>>>>>>>>>>>>>>>>
-Dweblogic.security.SSL.protocolVersion=TLS1 - Only TLS V1.0 messages are sent and accepted.
-Dweblogic.security.SSL.protocolVersion=ALL - This is the default behavior.
>>>>>>>>>>>>>>>>>>>>>
