Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crypto/tls: "bad record MAC" error on TLS Handshake - Go1.2 bug, regression from Go1.1 #7085

Closed
gopherbot opened this issue Jan 9, 2014 · 6 comments
Closed

crypto/tls: "bad record MAC" error on TLS Handshake - Go1.2 bug, regression from Go1.1 #7085

gopherbot opened this issue Jan 9, 2014 · 6 comments
Labels
FrozenDueToAge

Comments

@gopherbot
Copy link

by manoj.dayaram@moovweb.com:

I'm getting a "bad record MAC" error on TLS Handshake on a connection to
certain sites.  This used to be fine in Go1.1, but Go1.2 introduced this error.

What steps will reproduce the problem?
If possible, include a link to a program on play.golang.org.
1. Copy/Paste this go program locally: http://play.golang.org/p/4P2kxtIcBf (playground
doesn't have necessary libs)
2.  Compile using Go1.2
3.  Run, you will get the "bad record Mac" error.
4.  Compile same program using Go1.1
5. Run, you will see "Success!" printed out.

What is the expected output?
"Success!"

What do you see instead?
"local error: bad record MAC"

Which compiler are you using (5g, 6g, 8g, gccgo)?
go build

Which operating system are you using?
Tested on Darwin and Linux.

Which version are you using?  (run 'go version')
Go1.2

Please provide any additional information below.
The play.golang.org example linked is using "clubs2qa.scholastic.com" as the
example site that exploits this issue.  I'd like to note that browsing to the site on
Google Chrome shows that the certificate is valid and verified.
@gopherbot
Copy link
Author

Comment 1 by manoj.dayaram@moovweb.com:

Update, tried these steps with the latest Go code compiled off of +8a7395c26adc and the
issue still persists.

@gopherbot
Copy link
Author

Comment 2 by manoj.dayaram@moovweb.com:

Through process of elimination, I've found that the issue was introduced from this
commit: https://code.google.com/p/go/source/detail?r=4e008dc85dc8

@bradfitz
Copy link
Contributor

bradfitz commented Jan 9, 2014

Comment 3:

Owner changed to @agl.

Status changed to Accepted.

@gopherbot
Copy link
Author

Comment 4 by manoj.dayaram@moovweb.com:

This is a blocking issue for us, and if possible, we would really appreciate a patch
that we could apply to our local go1.2 version that would fix the issue.  
I know that releasing something like Go1.2.1 is out of the question and this fix will
most likely go into 1.3, but we'd really appreciate something that we could apply
immediately if possible.

@agl
Copy link
Contributor

agl commented Jan 10, 2014

Comment 5:

It's a server bug. Specifically it's matching the version number in the RSA PMS with its
version, not the client's version. OpenSSL and NSS also fail to connect.
It's easy to work around however: you can set MaxVersion in tls.Config to
tls.VersionTLS10. If you have any contacts with the server operators however you should
really encourage them to update:
https://www.ssllabs.com/ssltest/analyze.html?d=clubs2qa.scholastic.com

Status changed to WorkingAsIntended.

@gopherbot
Copy link
Author

Comment 6 by manoj.dayaram@moovweb.com:

I see, thanks for the help Adam.  That workaround is actually quite useful.  We'll see
what are options are from there.
Thanks again.

@golang golang locked and limited conversation to collaborators Jun 25, 2016
This issue was closed.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@bradfitz @agl @gopherbot