Problem with ksslcfg port
Bond, Timothy
Tim.Bond at softwareag.com
Wed Jun 4 13:22:42 PDT 2008
Hi,
I'm trying to test out the kssl facility on a new T5220 box. It's
running a recent Solaris 10 version (u5 I think).
I've used openssl engine and the cryptoadm command to make sure the
crypto accelerator is working.
I set up a port using the ksslcfg command. Port 8080 is an HTTP server.
# ksslcfg create -f pem -i /export/home/s71/s71.pem -v -x 8080 s71-2 8443
The service seems to be happy:
online 9:15:25 svc:/network/ssl/proxy:kssl-s71-2-8443
When I access the port using OpenSSL or Firefox, I am getting a "Bad
record MAC" message.
$ openssl s_client -connect s71-s:8443
. . .
No client certificate CA names sent
---
SSL handshake has read 1100 bytes and written 304 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-SHA
Session-ID: 73E6217ED934FAE992A6CAA8E491C2EFA6F2FE8F0F7CE30A0C0E3CB594741551
Session-ID-ctx:
Master-Key: B102115579B9FBBA54885BD2694E482E1541E6E5DFF0069EE0BB8B5A54727D72772BFF6E8BEC4BA9B86184AB6DA25898
Key-Arg : None
Start Time: 1212597297
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
get /
724:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:422:
I've tried disabling hash algorithms as that seems to be a problem in
some cases, but no luck so far. I'm confident the key/cert is correct
as I'm using it with another server on the same machine.
Ideas on what this might be?
-- Tim