SSL error (ssl_error_bad_mac_read) between LTM and Firefox
We have noticed that recent versions of Firefox 36+ are frequently giving SSL errors [ssl_error_bad_mac_read] when talking to our LTM. The LTM is used as a reverse proxy for a website and does SSL bridging.
The error happens sporadically on some web pages but some other web pages are giving it pretty constantly.
The error happens with all tested flavors of SSL/TLS: SSLv3, TLS 1.0, TLS 1.2.
The error does not happen with IE, Chrome and previous versions of Firefox (before 36).
The error does not happen if we bypass LTM and connect directly to the website with any version of TLS.
Has anybody already seen this issue? What could be a problem?
Any help will be appreciated.
UPDATE 1: If I disable in Firefox all ciphers except 3DES+SHA, everything works well.
UPDATE 2: I have three different VIPs on our LTM that use different SSL certificates. I tested all of them with Firefox. In all cases TLS 1.2 with the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) was negotiated. In two cases the SSL connections fail with a "bad mac" error. In the third case, I have been unable to reproduce the issue.
UPDATE 3: According to Wireshark captures, the SSL connection sometimes fails right after the handshake. But sometimes it fails later, after having transferred some amount of HTTP data. Looks like a bug in crypto libraries.
UPDATE 4: Tested LTM with an OpenSSL client using TLS 1.2 and the AES128-SHA cipher. Got similar behavior with an intermittent decryption error.
error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record
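Background on what a "bad mac" error reports, as an added example that is not part of the original post: with TLS_RSA_WITH_AES_128_CBC_SHA under TLS 1.2, every record carries an HMAC-SHA1 tag computed over the sequence number, record header and payload, and the receiver rejects the record when its own computation disagrees. The sketch omits CBC encryption and padding; the key and payload are constructed sample values.

```python
import hashlib
import hmac
import struct

MAC_LEN = 20            # HMAC-SHA1 tag length for ..._CBC_SHA suites
APPLICATION_DATA = 23   # TLS ContentType
TLS_1_2 = 0x0303        # ProtocolVersion on the wire

def record_mac(mac_key, seq_num, content_type, version, fragment):
    """HMAC over seq_num || type || version || length || fragment (RFC 5246, 6.2.3.1)."""
    header = struct.pack("!QBHH", seq_num, content_type, version, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha1).digest()

def seal(mac_key, seq_num, fragment):
    """Sender side: the plaintext handed to CBC encryption is fragment || MAC."""
    return fragment + record_mac(mac_key, seq_num, APPLICATION_DATA, TLS_1_2, fragment)

def verify(mac_key, seq_num, plaintext):
    """Receiver side: a False result is what surfaces as bad_record_mac."""
    if len(plaintext) < MAC_LEN:
        return False
    fragment, tag = plaintext[:-MAC_LEN], plaintext[-MAC_LEN:]
    expected = record_mac(mac_key, seq_num, APPLICATION_DATA, TLS_1_2, fragment)
    return hmac.compare_digest(tag, expected)

def demo():
    key = bytes(range(20))                       # constructed MAC key
    body = b"HTTP/1.1 200 OK\r\n\r\nhello"       # constructed record payload
    sealed = seal(key, 5, body)
    flipped = bytes([sealed[0] ^ 0x01]) + sealed[1:]
    return {
        "intact": verify(key, 5, sealed),
        "one_bit_flipped": verify(key, 5, flipped),
        "receiver_seq_off_by_one": verify(key, 6, sealed),
        "wrong_mac_key": verify(bytes(20), 5, sealed),
        "truncated": verify(key, 5, sealed[:10]),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:26s} {'MAC ok' if ok else 'bad_record_mac'}")
```

Any disagreement between the two sides about the payload bytes, the record sequence number or the MAC key produces the same failure, which is why the error alone does not identify which side is at fault.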
10 Replies
Hi Amr_Ali, what type of policy is applied to the VS? If WAF policy, are you able to find in the devtools the AJAX call and see if there is a WAF support ID?
- Leslie_Hubertus (Ret. Employee)
JRahm may be able to help with a syntax question when he gets back from his PTO, if nobody else has answered first.
Thanks, Leslie_Hubertus, appreciate your reply.