Error in LDAP OpenSSL client: -5875 SSL3 Alert Bad Record Mac

  • 3108486
  • 10-Jan-2007
  • 26-Apr-2012

Environment

Novell NetWare 6.5 Support Pack 1
Novell eDirectory 8.7.3 for NetWare 6.5
NTLS 1.80 - OpenSSL

Situation

Error in LDAP OpenSSL client: -5875 SSL3 Alert Bad Record Mac
NLDAP stops responding to LDAPS client requests; NLDAP must be unloaded and reloaded to recover.
Error seen on the DSTrace screen with the +ldap flag:

TLS accept failure 1 on connection 0x525b60e0, setting err = -5875. Error stack:
error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac

Error from OpenSSL client:

ldap_bind: Can't contact LDAP server (-1)
additional info: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac

Resolution

Issue 1: This has been resolved in NTLS version 10810.05, which can be found in the field test file secupd6.tgz. This file is currently in beta as field test file ss1012.tgz.

Issue 2: This is addressed in secupd7.tgz and higher as well as in the new NTLS contained within eDir8736.exe.

Additional Information

This is actually two issues, which are typically only seen on multiprocessor (MP) enabled servers:

1. NTLS is unable to detect the NICI error and re-create the context on the fly. The private key's context is destroyed by a NICI error, and because -5875 is a fairly generic error code, confirm this is the issue as follows:
a. Perform a dstrace with the ldap flag turned on to ensure this error is seen only on SSL connections.
b. While this is occurring, make sure that all SSL LDAP connections are failing but cleartext connections succeed.
c. Verify that unloading and reloading NLDAP resolves the situation.

2. NTLS is causing the NICI error: NTLS lacked the proper protection to keep two threads from using the same context at the same time.
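Step 1a above reads dstrace output by hand. The script below, added here as an example and not part of this TID or of Novell's tooling, parses saved dstrace +ldap output for -5875 TLS accept failures and pairs each with the OpenSSL error-stack line that follows it, so the bad-record-mac pattern can be separated from other causes of the same generic code. The sample log is constructed from the line quoted above; the additional connection ids and the three-failure threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample of dstrace +ldap output, modelled on the line quoted in
# this TID; the connection ids other than 0x525b60e0 are made up.
SAMPLE_DSTRACE = """\
TLS accept failure 1 on connection 0x525b60e0, setting err = -5875. Error stack:
error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
TLS accept failure 1 on connection 0x525b6200, setting err = -5875. Error stack:
error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
TLS accept failure 1 on connection 0x525b6340, setting err = -5875. Error stack:
error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
"""

FAILURE_RE = re.compile(
    r"TLS accept failure \d+ on connection (0x[0-9a-fA-F]+), setting err = (-?\d+)"
)
BAD_MAC_RE = re.compile(r"SSL3_GET_RECORD:decryption failed or bad record mac")


def triage_dstrace(text):
    """Summarise -5875 TLS accept failures found in dstrace +ldap output.
    Each 'TLS accept failure' line is paired with the OpenSSL error-stack line
    that follows it, so -5875 with a bad-record-mac stack is counted apart
    from other -5875 causes (the TID notes the code is fairly generic).
    """
    lines = text.splitlines()
    per_conn = Counter()
    bad_mac = other = 0
    for i, line in enumerate(lines):
        m = FAILURE_RE.search(line)
        if not m or m.group(2) != "-5875":
            continue
        per_conn[m.group(1)] += 1
        following = lines[i + 1] if i + 1 < len(lines) else ""
        if BAD_MAC_RE.search(following):
            bad_mac += 1
        else:
            other += 1
    total = sum(per_conn.values())
    return {
        "failures": total,
        "bad_record_mac": bad_mac,
        "other_5875": other,
        "connections": sorted(per_conn),
        # Every TLS accept on a fresh connection failing the same way is the
        # pattern described here; a single failure may just be a bad client.
        "suspect_context_loss": total >= 3 and bad_mac == total,
    }
```

Run it against a saved dstrace capture (`triage_dstrace(open("dstrace.log").read())`); a result with `suspect_context_loss` set is the cue to continue with steps 1b and 1c.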

Formerly known as TID# 10093750
Formerly known as TID# NOVL97955