Page 1 of 2

SSL_ERROR_BAD_MAC_ALERT message accessing AWS console since 8.2 (2004) upgrade

Posted: 2020/06/24 12:38:01
by rob65732
Hi,

I upgraded from 8.1 to 8.2 this morning, and since then I haven't been able to access the Amazon Web Services console through firefox, firefox quantum or chrome (so it doesn't seem to be a cache issue?). All other websites I've accessed seem absolutely fine (is it an OAuth issue?). My laptop which runs fedora can access them fine, so I'm confident it's not a network issue. I've tried disabling the firewall to check it is not a firewall configuration issue and that makes no difference.

The error occurs on trying to access the AWS console login page... here:

https://console.aws.amazon.com/console/home

The error is the same on chrome and firefox - it says:
Secure Connection Failed

An error occurred during a connection to console.aws.amazon.com. SSL peer reports incorrect Message Authentication Code.

Error code: SSL_ERROR_BAD_MAC_ALERT

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the web site owners to inform them of this problem.
I know this was all working before the update.

Any help or suggestions would be greatly appreciated.

Rob

Re: SSL_ERROR_BAD_MAC_ALERT message accessing AWS console since 8.2 (2004) upgrade

Posted: 2020/06/24 13:05:55
by TrevorH
Your link asks me to sign in. Does the problem manifest itself on the sign-in page or do I have to login before I can see it?

At a guess, I would suspect that 8.2 has deprecated yet another set of security protocols/ciphers and the AWS cert is attempting to use one of the hashes that have now been disabled. That's probably something you will need AWS to fix.

This page looks like it might be relevant: https://access.redhat.com/documentation ... y_security

Re: SSL_ERROR_BAD_MAC_ALERT message accessing AWS console since 8.2 (2004) upgrade

Posted: 2020/06/24 13:27:51
by rob65732
Thanks for the swift response.

The link doesn't open at all for me - it just gives the message above.

I'll do a bit more research into which protocols the browsers are trying to use, and which AWS is expecting.

Re: SSL_ERROR_BAD_MAC_ALERT message accessing AWS console since 8.2 (2004) upgrade

Posted: 2020/06/24 14:26:06
by rob65732
So the website supports the following:

[SERVER]$ nmap --script ssl-enum-ciphers -p 443 console.aws.amazon.com | grep -E "TLSv|SSLv"
| TLSv1.0:
| TLSv1.1:
| TLSv1.2:

The browser is using TLS v1.2, and when I compare the TLS packets (using wireshark) with the messages sent from my other machine, it's very similar
Centos 8.2 - not working
Centos 8.2 - not working
screenshot_centos8.2.png (82.84 KiB) Viewed 1187 times
Fedora 32 - working
Fedora 32 - working
screenshot.fedora32.working.png (72.44 KiB) Viewed 1187 times
The main difference being that these "Encrypted Alert"s happen after the Application data is sent.
The fact that both think they're using TLS 1.2, suggests that there shouldn't be a deprecation issue? It's TLS 1 and 1.1 that were deprecated in RHEL 8.

Re: SSL_ERROR_BAD_MAC_ALERT message accessing AWS console since 8.2 (2004) upgrade

Posted: 2020/06/24 15:12:00
by TrevorH
Try using the update-crypto-policies command to change the SSL options acceptable to CentOS 8. If you haven't changed them already then it's probably set to DEFAULT, if you did change it and you set it to FUTURE then a lot of stuff doesn't work with that. There's also LEGACY which is worth a pop too.

Re: SSL_ERROR_BAD_MAC_ALERT message accessing AWS console since 8.2 (2004) upgrade

Posted: 2020/06/24 18:04:56
by rob65732
Just tried that - no change, unfortunately.

Code: Select all

update-crypto-policies --set LEGACY
Booting back into CentOS 8.1 kernel it all works fine, so it's definitely a difference that resulted from the update.

Re: SSL_ERROR_BAD_MAC_ALERT message accessing AWS console since 8.2 (2004) upgrade

Posted: 2020/06/24 18:42:28
by TrevorH
You only changed the kernel and it worked?

Re: SSL_ERROR_BAD_MAC_ALERT message accessing AWS console since 8.2 (2004) upgrade

Posted: 2020/06/25 11:30:58
by rob65732
That's correct. I've gone through the steps again this morning with the same result.

4.18.0-193.6.3.el8_2.x86_64 does not work

4.18.0-147.8.1.el8_1.x86_64 does.

All I do is reboot the computer into that kernel and access the page when chrome loads.

Re: SSL_ERROR_BAD_MAC_ALERT message accessing AWS console since 8.2 (2004) upgrade

Posted: 2020/06/25 13:51:28
by TrevorH
Could you boot each kernel and take a copy of /proc/crypto to somewhere that will persist over a reboot and then diff -u them so we can see the difference in supported crypto algos?

Re: SSL_ERROR_BAD_MAC_ALERT message accessing AWS console since 8.2 (2004) upgrade

Posted: 2020/06/26 09:06:07
by rob65732
Done - the files (attached) are identical. (the -s flag on the diff command confirms it.)

Code: Select all

 diff -s /home/rob/crypto_8_1_working.txt /home/rob/crypto_8_2_notworking.txt 
Files /home/rob/crypto_8_1_working.txt and /home/rob/crypto_8_2_notworking.txt are identical
I've noticed this morning that other websites have a similar problem, but seem to recover... e.g. musicmagpie.co.uk - each time I load a page in Chrome, it errors, then recovers automatically (chrome seems to reload the page without asking to try and fix the issue) - Going back to try again it seems to load more quickly because I've already been there today, so the error is not visibly noticable. I'll try and reproduce the conditions.