SSL_ERROR_BAD_MAC_ALERT message accessing AWS console since 8.2 (2004) upgrade

rob65732
Posts: 7
Joined: 2020/06/24 12:25:43

SSL_ERROR_BAD_MAC_ALERT message accessing AWS console since 8.2 (2004) upgrade

Post by rob65732 » 2020/06/24 12:38:01

Hi,

I upgraded from 8.1 to 8.2 this morning, and since then I haven't been able to access the Amazon Web Services console through Firefox, Firefox Quantum or Chrome (so it doesn't seem to be a cache issue?). All other websites I've accessed seem absolutely fine (is it an OAuth issue?). My laptop, which runs Fedora, can access them fine, so I'm confident it's not a network issue. I've tried disabling the firewall to check it is not a firewall configuration issue and that makes no difference.

The error occurs on trying to access the AWS console login page... here:

https://console.aws.amazon.com/console/home

The error is the same on Chrome and Firefox - it says:

Secure Connection Failed

An error occurred during a connection to console.aws.amazon.com. SSL peer reports incorrect Message Authentication Code.

Error code: SSL_ERROR_BAD_MAC_ALERT

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the web site owners to inform them of this problem.

I know this was all working before the update.

Any help or suggestions would be greatly appreciated.

Rob

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SSL_ERROR_BAD_MAC_ALERT message accessing AWS console since 8.2 (2004) upgrade

Post by TrevorH » 2020/06/24 13:05:55

Your link asks me to sign in. Does the problem manifest itself on the sign-in page or do I have to log in before I can see it?

At a guess, I would suspect that 8.2 has deprecated yet another set of security protocols/ciphers and the AWS cert is attempting to use one of the hashes that have now been disabled. That's probably something you will need AWS to fix.

This page looks like it might be relevant: https://access.redhat.com/documentation ... y_security
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

rob65732
Posts: 7
Joined: 2020/06/24 12:25:43

Re: SSL_ERROR_BAD_MAC_ALERT message accessing AWS console since 8.2 (2004) upgrade

Post by rob65732 » 2020/06/24 13:27:51

Thanks for the swift response.

The link doesn't open at all for me - it just gives the message above.

I'll do a bit more research into which protocols the browsers are trying to use, and which AWS is expecting.

rob65732
Posts: 7
Joined: 2020/06/24 12:25:43

Re: SSL_ERROR_BAD_MAC_ALERT message accessing AWS console since 8.2 (2004) upgrade

Post by rob65732 » 2020/06/24 14:26:06

So the website supports the following:

[SERVER]$ nmap --script ssl-enum-ciphers -p 443 console.aws.amazon.com | grep -E "TLSv|SSLv"
| TLSv1.0:
| TLSv1.1:
| TLSv1.2:

The browser is using TLS v1.2, and when I compare the TLS packets (using Wireshark) with the messages sent from my other machine, it's very similar.

[Screenshot: Centos 8.2 - not working (screenshot_centos8.2.png)]
[Screenshot: Fedora 32 - working (screenshot.fedora32.working.png)]

The main difference being that these "Encrypted Alert"s happen after the Application data is sent.
The fact that both think they're using TLS 1.2 suggests that there shouldn't be a deprecation issue? It's TLS 1 and 1.1 that were deprecated in RHEL 8.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SSL_ERROR_BAD_MAC_ALERT message accessing AWS console since 8.2 (2004) upgrade

Post by TrevorH » 2020/06/24 15:12:00

Try using the update-crypto-policies command to change the SSL options acceptable to CentOS 8. If you haven't changed them already then it's probably set to DEFAULT; if you did change it and you set it to FUTURE then a lot of stuff doesn't work with that. There's also LEGACY, which is worth a pop too.

rob65732
Posts: 7
Joined: 2020/06/24 12:25:43

Re: SSL_ERROR_BAD_MAC_ALERT message accessing AWS console since 8.2 (2004) upgrade

Post by rob65732 » 2020/06/24 18:04:56

Just tried that - no change, unfortunately.

update-crypto-policies --set LEGACY

Booting back into CentOS 8.1 kernel it all works fine, so it's definitely a difference that resulted from the update.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SSL_ERROR_BAD_MAC_ALERT message accessing AWS console since 8.2 (2004) upgrade

Post by TrevorH » 2020/06/24 18:42:28

You only changed the kernel and it worked?

rob65732
Posts: 7
Joined: 2020/06/24 12:25:43

Re: SSL_ERROR_BAD_MAC_ALERT message accessing AWS console since 8.2 (2004) upgrade

Post by rob65732 » 2020/06/25 11:30:58

That's correct. I've gone through the steps again this morning with the same result.

4.18.0-193.6.3.el8_2.x86_64 does not work

4.18.0-147.8.1.el8_1.x86_64 does.

All I do is reboot the computer into that kernel and access the page when chrome loads.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SSL_ERROR_BAD_MAC_ALERT message accessing AWS console since 8.2 (2004) upgrade

Post by TrevorH » 2020/06/25 13:51:28

Could you boot each kernel and take a copy of /proc/crypto to somewhere that will persist over a reboot and then diff -u them so we can see the difference in supported crypto algos?

rob65732
Posts: 7
Joined: 2020/06/24 12:25:43

Re: SSL_ERROR_BAD_MAC_ALERT message accessing AWS console since 8.2 (2004) upgrade

Post by rob65732 » 2020/06/26 09:06:07

Done - the files (attached) are identical. (the -s flag on the diff command confirms it.)

diff -s /home/rob/crypto_8_1_working.txt /home/rob/crypto_8_2_notworking.txt
Files /home/rob/crypto_8_1_working.txt and /home/rob/crypto_8_2_notworking.txt are identical

I've noticed this morning that other websites have a similar problem, but seem to recover... e.g. musicmagpie.co.uk - each time I load a page in Chrome, it errors, then recovers automatically (Chrome seems to reload the page without asking to try and fix the issue) - Going back to try again it seems to load more quickly because I've already been there today, so the error is not visibly noticeable. I'll try and reproduce the conditions.
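
A structured version of the /proc/crypto comparison discussed in this thread, added here as an example and not code from any poster: it compares two saved copies by algorithm name and driver, ignoring record order and the usage-dependent refcnt field, so only differences in what the kernel registers are reported. The function names and the sample records are constructed for illustration.

```python
import sys

VOLATILE = {"refcnt"}  # changes with use, not with what the kernel supports


def parse_proc_crypto(text):
    """Return {(name, driver): fields} for every record in a /proc/crypto copy."""
    algs, fields = {}, {}
    for line in text.splitlines() + [""]:      # trailing "" flushes last record
        if line.strip():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        elif fields:
            ident = (fields.get("name", ""), fields.get("driver", ""))
            algs[ident] = {k: v for k, v in fields.items() if k not in VOLATILE}
            fields = {}
    return algs


def compare(old_text, new_text):
    """Return (removed, added, changed) between two snapshots, ignoring order."""
    old, new = parse_proc_crypto(old_text), parse_proc_crypto(new_text)
    changed = {}
    for ident in old.keys() & new.keys():
        delta = {f: (old[ident].get(f), new[ident].get(f))
                 for f in old[ident].keys() | new[ident].keys()
                 if old[ident].get(f) != new[ident].get(f)}
        if delta:
            changed[ident] = delta
    return sorted(old.keys() - new.keys()), sorted(new.keys() - old.keys()), changed


def make_record(name, driver, priority, refcnt):
    """Constructed sample record in /proc/crypto layout (not real output)."""
    return (f"name         : {name}\ndriver       : {driver}\n"
            f"priority     : {priority}\nrefcnt       : {refcnt}\n"
            f"selftest     : passed\n")


# Constructed snapshots: same algorithms, different order and refcnt.
SAMPLE_OLD = "\n".join([make_record("sha256", "sha256-generic", 100, 3),
                        make_record("gcm(aes)", "generic-gcm-aesni", 400, 1)])
SAMPLE_NEW = "\n".join([make_record("gcm(aes)", "generic-gcm-aesni", 400, 2),
                        make_record("sha256", "sha256-generic", 100, 5)])

if __name__ == "__main__":
    if len(sys.argv) == 3:   # two saved copies, e.g. one per booted kernel
        texts = [open(p).read() for p in sys.argv[1:3]]
    else:
        texts = [SAMPLE_OLD, SAMPLE_NEW]
    removed, added, changed = compare(*texts)
    print("removed:", removed, "added:", added, "changed:", changed)
```

Run with two file paths to compare saved copies; with no arguments it runs on the constructed samples, which differ as text but compare as equal.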
