Current-Users archive


Re: ssl_error_rx_malformed_finished



On Mon, Dec 08, 2014 at 06:43:45PM +0000, Michael van Elst wrote:
> bouyer%antioche.eu.org@localhost (Manuel Bouyer) writes:
> 
> >On Mon, Dec 08, 2014 at 02:03:36PM +0000, Michael van Elst wrote:
> >> bouyer%antioche.eu.org@localhost (Manuel Bouyer) writes:
> >> 
> >> >Hello,
> >> >I recently re-enabled TLSv1 on my web servers (because of the newer
> >> >firefox which blocks SSL protocols by default now), and on
> >> >*some* web servers, I occasionally get from firefox:
> >> >An error occurred during a connection to www.xxx.yy.
> >> >SSL received a malformed Finished handshake message.
> >> >(Error code: ssl_error_rx_malformed_finished)
> >> 
> >> Try to change the Firefox config option security.tls.version.max
> >> from 3 (==TLS1.3) to 2 (==TLS1.2).
> 
> >I'd like to have it work without changing the client's config.
> >It looks like a bug on the server side. What I don't understand is
> >why it works with some servers and not others.
> 
> Well, this is supposed to work around the bug, and I don't think
> it is clear that this is a server bug. Other clients at least
> do not complain, so if a server has an error in its protocol
> implementation, it is possible to gracefully handle (or just
> ignore) it.

Yes, it is. There are patches around to retry the connection in such a case.
But still, it's just a workaround. And still, some of my web servers
have the problem and some don't.

-- 
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
     NetBSD: 26 years of experience will always make the difference