SSL3 alert read: fatal: bad record mac


astean
Guest

SSL3 alert read: fatal: bad record mac

Hello,

I'm using version 5.7.7 (Build 6257) of WinSCP to connect to an FTP site using the FTPS protocol. It is running on the Windows 2008 SP2 OS.
I am using the script interface specifying the ftp site, certificate and also the -explicitssl setting.

I am getting this error below

> 2016-08-23 11:30:59.578 AUTH SSL
< 2016-08-23 11:30:59.582 234 Proceed with negotiation.
. 2016-08-23 11:30:59.838 SSL3 alert read: fatal: bad record mac
. 2016-08-23 11:30:59.838 TLS connect: failed in SSLv3 read finished A
. 2016-08-23 11:30:59.838 Can't establish TLS connection
. 2016-08-23 11:30:59.838 Disconnected from server
. 2016-08-23 11:30:59.838 Connection failed.

I've tried this exact script and WinSCP version on a server running Windows Server 2008R2 which works! I've also tried to download the latest version of WinSCP to see if that fixes it but I'm getting the same error message.

Please help as I'm stuck now.

Thanks

Adam


astean
Guest

Re: SSL3 alert read: fatal: bad record mac

martin wrote:

Please post full session log files from both systems.

Use Debug 2 log level.

Hi Martin,

Thanks for replying back. Please see outputs below

Non-working output

. 2016-08-31 10:22:55.515 --------------------------------------------------------------------------
. 2016-08-31 10:22:55.515 WinSCP Version 5.7.7 (Build 6257) (OS 6.0.6002 Service Pack 2 - Windows Server (R) 2008 Enterprise)
. 2016-08-31 10:22:55.516 Configuration: C:\Program Files (x86)\WinSCP577\WinSCP.ini
. 2016-08-31 10:22:55.517 Log level: Debug 2
. 2016-08-31 10:22:55.517 Local account:
. 2016-08-31 10:22:55.517 Working directory: C:\Program Files (x86)\WinSCP577
. 2016-08-31 10:22:55.517 Process ID: 2168
. 2016-08-31 10:22:55.517 Command-line: "C:\Program Files (x86)\WinSCP577\WinSCP.exe" /console=577 /consoleinstance=_37704_958 "/console" "/script=d:\jobs\ftp_commandsb.txt" "/log=d:\jobs\error_check_rel.txt" "/loglevel=2"
. 2016-08-31 10:22:55.517 Switch: /console=577
. 2016-08-31 10:22:55.517 Switch: /consoleinstance=_37704_958
. 2016-08-31 10:22:55.517 Switch: /console
. 2016-08-31 10:22:55.517 Switch: /script=d:\jobs\ftp_commandsb.txt
. 2016-08-31 10:22:55.517 Switch: /log=d:\jobs\error_check_rel.txt
. 2016-08-31 10:22:55.517 Switch: /loglevel=2
. 2016-08-31 10:22:55.517 Time zone: Current: GMT+1, Standard: GMT+0 (GMT Standard Time), DST: GMT+1 (GMT Daylight Time), DST Start: 3/27/2016, DST End: 10/30/2016
. 2016-08-31 10:22:55.517 Login time: Wednesday, August 31, 2016 10:22:55 AM
. 2016-08-31 10:22:55.517 --------------------------------------------------------------------------
. 2016-08-31 10:22:55.517 Script: Retrospectively logging previous script records:
> 2016-08-31 10:22:55.517 Script: option batch abort
> 2016-08-31 10:22:55.517 Script: Parameter: batch
> 2016-08-31 10:22:55.517 Script: Parameter: abort
< 2016-08-31 10:22:55.517 Script: batch abort
< 2016-08-31 10:22:55.517 Script: reconnecttime 120
> 2016-08-31 10:22:55.517 Script: option confirm off
> 2016-08-31 10:22:55.517 Script: Parameter: confirm
> 2016-08-31 10:22:55.517 Script: Parameter: off
< 2016-08-31 10:22:55.517 Script: confirm off
> 2016-08-31 10:22:55.517 Script: option echo on
> 2016-08-31 10:22:55.517 Script: Parameter: echo
> 2016-08-31 10:22:55.517 Script: Parameter: on
< 2016-08-31 10:22:55.517 Script: echo on
> 2016-08-31 10:22:55.517 Script: open ftps://*****:***@secureftp.uat.healthcode.co.uk -certificate="********" -explicitssl
> 2016-08-31 10:22:55.517 Script: Parameter: ftps://*****:***@secureftp.uat.healthcode.co.uk
> 2016-08-31 10:22:55.517 Script: Switch: -certificate=*********
> 2016-08-31 10:22:55.517 Script: Switch: -explicitssl
< 2016-08-31 10:22:55.517 Script: ftps://******:***@secureftp.uat.healthcode.co.uk -certificate="***********" -explicitssl
. 2016-08-31 10:22:55.518 --------------------------------------------------------------------------
. 2016-08-31 10:22:55.518 Session name: *****@secureftp.uat.healthcode.co.uk (Ad-Hoc site)
. 2016-08-31 10:22:55.518 Host name: secureftp.uat.healthcode.co.uk (Port: 21)
. 2016-08-31 10:22:55.518 User name: ********(Password: Yes, Key file: No)
. 2016-08-31 10:22:55.518 Transfer Protocol: FTP
. 2016-08-31 10:22:55.518 Ping type: C, Ping interval: 30 sec; Timeout: 15 sec
. 2016-08-31 10:22:55.518 Disable Nagle: No
. 2016-08-31 10:22:55.518 Proxy: none
. 2016-08-31 10:22:55.518 Send buffer: 262144
. 2016-08-31 10:22:55.518 UTF: 2
. 2016-08-31 10:22:55.518 FTP: FTPS: Explicit SSL; Passive: Yes [Force IP: A]; MLSD: A [List all: A]
. 2016-08-31 10:22:55.518 Session reuse: Yes
. 2016-08-31 10:22:55.518 TLS/SSL versions: TLSv1.0-TLSv1.2
. 2016-08-31 10:22:55.518 Local directory: default, Remote directory: home, Update: Yes, Cache: Yes
. 2016-08-31 10:22:55.518 Cache directory changes: Yes, Permanent: Yes
. 2016-08-31 10:22:55.518 Timezone offset: 0h 0m
. 2016-08-31 10:22:55.518 --------------------------------------------------------------------------
. 2016-08-31 10:22:55.521 Connecting to secureftp.uat.healthcode.co.uk ...
. 2016-08-31 10:22:55.535 TLS layer changed state from unconnected to connecting
. 2016-08-31 10:22:55.540 TLS layer changed state from connecting to connected
. 2016-08-31 10:22:55.540 Connected with secureftp.uat.healthcode.co.uk, negotiating TLS connection...
< 2016-08-31 10:22:55.546 220 Welcome to The Healthcode UAT FTPS service
> 2016-08-31 10:22:55.546 AUTH SSL
< 2016-08-31 10:22:55.549 234 Proceed with negotiation.
. 2016-08-31 10:22:55.743 TLS connect: SSLv3 read server hello A
. 2016-08-31 10:22:55.743 TLS connect: SSLv3 read server certificate A
. 2016-08-31 10:22:55.743 TLS connect: SSLv3 read server certificate request A
. 2016-08-31 10:22:55.743 TLS connect: SSLv3 read server done A
. 2016-08-31 10:22:55.743 TLS connect: SSLv3 write client certificate A
. 2016-08-31 10:22:55.743 TLS connect: SSLv3 write client key exchange A
. 2016-08-31 10:22:55.743 TLS connect: SSLv3 write change cipher spec A
. 2016-08-31 10:22:55.743 TLS connect: SSLv3 write finished A
. 2016-08-31 10:22:55.743 TLS connect: SSLv3 flush data
. 2016-08-31 10:22:55.750 SSL3 alert read: fatal: bad record mac
. 2016-08-31 10:22:55.750 TLS connect: failed in SSLv3 read finished A
. 2016-08-31 10:22:55.750 Can't establish TLS connection
. 2016-08-31 10:22:55.750 Disconnected from server
. 2016-08-31 10:22:55.750 Connection failed.
. 2016-08-31 10:22:55.750 Got reply 1004 to the command 1


Working output

. 2016-08-31 10:28:49.304 --------------------------------------------------------------------------
. 2016-08-31 10:28:49.304 WinSCP Version 5.1.8 (Build 3799) (OS 6.1.7601 Service Pack 1 - Windows Server 2008 R2 Standard)
. 2016-08-31 10:28:49.304 Configuration: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\
. 2016-08-31 10:28:49.304 Local account:
. 2016-08-31 10:28:49.304 Working directory: C:\Program Files (x86)\WinSCP
. 2016-08-31 10:28:49.304 Process ID: 1564
. 2016-08-31 10:28:49.304 Command-line: "C:\Program Files (x86)\WinSCP\WinSCP.exe" /console=518 /consoleinstance=_552_76 "/console" "/script=d:\jobs\ftp_commandsb.txt" "/log=d:\jobs\error_check_rel.txt" "/loglevel=2"
. 2016-08-31 10:28:49.304 Time zone: Current: GMT+1, Standard: GMT+0, DST: GMT+1, DST Start: 27/03/2016, DST End: 30/10/2016
. 2016-08-31 10:28:49.304 Login time: 31 August 2016 10:28:49
. 2016-08-31 10:28:49.304 --------------------------------------------------------------------------
. 2016-08-31 10:28:49.304 Session name: *****@secureftp.uat.healthcode.co.uk (Ad-Hoc session)
. 2016-08-31 10:28:49.304 Host name: secureftp.uat.healthcode.co.uk (Port: 21)
. 2016-08-31 10:28:49.304 User name: *****(Password: Yes, Key file: No)
. 2016-08-31 10:28:49.304 Tunnel: No
. 2016-08-31 10:28:49.304 Transfer Protocol: FTP
. 2016-08-31 10:28:49.304 Ping type: C, Ping interval: 30 sec; Timeout: 15 sec
. 2016-08-31 10:28:49.304 Proxy: none
. 2016-08-31 10:28:49.304 Send buffer: 262144
. 2016-08-31 10:28:49.304 FTP: FTPS: Explicit SSL; Passive: Yes [Force IP: A]; List all: A
. 2016-08-31 10:28:49.304 Session reuse: Yes
. 2016-08-31 10:28:49.304 Local directory: default, Remote directory: home, Update: Yes, Cache: Yes
. 2016-08-31 10:28:49.304 Cache directory changes: Yes, Permanent: Yes
. 2016-08-31 10:28:49.304 DST mode: 1; Timezone offset: 0h 0m
. 2016-08-31 10:28:49.304 --------------------------------------------------------------------------
. 2016-08-31 10:28:49.304 Connecting to secureftp.uat.healthcode.co.uk ...
. 2016-08-31 10:28:49.320 Connected with secureftp.uat.healthcode.co.uk, negotiating SSL connection...
< 2016-08-31 10:28:49.335 220 Welcome to The Healthcode UAT FTPS service
> 2016-08-31 10:28:49.335 AUTH SSL
< 2016-08-31 10:28:49.351 234 Proceed with negotiation.
. 2016-08-31 10:28:49.476 Asking user:
. 2016-08-31 10:28:49.476 The server's certificate is not known. You have no guarantee that the server is the computer you think it is. Server's certificate details follow:
. 2016-08-31 10:28:49.476
. 2016-08-31 10:28:49.476 Issuer:
. 2016-08-31 10:28:49.476 - Organization: Healthcode Ltd, IT Ops, secureftp.uat.healthcode.co.uk, administrator@healthcode.co.uk
. 2016-08-31 10:28:49.476 - Location: GB, Surrey, Staines-upon-Thames
. 2016-08-31 10:28:49.476
. 2016-08-31 10:28:49.476 Subject:
. 2016-08-31 10:28:49.476 - Organization: Healthcode Ltd, IT Ops, secureftp.uat.healthcode.co.uk, administrator@healthcode.co.uk
. 2016-08-31 10:28:49.476 - Location: GB, Surrey, Staines-upon-Thames
. 2016-08-31 10:28:49.476
. 2016-08-31 10:28:49.476 Valid: 10/11/2015 14:32:52 - 09/11/2016 14:32:52
. 2016-08-31 10:28:49.476
. 2016-08-31 10:28:49.476 Fingerprint (SHA1): *************************************
. 2016-08-31 10:28:49.476
. 2016-08-31 10:28:49.476 Summary: Self signed certificate. The error occured at a depth of 1 in the certificate chain.
. 2016-08-31 10:28:49.476
. 2016-08-31 10:28:49.476 If you trust this certificate, press Yes. To connect without storing certificate, press No. To abandon the connection press Cancel.
. 2016-08-31 10:28:49.476
. 2016-08-31 10:28:49.476 Continue connecting and store the certificate? ()
. 2016-08-31 10:28:49.476 Peer certificate rejected
. 2016-08-31 10:28:49.476 Disconnected from server
. 2016-08-31 10:28:49.476 Connection failed.


martin
Site Admin

Re: SSL3 alert read: fatal: bad record mac

You are using WinSCP 5.1.8 on the other machine. Maybe the server uses some deprecated cipher or version of SSL, no longer allowed in the latest version of WinSCP.

Can you try using 5.7.7 on the other machine?


astean
Guest

Re: SSL3 alert read: fatal: bad record mac

martin wrote:

You are using WinSCP 5.1.8 on the other machine. Maybe the server uses some deprecated cipher or version of SSL, no longer allowed in the latest version of WinSCP.

Can you try using 5.7.7 on the other machine?

Hi Martin,

I have installed version 5.7.7 on the other machine and it still connects fine. I'm wondering what could be stopping it on the non-working server. I'm also positive it's not firewall related.

Thanks
Adam

. 2016-09-01 17:41:32.115 --------------------------------------------------------------------------
. 2016-09-01 17:41:32.115 WinSCP Version 5.7.7 (Build 6257) (OS 6.1.7601 Service Pack 1 - Windows Server 2008 R2 Standard)
. 2016-09-01 17:41:32.115 Configuration: HKCU\Software\Martin Prikryl\WinSCP 2\
. 2016-09-01 17:41:32.115 Log level: Debug 2
. 2016-09-01 17:41:32.115 Local account:
. 2016-09-01 17:41:32.115 Working directory: C:\Program Files (x86)\WinSCP
. 2016-09-01 17:41:32.115 Process ID: 4712
. 2016-09-01 17:41:32.115 Command-line: "C:\Program Files (x86)\WinSCP\WinSCP.exe" /console=577 /consoleinstance=_4540_386 "/console" "/script=d:\jobs\ftp_commandsb.txt" "/log=d:\jobs\error_check_rel.txt" "/loglevel=2"
. 2016-09-01 17:41:32.115 Switch: /console=577
. 2016-09-01 17:41:32.115 Switch: /consoleinstance=_4540_386
. 2016-09-01 17:41:32.115 Switch: /console
. 2016-09-01 17:41:32.115 Switch: /script=d:\jobs\ftp_commandsb.txt
. 2016-09-01 17:41:32.115 Switch: /log=d:\jobs\error_check_rel.txt
. 2016-09-01 17:41:32.115 Switch: /loglevel=2
. 2016-09-01 17:41:32.115 Time zone: Current: GMT+1, Standard: GMT+0 (GMT Standard Time), DST: GMT+1 (GMT Daylight Time), DST Start: 27/03/2016, DST End: 30/10/2016
. 2016-09-01 17:41:32.115 Login time: 01 September 2016 17:41:32
. 2016-09-01 17:41:32.115 --------------------------------------------------------------------------
. 2016-09-01 17:41:32.115 Script: Retrospectively logging previous script records:
> 2016-09-01 17:41:32.115 Script: option batch abort
> 2016-09-01 17:41:32.115 Script: Parameter: batch
> 2016-09-01 17:41:32.115 Script: Parameter: abort
< 2016-09-01 17:41:32.115 Script: batch abort
< 2016-09-01 17:41:32.115 Script: reconnecttime 120
> 2016-09-01 17:41:32.115 Script: option confirm off
> 2016-09-01 17:41:32.115 Script: Parameter: confirm
> 2016-09-01 17:41:32.115 Script: Parameter: off
< 2016-09-01 17:41:32.115 Script: confirm off
> 2016-09-01 17:41:32.115 Script: option echo on
> 2016-09-01 17:41:32.115 Script: Parameter: echo
> 2016-09-01 17:41:32.115 Script: Parameter: on
< 2016-09-01 17:41:32.115 Script: echo on
> 2016-09-01 17:41:32.115 Script: open ftps://***:***@secureftp.uat.healthcode.co.uk -certificate="" -explicitssl
> 2016-09-01 17:41:32.115 Script: Parameter: ftps://****:***@secureftp.uat.healthcode.co.uk
> 2016-09-01 17:41:32.115 Script: Switch: -certificate=****
> 2016-09-01 17:41:32.115 Script: Switch: -explicitssl
< 2016-09-01 17:41:32.115 Script: ftps://***:***@secureftp.uat.healthcode.co.uk -certificate="66:07:73:57:f8:db:16:8a:ad:c5:d5:a1:75:76:d5:9d:52:c0:be:22" -explicitssl
. 2016-09-01 17:41:32.115 --------------------------------------------------------------------------
. 2016-09-01 17:41:32.115 Session name: ***@secureftp.uat.healthcode.co.uk (Ad-Hoc site)
. 2016-09-01 17:41:32.115 Host name: secureftp.uat.healthcode.co.uk (Port: 21)
. 2016-09-01 17:41:32.115 User name: BMI_B9dUb9uf (Password: Yes, Key file: No)
. 2016-09-01 17:41:32.115 Transfer Protocol: FTP
. 2016-09-01 17:41:32.115 Ping type: C, Ping interval: 30 sec; Timeout: 15 sec
. 2016-09-01 17:41:32.115 Disable Nagle: No
. 2016-09-01 17:41:32.115 Proxy: none
. 2016-09-01 17:41:32.115 Send buffer: 262144
. 2016-09-01 17:41:32.115 UTF: 2
. 2016-09-01 17:41:32.115 FTP: FTPS: Explicit SSL; Passive: Yes [Force IP: A]; MLSD: A [List all: A]
. 2016-09-01 17:41:32.115 Session reuse: Yes
. 2016-09-01 17:41:32.115 TLS/SSL versions: TLSv1.0-TLSv1.2
. 2016-09-01 17:41:32.115 Local directory: default, Remote directory: home, Update: Yes, Cache: Yes
. 2016-09-01 17:41:32.115 Cache directory changes: Yes, Permanent: Yes
. 2016-09-01 17:41:32.115 Timezone offset: 0h 0m
. 2016-09-01 17:41:32.115 --------------------------------------------------------------------------
. 2016-09-01 17:41:32.115 Connecting to secureftp.uat.healthcode.co.uk ...
. 2016-09-01 17:41:32.146 TLS layer changed state from unconnected to connecting
. 2016-09-01 17:41:32.146 TLS layer changed state from connecting to connected
. 2016-09-01 17:41:32.146 Connected with secureftp.uat.healthcode.co.uk, negotiating TLS connection...
< 2016-09-01 17:41:32.162 220 Welcome to The Healthcode UAT FTPS service
> 2016-09-01 17:41:32.162 AUTH SSL
< 2016-09-01 17:41:32.380 234 Proceed with negotiation.
. 2016-09-01 17:41:32.505 TLS connect: SSLv3 read server hello A
. 2016-09-01 17:41:32.505 TLS connect: SSLv3 read server certificate A
. 2016-09-01 17:41:32.505 TLS connect: SSLv3 read server certificate request A
. 2016-09-01 17:41:32.505 TLS connect: SSLv3 read server done A
. 2016-09-01 17:41:32.505 TLS connect: SSLv3 write client certificate A
. 2016-09-01 17:41:32.505 TLS connect: SSLv3 write client key exchange A
. 2016-09-01 17:41:32.505 TLS connect: SSLv3 write change cipher spec A
. 2016-09-01 17:41:32.505 TLS connect: SSLv3 write finished A
. 2016-09-01 17:41:32.505 TLS connect: SSLv3 flush data
. 2016-09-01 17:41:32.521 TLS connect: SSLv3 read server session ticket A
. 2016-09-01 17:41:32.521 TLS connect: SSLv3 read finished A
. 2016-09-01 17:41:32.521 Verifying certificate for "Healthcode Ltd" with fingerprint *****and 18 failures
. 2016-09-01 17:41:32.536 Certificate common name "secureftp.uat.healthcode.co.uk" matches hostname
. 2016-09-01 17:41:32.536 Asking user:
. 2016-09-01 17:41:32.552 **The server's certificate is not known. You have no guarantee that the server is the computer you think it is.**
. 2016-09-01 17:41:32.552
. 2016-09-01 17:41:32.552 Server's certificate details follow:
. 2016-09-01 17:41:32.552
. 2016-09-01 17:41:32.552 Issuer:
. 2016-09-01 17:41:32.552 - Organization: Healthcode Ltd, IT Ops, secureftp.uat.healthcode.co.uk, administrator@healthcode.co.uk
. 2016-09-01 17:41:32.552 - Location: GB, Surrey, Staines-upon-Thames
. 2016-09-01 17:41:32.552
. 2016-09-01 17:41:32.552 Subject:
. 2016-09-01 17:41:32.552 - Organization: Healthcode Ltd, IT Ops, secureftp.uat.healthcode.co.uk, administrator@healthcode.co.uk
. 2016-09-01 17:41:32.552 - Location: GB, Surrey, Staines-upon-Thames
. 2016-09-01 17:41:32.552
. 2016-09-01 17:41:32.552 Valid: 10/11/2015 14:32:52 - 09/11/2016 14:32:52
. 2016-09-01 17:41:32.552
. 2016-09-01 17:41:32.552 Fingerprint (SHA-1): *****
. 2016-09-01 17:41:32.552
. 2016-09-01 17:41:32.552 Summary: Self signed certificate. The error occurred at a depth of 1 in the certificate chain.
. 2016-09-01 17:41:32.552
. 2016-09-01 17:41:32.552 If you trust this certificate, press Yes. To connect without storing certificate, press No. To abandon the connection press Cancel.
. 2016-09-01 17:41:32.552
. 2016-09-01 17:41:32.552 Continue connecting and store the certificate? ()
. 2016-09-01 17:41:32.552 Peer certificate rejected
. 2016-09-01 17:41:32.552 TLS layer changed state from connected to closed
. 2016-09-01 17:41:32.552 Disconnected from server
. 2016-09-01 17:41:32.552 Connection failed.
. 2016-09-01 17:41:32.552 Got reply 1804 to the command 1
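
Added example, not part of the original posts or of WinSCP: a small Python parser that pulls the TLS handshake steps out of WinSCP session logs like the two 5.7.7 logs above and reports which side sent the alert and the first step the failing session never reached. The function names `handshake_trace` and `divergence` are hypothetical, and the embedded excerpts are constructed from log lines quoted in this thread.

```python
import re

# Constructed samples: handshake lines copied from the failing (2008 SP2) and
# working (2008 R2) WinSCP 5.7.7 logs in this thread.
FAILING_LOG = """\
. 2016-08-31 10:22:55.743 TLS connect: SSLv3 read server certificate request A
. 2016-08-31 10:22:55.743 TLS connect: SSLv3 read server done A
. 2016-08-31 10:22:55.743 TLS connect: SSLv3 write client certificate A
. 2016-08-31 10:22:55.743 TLS connect: SSLv3 write client key exchange A
. 2016-08-31 10:22:55.743 TLS connect: SSLv3 write change cipher spec A
. 2016-08-31 10:22:55.743 TLS connect: SSLv3 write finished A
. 2016-08-31 10:22:55.743 TLS connect: SSLv3 flush data
. 2016-08-31 10:22:55.750 SSL3 alert read: fatal: bad record mac
. 2016-08-31 10:22:55.750 TLS connect: failed in SSLv3 read finished A
"""
WORKING_LOG = """\
. 2016-09-01 17:41:32.505 TLS connect: SSLv3 read server certificate request A
. 2016-09-01 17:41:32.505 TLS connect: SSLv3 read server done A
. 2016-09-01 17:41:32.505 TLS connect: SSLv3 write client certificate A
. 2016-09-01 17:41:32.505 TLS connect: SSLv3 write client key exchange A
. 2016-09-01 17:41:32.505 TLS connect: SSLv3 write change cipher spec A
. 2016-09-01 17:41:32.505 TLS connect: SSLv3 write finished A
. 2016-09-01 17:41:32.505 TLS connect: SSLv3 flush data
. 2016-09-01 17:41:32.521 TLS connect: SSLv3 read server session ticket A
. 2016-09-01 17:41:32.521 TLS connect: SSLv3 read finished A
"""

# "SSLv3" is the handshake-state label used in the log, not the negotiated
# version; both sessions log "TLS/SSL versions: TLSv1.0-TLSv1.2".
LINE = re.compile(r"^[.<>!*] \d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3} (.*)$")
STATE = re.compile(r"^TLS connect: SSLv3 (read|write) (.+) A$")
ALERT = re.compile(r"^SSL3 alert (read|write): (\w+): (.+)$")
FAILED = re.compile(r"^TLS connect: failed in SSLv3 (read|write) (.+) A$")

def handshake_trace(log_text):
    """Return handshake steps, any TLS alert, and the state the handshake died in."""
    trace = {"steps": [], "alert": None, "failed_in": None}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a timestamped log record
        msg = m.group(1)
        if s := STATE.match(msg):
            trace["steps"].append((s.group(1), s.group(2)))
        elif a := ALERT.match(msg):
            # "read" = alert received from the server, "write" = sent by the client
            trace["alert"] = {"from": "server" if a.group(1) == "read" else "client",
                              "level": a.group(2), "description": a.group(3)}
        elif f := FAILED.match(msg):
            trace["failed_in"] = (f.group(1), f.group(2))
    return trace

def divergence(failing, working):
    """First step the working handshake has that the failing one never reached."""
    done = failing["steps"]
    for i, step in enumerate(working["steps"]):
        if i >= len(done) or done[i] != step:
            return step
    return None
```

On these excerpts the alert is one the client read from the server, after the client had written its certificate, key exchange, change cipher spec and Finished, and before any server session ticket was read.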


martin
Site Admin

Re: SSL3 alert read: fatal: bad record mac

Thanks for the log. Can you connect with any other FTPS client from the problematic machine? Like using FileZilla.


astean
Guest

Re: SSL3 alert read: fatal: bad record mac

martin wrote:

Thanks for the log. Can you connect with any other FTPS client from the problematic machine? Like using FileZilla.

Not sure, I'll give it a try today and let you know.

Thanks


astean
Guest

Re: SSL3 alert read: fatal: bad record mac

astean wrote:

martin wrote:

Thanks for the log. Can you connect with any other FTPS client from the problematic machine? Like using FileZilla.

Not sure, I'll give it a try today and let you know.

Thanks

Hi Martin,

I've tried to connect using FileZilla on both servers and neither will connect this time. I get this error:

Response: 234 Proceed with negotiation.
Status: Initializing TLS...
Error: GnuTLS error -12: A TLS fatal alert has been received.
Error: Could not connect to server

I think this is to do with incorrect ciphers when I do an Internet search. Not sure if this is a similar issue with WinSCP?

Thanks


astean
Guest

Re: SSL3 alert read: fatal: bad record mac

martin wrote:

Yes, it looks like the same problem.

Yes. Any other ideas/suggestions? It's also not working on a new Server 2012R2 OS either.

Thanks for your help so far. At the moment I'm not sure what to try next.

Adam
