# Apache + OpenSSL Trouble



## Monoecus (Apr 12, 2010)

Since updating to OpenSSL 1.0.0, my Apache22 server does not work properly anymore and Firefox returns the following error message:


```
An error occurred during a connection to www.xxx.xxx.

SSL received a record with an incorrect Message Authentication Code.

(Error code: ssl_error_bad_mac_read)
```

I have rebuilt the certificate and also tested it with www/hiawatha, where it works correctly. There are no error log messages in the Apache logs, nor in /var/log/messages.

Does anybody have a clue on what's going on?


----------



## anomie (Apr 12, 2010)

I'm presuming that this is the security/openssl port, rather than the base system openssl? 

If so, would rebuilding Apache22 / mod_ssl with different make (make.conf(5)) settings - i.e. using the base system openssl - be acceptable?

---

If you really need to troubleshoot this, it does not make sense that Apache is not logging the problem. Make sure you've set at least *LogLevel info* and that you're looking at the right error log. (It may be in a different virtualhost than you are expecting, or it may be that SSL connections have their own virtualhost container.)


----------



## Monoecus (Apr 12, 2010)

Yes, you are right. It is an issue with security/openssl. Actually, I can confirm that the trouble lies in the configuration of www/apache22. After removing


```
SSLCipherSuite RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
```

from the config file, everything worked fine again. Hence, there must be one of those ciphers which is incompatible with the new OpenSSL.

Anyway, thank you very much for your comments.


----------



## DutchDaemon (Apr 12, 2010)

The default is


```
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
```

and it works fine with openssl-1.0.0.


----------
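
Added example (not code from the thread or from OpenSSL): a simplified Python model of how OpenSSL evaluates a cipher string, run on the two `SSLCipherSuite` values posted above. The suite table is a small constructed sample and ordering rules such as `@STRENGTH` are left out; on a real host, `openssl ciphers -v '<string>'` prints the actual expansion.

```python
# Simplified model of OpenSSL cipher-string evaluation, per ciphers(1).
# SUITES is a small constructed sample with hand-assigned tags, not OpenSSL's table.
SUITES = {
    "AES256-SHA":         {"RSA", "AES", "HIGH"},
    "DHE-RSA-AES128-SHA": {"RSA", "DH", "AES", "HIGH"},
    "ADH-AES128-SHA":     {"ADH", "AES", "HIGH"},
    "RC4-SHA":            {"RSA", "RC4", "MEDIUM"},
    "RC4-MD5":            {"RSA", "RC4", "MEDIUM"},
    "DES-CBC-SHA":        {"RSA", "DES", "LOW"},
    "DES-CBC3-MD5":       {"RSA", "3DES", "HIGH", "SSLv2"},
    "EXP-RC4-MD5":        {"RSA", "RC4", "EXP"},
    "NULL-SHA":           {"RSA", "eNULL"},
}

def matches(name, want):
    """'A+B' inside one item is a logical AND; ALL never includes eNULL suites."""
    tags = SUITES[name]
    return "eNULL" not in tags if want == {"ALL"} else want <= tags

def expand(cipher_string):
    """Return the ordered list of enabled suites for a ':'-separated string."""
    active, killed = [], set()
    for item in filter(None, cipher_string.split(":")):
        op = item[0] if item[0] in "!-+" else ""
        want = set(item[len(op):].split("+"))
        hits = [n for n in SUITES if n not in killed and matches(n, want)]
        if op == "!":      # delete permanently; later items cannot re-add
            killed.update(hits)
            active = [n for n in active if n not in hits]
        elif op == "-":    # delete, but later items may add again
            active = [n for n in active if n not in hits]
        elif op == "+":    # only move already-enabled suites to the end
            active = ([n for n in active if n not in hits]
                      + [n for n in active if n in hits])
        else:              # no prefix: append suites not yet enabled
            active += [n for n in hits if n not in active]
    return active

TRIMMED = "RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"  # line removed in the third post
DEFAULT = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"

if __name__ == "__main__":
    for label, s in (("trimmed", TRIMMED), ("default", DEFAULT)):
        print(f"{label}: {expand(s)}")
```

With no leading `ALL`, the `+HIGH`, `+MEDIUM`, `+LOW` and `+SSLv2` items have nothing to reorder, so the trimmed string enables only the RC4 suites in this sample. In the default string, `+eNULL` likewise moves nothing, because `ALL` never added the NULL suite.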

