SSL error (ssl_error_bad_mac_read) between LTM and Firefox
We have noticed that recent versions of Firefox 36+ are frequently giving SSL errors [ssl_error_bad_mac_read] when talking to our LTM. The LTM is used as a reverse proxy for a website and does SSL bridging.
The error happens sporadically on some web pages but some other web pages are giving it pretty constantly.
The error happens with all tested flavors of SSL/TLS: SSLv3, TLS 1.0, TLS 1.2.
The error does not happen with IE, Chrome and previous versions of Firefox (before 36).
The error does not happen if we bypass LTM and connect directly to the website with any version of TLS.
Has anybody already seen this issue? What could be the problem?
Any help will be appreciated.
UPDATE 1: If I disable in Firefox all ciphers except 3DES+SHA, everything works well.
UPDATE 2: I have three different VIPs on our LTM that use different SSL certificates. I tested all of them with Firefox. In all cases TLS 1.2 with the cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) was negotiated. In two cases the SSL connections fail with a "bad mac" error. In the third case, I have been unable to reproduce the issue.
UPDATE 3: According to Wireshark captures, the SSL connection sometimes fails right after the handshake. But sometimes it fails later, after having transferred some amount of HTTP data. Looks like a bug in crypto libraries.
UPDATE 4: Tested LTM with an OpenSSL client using TLS 1.2 and the AES128-SHA cipher. Got similar behavior with an intermittent decryption error.
error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record
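An added example, not part of the original post: a repeatable version of the UPDATE 4 test that pins TLS 1.2 with AES128-SHA, reads each response to the end (UPDATE 3 notes failures can occur mid-transfer), and reports how often a bad-MAC error appears. The function names are hypothetical, the host, port and run count are supplied on the command line, and it assumes the local OpenSSL build still permits AES128-SHA.

```python
import socket
import ssl
from collections import Counter

def decode_openssl_error(code_hex):
    """Split a packed OpenSSL 1.0.x/1.1.x error code into (library, function, reason)."""
    code = int(code_hex, 16)  # layout: 8-bit library | 12-bit function | 12-bit reason
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def classify(exc):
    """Map an exception from one probe to a short outcome label."""
    if isinstance(exc, ssl.SSLError):
        reason = getattr(exc, "reason", None) or "UNKNOWN_SSL_ERROR"
        # Matches a local MAC/decrypt failure and a bad_record_mac alert from the peer.
        return "bad_mac" if "BAD_RECORD_MAC" in reason else "ssl:" + reason
    return "net:" + type(exc).__name__

def probe_once(host, port, path="/", cipher="AES128-SHA", timeout=10):
    """Open one TLS 1.2 connection pinned to a single cipher; return an outcome label."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                req = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
                tls.sendall(req.encode("ascii"))
                while tls.recv(16384):  # drain the response so late failures surface
                    pass
        return "ok"
    except (ssl.SSLError, OSError) as exc:
        return classify(exc)

def tally(outcomes):
    """Count outcome labels and return (counts, fraction that were bad_mac)."""
    counts = Counter(outcomes)
    total = sum(counts.values())
    return counts, (counts["bad_mac"] / total if total else 0.0)

if __name__ == "__main__":
    import sys
    host, port, runs = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    counts, rate = tally(probe_once(host, port) for _ in range(runs))
    print(dict(counts), f"bad_mac rate={rate:.1%}")
```

Running it against each VIP and against the backend directly gives a per-path failure rate to compare, and passing a different `cipher` to `probe_once` checks whether the failures follow the cipher, as UPDATE 1 suggests.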