SSL error (ssl_error_bad_mac_read) between LTM and Firefox

Question

We have noticed that recent versions of Firefox 36+ are frequently giving SSL errors [ssl_error_bad_mac_read] when talking to our LTM. The LTM is used as a reverse proxy for a website and does SSL bridging. &nbsp;
The error happens sporadically on some web pages but some other web pages are giving it pretty constantly.&nbsp;
The error happens with all tested flavors of SSL/TLS: SSLv3, TLS 1.0, TLS 1.2.&nbsp;
The error does not happen with IE, Chrome and previous versions of Firefox (before 36).&nbsp;
The error does not happen if we bypass LTM and connect directly to the website with any version of TLS.&nbsp;
Has anybody already seen this issue?
What could be a problem?&nbsp;
Any help will be appreciated&nbsp;
UPDATE 1 
If I disable in Firefox all ciphers except 3DES+SHA, everything works well.&nbsp;
UPDATE 2
I have three different VIPs on our LTM that use different SSL certificates. 
I tested all of them with Firefox.
In all cases TLS 1.2 with the cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) was negotiated.
In two cases the SSL connections fail with a "bad mac" error.
In the third case, I have been unable to reproduce the issue.&nbsp;
UPDATE 3
According to Wireshark captures the SSL connection fails sometimes right after the handshake. But sometimes it fails later after have transferring some amount of HTTP data.
Looks like a bug in crypto libraries.&nbsp;
UPDATE 4
Tested LTM with an OpenSSL client using TLS 1.2 and the AES128-SHA cipher.
Got a similar behavior with an intermittent decryption error.&nbsp;
error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record&nbsp;

jonathan_mansfi · Answer

We were seeing similar behavior on one of our 11050's, though we are offloading SSL at the F5.  It was only affecting traffic coming from our private IP space which was going through a u-turn nat to reach publicly addressed services in our DMZ.  The interesting thing is that we were able to remediate the problem temporarily by changing the snat IP on our firewall which was being used by affected clients.  Ultimately the behavior returned after about three days using the new snat IP.  We also saw similar behavior from Chrome.  We failed traffic to another HA member, and the problems subsided.  After restarting the problematic member, we failed traffic back to it and it appears to be running clean.  We haven't determined the root cause yet.  I'm wondering if anyone else has run into this before.  (These boxes are currently running 11.5.1hf7)

danny_epperson_ · Answer

Hi EastCoast, what is the type of LTM (something like B2250 Viprion or Virtual Edition or 6900F) and TMOS version (please be on a recent hotfix)?

eastcoast_16835 · Answer

At the time it was 11.4.1 HF6 and I was told by support that the SSL engine in this version had a regression bug fixed in HF7+.

eastcoast_16835 · Answer

Update.
We upgraded the LTM version to 11.4.1 HF9 and still having the same issue.
There are sporadic  BAD MAC errors when using AES SSL ciphers.

Could it be a hardware problem?
This is a B2250 blade with a hardware SSL Accelerator.

ecesureshkumar · Answer

Disable and enable respective virtual servers/Pools to reset all the memory binding to the VS&nbsp;

Forum Discussion

SSL error (ssl_error_bad_mac_read) between LTM and Firefox

10 Replies

Recent Discussions

Client certificate Authentication - open multiple tabs

google autenticator broken barcode

Chrome V 124+ on MacOS - Virtual Server Access Issue

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Port Group on F5OS network setting

Related Content

Weaponizing Firefox

Dev Central_search_plugin_for_ Firefox

Clickjacking Protection Using X-FRAME-OPTIONS Available for Firefox

F5 Access Policy Manager and Firefox Browser version 43 and 47+

will the Native Java work on Firefox?