onetun: SSL_ERROR_BAD_MAC_READ When forwarding SSL port

I’m getting a strange problem when I attempt to connect to my forwarded GitLab instance using Firefox/Chromium: some requests are failing with SSL_ERROR_BAD_MAC_READ. It also only seems to happen on background requests, so I assume it only happens when many requests happen in parallel, as the background resources are fetched in parallel.

Here’s a snapshot of the network log when I try to load GitLab:

image

Notice how the first request for the HTML file executes just fine. Once the browser parses the HTML file, however, it fires off a bunch of requests in parallel to grab the script files and the images. A couple of these requests succeed; however, the rest fail with SSL_ERROR_BAD_MAC_READ.

Also, here’s the onetun log (with --log trace) corresponding to the above requests: onetun.log.

The issue doesn’t happen when I connect directly to the GitLab instance over WireGuard.

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 15 (9 by maintainers)

Most upvoted comments

Works beautifully now, thank you so much!

Thanks for the details. I was able to reproduce your examples with a second machine, so it’s not just your setup.

I was able to reproduce the issue with curl on one of the files that fails, which will help with pinpointing the issue (browsers have a bunch of other stuff at play like http/2 and keepalive):

$ curl -k 'https://localhost:9443/assets/application-775f130d36e9eb14cb67c6a63551511b87f78944cebcf6cdddb78292030341df.css' > good.txt
# output: 723198 bytes
# no errors

$ curl -k 'https://naptime.local:9443/assets/application-775f130d36e9eb14cb67c6a63551511b87f78944cebcf6cdddb78292030341df.css' > bad.txt
# output: truncates at 81866 bytes (sometimes a bit more)
# curl: (56) OpenSSL SSL_read: error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac, errno 0

It seems like some issue with pushing large files over HTTP. The SSL error is saying that the MAC (signature) is not valid since only part of the data was sent.

I’m still unclear as to why it works on localhost but not on a remote endpoint. My next step will be to try with the same file but without SSL and see if it’s a factor.
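The curl comparison above can be turned into a small repeatable harness that downloads one asset through two endpoints (the direct host and the forwarded one), counts the body bytes actually delivered against the advertised Content-Length, and records whether the stream ended cleanly, ended short, or was cut off by a TLS record-integrity error. This is an added example written for this thread, not code from the onetun project; the host names, port and asset path on the command line are assumptions, and the `verify=False` switch plays the role of curl's `-k` from the comment above.

```python
"""Compare one TLS download across two endpoints and classify how each ended.

Added example for this issue thread (not part of onetun). Usage, assuming a
direct endpoint and a forwarded endpoint serving the same asset:

    python tls_truncation_check.py localhost:9443 naptime.local:9443 \
        /assets/application.css --insecure
"""
import socket
import ssl
import sys


def parse_headers(raw: bytes):
    """Split a raw HTTP/1.1 response into (status line, header dict, body bytes).

    If the stream was cut before the blank line, everything is treated as the
    status/header part and the body is empty.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify(expected_len, received_len, tls_error):
    """Label one download outcome.

    A 'bad record mac' style error means the TLS layer rejected a record whose
    integrity check failed, i.e. the bytes between client and server were
    altered or cut mid-record; a short body with no TLS error means the
    connection closed cleanly but early.
    """
    if tls_error is not None:
        return "truncated-by-tls-error"
    if expected_len is not None and received_len < expected_len:
        return "truncated-silently"
    return "complete"


def fetch(host, port, path, verify=True, timeout=30):
    """GET `path` over TLS from host:port, reading until EOF or a TLS error."""
    ctx = ssl.create_default_context()
    if not verify:  # equivalent of curl -k for self-signed test instances
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    received = b""
    tls_error = None
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            req = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
                   f"Connection: close\r\n\r\n").encode()
            tls.sendall(req)
            try:
                while True:
                    chunk = tls.recv(65536)
                    if not chunk:
                        break
                    received += chunk
            except ssl.SSLError as exc:
                # e.g. reason DECRYPTION_FAILED_OR_BAD_RECORD_MAC from OpenSSL
                tls_error = getattr(exc, "reason", None) or str(exc)
    status, headers, body = parse_headers(received)
    expected = int(headers["content-length"]) if "content-length" in headers else None
    return {
        "status": status,
        "expected": expected,
        "received": len(body),
        "tls_error": tls_error,
        "verdict": classify(expected, len(body), tls_error),
    }


def main(argv):
    if len(argv) < 4:
        print(__doc__)
        return 2
    insecure = "--insecure" in argv
    path = argv[3]
    for endpoint in argv[1:3]:
        host, _, port = endpoint.partition(":")
        result = fetch(host, int(port or 443), path, verify=not insecure)
        print(f"{endpoint}: {result['verdict']} "
              f"({result['received']}/{result['expected']} bytes, "
              f"tls_error={result['tls_error']})")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running it a few times against the forwarded endpoint turns "sometimes a bit more" into recorded byte counts, which is the number to compare against the forwarder's own trace log; a "truncated-silently" verdict would point at the HTTP side rather than at the TLS record layer.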