Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/tls: "bad record MAC" error on TLS Handshake - Go1.2 bug, regression from Go1.1 #7085

gopherbot opened this issue Jan 9, 2014 · 6 comments


Copy link


I'm getting a "bad record MAC" error on TLS Handshake on a connection to
certain sites.  This used to be fine in Go1.1, but Go1.2 introduced this error.

What steps will reproduce the problem?
If possible, include a link to a program on
1. Copy/Paste this go program locally: (playground
doesn't have necessary libs)
2.  Compile using Go1.2
3.  Run, you will get the "bad record Mac" error.
4.  Compile same program using Go1.1
5. Run, you will see "Success!" printed out.

What is the expected output?

What do you see instead?
"local error: bad record MAC"

Which compiler are you using (5g, 6g, 8g, gccgo)?
go build

Which operating system are you using?
Tested on Darwin and Linux.

Which version are you using?  (run 'go version')

Please provide any additional information below.
The example linked is using "" as the
example site that exploits this issue.  I'd like to note that browsing to the site on
Google Chrome shows that the certificate is valid and verified.
Copy link

Comment 1 by

Update, tried these steps with the latest Go code compiled off of +8a7395c26adc and the
issue still persists.

Copy link

Comment 2 by

Through process of elimination, I've found that the issue was introduced from this

Copy link

bradfitz commented Jan 9, 2014

Comment 3:

Owner changed to @agl.

Status changed to Accepted.

Copy link

Comment 4 by

This is a blocking issue for us, and if possible, we would really appreciate a patch
that we could apply to our local go1.2 version that would fix the issue.  
I know that releasing something like Go1.2.1 is out of the question and this fix will
most likely go into 1.3, but we'd really appreciate something that we could apply
immediately if possible.

Copy link

agl commented Jan 10, 2014

Comment 5:

It's a server bug. Specifically it's matching the version number in the RSA PMS with its
version, not the client's version. OpenSSL and NSS also fail to connect.
It's easy to work around however: you can set MaxVersion in tls.Config to
tls.VersionTLS10. If you have any contacts with the server operators however you should
really encourage them to update:

Status changed to WorkingAsIntended.

Copy link

Comment 6 by

I see, thanks for the help Adam.  That workaround is actually quite useful.  We'll see
what are options are from there.
Thanks again.

@golang golang locked and limited conversation to collaborators Jun 25, 2016
This issue was closed.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
None yet

No branches or pull requests

3 participants