OpenSSL error: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt #12924

Closed
nunoperalta opened this Issue Jan 25, 2017 · 9 comments

@nunoperalta

Steps to reproduce

  1. Install 4.6.6
  2. Open login page
  3. See error: "OpenSSL error: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt"

Expected behaviour

No error should occur in the login page.

Actual behaviour

I see error below the login box: "OpenSSL error: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt"

Server configuration

Operating system: CentOS

Web server: Apache

Database: MariaDB

PHP version: 7.1.1 or 7.0.15 or 5.6.30

phpMyAdmin version: 4.6.6

Client configuration

Browser: Chrome

Operating system: Windows 10

@nijel
Member
nijel commented Jan 25, 2017 edited

Does the error disappear on next login? It can be caused by wrongly encrypted cookies from a previous version (there was a bug in the cookie encryption code in prior releases leading to this).

PS: We were silently ignoring such errors in the previous version; now they are displayed to allow diagnosing problems.

@nijel nijel added the question label Jan 25, 2017
@nijel
Member
nijel commented Jan 25, 2017

Hmm, but the error message should probably tell when this happened.

@ibennetch Maybe we should document this as a known issue, as this will happen to users using openssl directly (not via phpseclib) on upgrade.

@nijel nijel added a commit that referenced this issue Jan 25, 2017
@nijel nijel Improve error message for cookie encryption
- make it localized
- correctly report that it's about cookies

Issue #12924

Signed-off-by: Michal Čihař <michal@cihar.com>
31084a0
@slokhorst
Contributor

Same message here after upgrading from 4.6.5.2. Disappeared after logging in and out.

@cslevi81
cslevi81 commented Jan 27, 2017 edited

Similar error message:
I could log in and use phpMyAdmin, but the error message occurs on the login page (when I access the page via simple HTTP - not HTTPS - too).

Server configuration

Operating System: Debian 7.11
Web server: Apache 2.2.22
Database: MySQL 5.5.54
PHP: 5.6.30 (dotdeb)
PHP extension used: mysqli, curl, mbstring
PhpMyAdmin version: 4.6.6
OpenSSL version: 1.0.1t

Client configuration

Browser: Firefox 50.1.0
OS: xUbuntu 12.04.5

@ibennetch
Contributor

@nijel can we catch this error message and deal with it internally rather than making the user log out and back in again? If needed, we can show a message to the user after this that their cookies were reset or some such.

@nijel
Member
nijel commented Jan 30, 2017

Well, there is no way to distinguish between corrupt cookies and cookies encrypted with wrong parameters used in previous versions, so we either show the error in all cases or never. On the other hand, nobody ever complained about missing such an error message, so removing its display might be reasonable...

@nijel nijel self-assigned this Feb 2, 2017
@nijel nijel added bug and removed question labels Feb 2, 2017
@nijel nijel added this to the 4.7.1 milestone Feb 2, 2017
@nijel nijel added a commit that closed this issue Feb 2, 2017
@nijel nijel Do not show errors from OpenSSL cookie encryption/decryption
This can happen from corrupted cookies, by invalid encryption parameters
used in older phpMyAdmin versions or by wrong OpenSSL configuration.

In neither case is the error useful to the user, but we need to clear the
error buffer as otherwise the errors would pop up later, for example
during MySQL SSL setup.

Fixes #12924

Signed-off-by: Michal Čihař <michal@cihar.com>
5022ff9
@nijel nijel closed this in 5022ff9 Feb 2, 2017
@nijel nijel modified the milestone: 4.7.0, 4.7.1 Feb 2, 2017
@nijel
Member
nijel commented Feb 2, 2017

In the end I've decided to remove this error reporting. It is probably not useful to the user in either case, so let's just discard the errors so that they do not pop up later. The discarding is now in place for phpseclib as well.

@ibennetch
Contributor

So there's nothing to add documentation about, then?

@nijel
Member
nijel commented Feb 4, 2017

No, I think it's better to not show this to the user at all, as he usually has no chance to fix the error.
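
The behaviour the closing commit describes (a failed cookie decryption leaves entries in the OpenSSL error queue that surface later unless they are cleared), as an added PHP example that is not phpMyAdmin's code. The function names, the AES-128-CBC cipher and the sample cookie value are assumptions made for illustration.

```php
<?php
// Added illustration, not phpMyAdmin's code. Function names, cipher choice
// and the sample cookie value are assumptions made for this example.

const CIPHER = 'AES-128-CBC'; // assumed cipher

/** Pop every pending entry off the OpenSSL error queue and return them. */
function drainOpensslErrors(): array
{
    $errors = [];
    while (($msg = openssl_error_string()) !== false) {
        $errors[] = $msg;
    }
    return $errors;
}

/**
 * Decrypt a cookie value. A failure returns false (treat it as "no cookie");
 * the queue is always emptied so nothing leaks into later OpenSSL users.
 */
function decryptCookie(string $ciphertext, string $key, string $iv)
{
    $plain = openssl_decrypt($ciphertext, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    drainOpensslErrors();
    return $plain;
}

// Constructed sample: encrypt a value, then damage one IV byte so the
// padding check fails on decryption, as it would for a corrupted cookie.
$key = random_bytes(16);
$iv = random_bytes(16);
$cookie = openssl_encrypt('pma-user', CIPHER, $key, OPENSSL_RAW_DATA, $iv);
$badIv = $iv;
$badIv[15] = $badIv[15] ^ "\x01";
drainOpensslErrors(); // start from an empty queue

// 1) Raw call without cleanup: the error stays queued for whoever asks next.
$raw = openssl_decrypt($cookie, CIPHER, $key, OPENSSL_RAW_DATA, $badIv);
$stale = drainOpensslErrors();
printf("raw decrypt ok: %s, queued errors: %d\n", var_export($raw !== false, true), count($stale));

// 2) Wrapper: same failure, but the queue is empty afterwards.
$wrapped = decryptCookie($cookie, $key, $badIv);
printf("wrapped decrypt ok: %s, next error: %s\n",
    var_export($wrapped !== false, true), var_export(openssl_error_string(), true));

// 3) The untouched cookie still decrypts.
printf("valid cookie: %s\n", var_export(decryptCookie($cookie, $key, $iv), true));
```

The exact wording of the queued message depends on the OpenSSL version PHP is linked against, so the example counts entries instead of matching the string.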
