TLS Client issue: Bad Record MAC\n decryption_failed

Our app (Phoenix 1.5.14) sends the following response back in our webhook controller:

TLS client: In state connection at tls_record_1_3.erl:337 generated CLIENT ALERT: Fatal - Bad Record MAC\n decryption_failed

Found the following related issue, but we’re already on OTP25 (elixir:1.14.2-alpine).

This started when crypto.hmac/3 which was removed in OTP 24, so we upgraded to OTP25:

Phoenix 1.5.14

compiled app is running erts-13.1.2

Any ideas? Thanks,


Here’s a short update. No solution as of yet.

When using cURL the issue above does not appear.

curl -d "@data.json"  -H "Content-Type: application/json" -X POST

Our SSL cert looks to be fine and valid.
Could this be a firewall/network issue?

We have a similar issue.

After upgrading OS (openssl 1.1 to openssl 3), Erlang OTP 25.1.2 and Elixir 1.14.2 on our host, we eventually had to revert back to Erlang 24.3.4 and Elixir 1.13.4.
In our case this was the only option, as our Nerves devices in the field could not connect.

Hopefully this can be solved via some kind of easy fix. But probably the encryption setup is just different in the new version and incompatible with older versions?
I’m also hoping someone can explain the error in more detail. What is causing it?

Our install is using OpenSSL 3.0.2.
When installing Erlang 24.3.4 with asdf, it provided the following info:

  • crypto : Using OpenSSL 3.0 is not yet recommended for production code.

Everything seems to be working for now.