Python CherryPy DECRYPTION_FAILED_OR_BAD_RECORD_MAC

Good day, I have an app that uses CherryPy to serve a simple website. From time to time I get a DECRYPTION_FAILED_OR_BAD_RECORD_MAC error. I've never seen the issue myself while testing; this is only obvious in the logs.

[26/Nov/2021:02:50:39] ENGINE Error in HTTPServer.serve
Traceback (most recent call last):
  File "/home/user/app/venv/lib/python3.8/site-packages/cheroot/server.py", line 1810, in serve
    self._connections.run(self.expiration_interval)
  File "/home/user/app/venv/lib/python3.8/site-packages/cheroot/connections.py", line 201, in run
    self._run(expiration_interval)
  File "/home/user/app/venv/lib/python3.8/site-packages/cheroot/connections.py", line 218, in _run
    new_conn = self._from_server_socket(self.server.socket)
  File "/home/user/app/venv/lib/python3.8/site-packages/cheroot/connections.py", line 272, in _from_server_socket
    s, ssl_env = self.server.ssl_adapter.wrap(s)
  File "/home/user/app/venv/lib/python3.8/site-packages/cheroot/ssl/builtin.py", line 277, in wrap
    s = self.context.wrap_socket(
  File "/usr/lib/python3.8/ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.8/ssl.py", line 1040, in _create
    self.do_handshake()
  File "/usr/lib/python3.8/ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: DECRYPTION_FAILED_OR_BAD_RECORD_MAC] decryption failed or bad record mac (_ssl.c:1131)

Is there a simple way for CherryPy to log this as a one-line error in the logs, or is there a way to fix it?



Solution 1:[1]

I encountered the same (and also SSLV3_ALERT_BAD_CERTIFICATE). My setup: CherryPy 18.5.0; Python 3.7

I use a self-signed certificate (I think this is the key info for the issue).

Due to the untrusted certificate, browsers indicate that it is not a properly secured connection. Users need to click to confirm that they still want to browse the pages. Access attempts from Edge or Chrome do not trigger this CherryPy error. Firefox seems to send something to the server even before it has made sure that the request is to go ahead (i.e. even before the confirmation).

IMHO, CherryPy should handle the SSL errors (catch the exceptions) and let the users handle them.

Since I cannot control users' browser selection, nor can I catch the SSL exception, my "solution" was to get the users to install the self-signed certificate. From that point on, they can browse the pages without a warning, and no such CherryPy error pops up in the logs anymore.

I know this is a pretty weak solution, but nobody answered, so I thought I'd share this, as it might help someone.
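
For the one-line logging the question asks about, the following added example (not part of the original question or answer, and not CherryPy's own code) uses a standard-library logging filter to collapse a handshake traceback into a single line while keeping a per-reason count. It assumes CherryPy writes these entries to the `cherrypy.error` logger with the traceback embedded in the message text, as the log above shows; `HandshakeErrorCollapser`, `install` and `collapse` are hypothetical names.

```python
import logging
import re

# Last line of an ssl.SSLError traceback: "ssl.SSLError: [SSL: REASON] text (_ssl.c:NNNN)"
_SSL_ERROR = re.compile(r"^ssl\.SSL\w*Error: \[SSL: (?P<reason>[A-Z0-9_]+)\]", re.M)


class HandshakeErrorCollapser(logging.Filter):
    """Rewrite multi-line TLS handshake tracebacks as a single log line."""

    def __init__(self):
        super().__init__()
        self.counts = {}  # reason -> occurrences, for periodic review

    def filter(self, record):
        text = record.getMessage()
        match = _SSL_ERROR.search(text)
        # Only touch failures raised while the handshake was in progress.
        if match is None or "do_handshake" not in text:
            return True
        reason = match.group("reason")
        self.counts[reason] = self.counts.get(reason, 0) + 1
        first_line = text.split("\n", 1)[0]
        record.msg = f"{first_line}: TLS handshake failed ({reason})"
        record.args = None
        return True  # keep the record, just shorter


def install(logger_name="cherrypy.error"):
    """Attach the filter; the logger name is an assumption about CherryPy."""
    collapser = HandshakeErrorCollapser()
    logging.getLogger(logger_name).addFilter(collapser)
    return collapser


# Constructed sample: the question's log entry with the middle frames omitted.
SAMPLE = (
    "[26/Nov/2021:02:50:39] ENGINE Error in HTTPServer.serve\n"
    "Traceback (most recent call last):\n"
    '  File "/usr/lib/python3.8/ssl.py", line 1309, in do_handshake\n'
    "    self._sslobj.do_handshake()\n"
    "ssl.SSLError: [SSL: DECRYPTION_FAILED_OR_BAD_RECORD_MAC] "
    "decryption failed or bad record mac (_ssl.c:1131)"
)


def collapse(text, collapser):
    """Run one message through the filter and return the resulting text."""
    record = logging.LogRecord("cherrypy.error", logging.ERROR, "demo", 0, text, None, None)
    collapser.filter(record)
    return record.getMessage()
```

Call `install()` once at startup, before the server starts; the returned object's `counts` shows how often each handshake failure reason occurred.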

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Netcreator