Bad Decompression Errors in OpenSSL 0.9.8a

Recently, we rolled out a Shibboleth Single Sign On
service to protect one of our services. However, we started recieving
intermittant login failures, both on our automated monitoring and from
customers. Curiously these failures tended to happen mostly in the
evening, which isn’t a peak time for us. Debugging showed that the
authentication worked, but the authorisaton was failing. Shibboleth
works as an apache module and daemom that protects a service, which
communicates with a webservice that does the authenication processing.
The log files were showing an occasional SSL error in this communcation

INFO shibtarget.SessionCache [43005] sessionGet: trying to get new attributes
      for session (ID=_d0cd2f93840bb92050b28fa73d19ce4f)
INFO SAML.SAMLSOAPHTTPBinding [43005] sessionGet: sending SOAP message to
ERROR SAML.SAMLSOAPHTTPBinding [43005] sessionGet: failed while contacting
      SAML responder: error:1408F06B:SSL routines:SSL3_GET_RECORD:bad
ERROR shibtarget.SessionCache [43005] sessionGet: caught SAML exception
      during SAML attribute query: SOAPHTTPBindingProvider::send() failed
      while contacting SAML responder: error:1408F06B:SSL
      routines:SSL3_GET_RECORD:bad decompression
ERROR shibtarget.SessionCache [43005] sessionGet: no response obtained

We didn’t manage to find any suitable solutions on the internet, so
we pulled out the trusty wireshark and started looking to see what was
going on. We could see that the client was advertising deflate and null
compression, and that the server was responding by asking for deflate
compression. However the client would then claim that there was a
decompression error in the servers response. This opened a few lines of
enquiry. I made sure that both ends of the connection were running the
same version of OpenSSL and they were both using 0.9.8a from Ubuntu
Dapper. Interestingly 0.9.8a is the first version that had compression
support. We found a couple of suggestions including forcing connections
to be SSL2, which lacked compression or recompiling openssl without zlib
support. As the former was easier, we tried that first by putting


in /etc/apache2/mods-enabled/ssl.conf as suggested by Debian
bug #338008
, and this seemed to work for around an hour. Packet
sniffing showed that it was still negotiating SSL3 including deflate
compression. Clearly we had to try something else.

Rather than recompile OpenSSL without zlib support, I thought I’d try
upgrading the version of OpenSSL to something later in case that fixed
the decompression bug. the version in Hardy is 0.9.8g, which sadly
required recompiling and disabling the Ubuntu change to enable
-Bsymbolic-functions during linking. Installing this on the
client end didn’t fix the problem, however installing it on the server
end seemed to fix it. So far it’s been running for 24 hours without an
error, so fingers crossed that this has fixed it for good.

3 thoughts on “Bad Decompression Errors in OpenSSL 0.9.8a

  1. Hello!

    So did this solve your problem? I too have these errors, mostly after I start the Shib SP. They tend to disappear after it’s been running for a while.

    I thought it was the internal firewall but haven’t had time yet. My IDP runs on Debian Etch so it has openssl 0.9.8c-4etch1.

    Best regards,
    André Cruz

  2. Leonhard Maylein
    on said:

    We have the same problem and it also disappears after about a hour.
    IDP and SP runs on the same machine (Ubuntu 6.06 LTS) with openssl-0.9.8a-7ubuntu.
    Is there a final solution?
    Will Shibboleth v2.0 help?

  3. We also found this issue.  The Apache changes didn’t make a difference, so we simply rebuilt the CentOS 5.2 OpenSSL source RPM without zlib support.  It seems the Shibboleth guys are acknowledging the issue:

    Although their suggestions are not so elegant.  Instead of a search and replace, simply remove zlib-devel from the BuildRequires and Requires lines.  Then under the Configure statement, replace zlib with no-zlib

    This solved our issue immediately…

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>