SPEC Community
Product Support => SPECvirt_sc2013 => Topic started by: aakel on September 19, 2016, 02:57:28 PM
-
In running the full SPECvirt-2013 benchmark, I'm receiving the following error messages:
Clientmgr1_1088.out:-> 2016-09-19 00:41:16:544 SslConnection: [ERROR] IOException during SSL handshake: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Clientmgr1_1088.out:-> 2016-09-19 00:41:16:544 SslConnection: [ERROR] IOException during SSL handshake: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Clientmgr1_1088.out:-> 2016-09-19 00:41:22:535 Connection: [ERROR] Write to socket failed! IOException was: javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Clientmgr1_1088.out:-> 2016-09-19 00:41:22:535 Connection: [ERROR] Write to socket failed! IOException was: javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
I can provide the full log files, if those help out. I looked through the documentation, and I was able to find and fix a previous problem (where SSLv3 was disabled in my version of Java). After fixing that issue, this one cropped up. I can validate that the web server is listening on port 443, but this issue is preventing me from moving forward.
I would appreciate any help that you all can provide.
Thanks!
-
Hello. What version of Java are you running?
On the webserver in /opt/SPECweb2005/Test.config, ensure that SSL_PROTOCOL = "SSLv3" and SSL_CIPHER = "SSL_RSA_WITH_RC4_128_MD5".
Please let us know.
-
I'm using Java 1.7.0_111:
[webserver1 ~]$ java -version
java version "1.7.0_111"
OpenJDK Runtime Environment (rhel-2.6.7.2.el7_2-x86_64 u111-b01)
OpenJDK 64-Bit Server VM (build 24.111-b01, mixed mode)
Both of those options are set in /opt/SPECweb2005/Test.config:
<snip>
# The SSL protocol and cipher to use for SSL connections
SSL_PROTOCOL = "SSLv3"
SSL_CIPHER = "SSL_RSA_WITH_RC4_128_MD5"
</snip>
-
Also, since I saw the request in a previous post, I've also removed "SSLv3" from the jdk.tls.disabledAlgorithms:
/usr/lib/jvm/java-openjdk/jre/lib/security/java.security:
<snip>
jdk.tls.disabledAlgorithms=MD5withRSA, DH keySize < 768
</snip>
-
I believe I've solved the issue. For the benefit of others who run into this problem (seems to be prevalent with modern versions of CentOS: 7+), I'm not sure which change actually fixed things (because I haven't root-caused yet), but a few changes that likely contributed include:
1. Removing "MD5withRSA" from the disabledAlgorithms field in .../jre/lib/security/java.security (since SPECvirt assumes an MD5-based SSLv3 cipher).
2. Adding "SSL_RSA_WITH_RC5_128_MD5" to the jdk.tls.legacyAlgorithms list in .../jre/lib/security/java.security.
3. Modern versions of Apache's web server appear to block MD5-based ciphers by default, so I removed "!MD5" from the SSLCipherSuite list in /etc/httpd/conf.d/ssl.conf.
-
Thanks so much for investigating this. We'll investigate as well and put this in the FAQ.
-
I noticed that some of these fixes made it into a new release of SPECvirt. How can I go about acquiring the new version? I'm not sure that the purchasing person that SPEC will contact will know to contact me about the new version.
-
Please contact info@spec.org for your copy.
-
A question about #2 below: should this be "SSL_RSA_WITH_RC4_128_MD5"?
-- Tom
I believe I've solved the issue. For the benefit of others who run into this problem (seems to be prevalent with modern versions of CentOS: 7+), I'm not sure which change actually fixed things (because I haven't root-caused yet), but a few changes that likely contributed include:
1. Removing "MD5withRSA" from the disabledAlgorithms field in .../jre/lib/security/java.security (since SPECvirt assumes an MD5-based SSLv3 cipher).
2. Adding "SSL_RSA_WITH_RC5_128_MD5" to the jdk.tls.legacyAlgorithms list in .../jre/lib/security/java.security.
3. Modern versions of Apache's web server appear to block MD5-based ciphers by default, so I removed "!MD5" from the SSLCipherSuite list in /etc/httpd/conf.d/ssl.conf.
-
Yes, it should have been RC4 and not RC5.
-
Thanks, Tom. We updated the Technical Support FAQ @ https://www.spec.org/virt_sc2013/docs/SPECvirt_TechnicalSupport.html with this info.
Lisa
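An added example, not part of any post in this thread and not SPEC's code: a small check that reads the three settings discussed above (Test.config, jdk.tls.disabledAlgorithms in java.security, SSLCipherSuite in ssl.conf) and reports which of them would stop the configured protocol and cipher from negotiating. The function names, the sample file contents and the name-based matching are assumptions; the matching is a simplification of what the JVM and OpenSSL actually do.

```python
import re

def read_props(text):
    """Parse key = value lines (java.security / Test.config style)."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):          # value continues on the next line
            pending += line[:-1]
            continue
        key, _, value = (pending + line).partition("=")
        props[key.strip()] = value.strip().strip('"')
        pending = ""
    return props

def suite_parts(suite):
    """Simplified split: SSL_RSA_WITH_RC4_128_MD5 -> suite, RSA, RC4_128, RC4, MD5."""
    kx, _, rest = suite.split("_", 1)[1].partition("_WITH_")
    cipher, _, mac = rest.rpartition("_")
    return {suite, kx, cipher, cipher.split("_")[0], mac}

def diagnose(test_config, java_security, ssl_conf):
    """List the settings that stop the configured protocol/cipher from negotiating."""
    cfg = read_props(test_config)
    proto, parts = cfg["SSL_PROTOCOL"], suite_parts(cfg["SSL_CIPHER"])
    raw = read_props(java_security).get("jdk.tls.disabledAlgorithms", "")
    disabled = {tok.strip() for tok in raw.split(",")}
    findings = []
    if proto in disabled:
        findings.append("java.security disables protocol " + proto)
    # Name matching only: entries such as "MD5withRSA" or "DH keySize < 768" are not evaluated.
    findings += ["java.security disables " + p for p in sorted(parts & disabled)]
    m = re.search(r"^\s*SSLCipherSuite\s+(.+)$", ssl_conf, re.M)
    for tok in (m.group(1).strip().split(":") if m else []):
        if tok.startswith("!") and tok[1:] in parts:
            findings.append("ssl.conf excludes " + tok[1:])
    return findings

# Constructed sample inputs: one configuration with the blocks in place, one edited as in the thread.
TEST_CONFIG = 'SSL_PROTOCOL = "SSLv3"\nSSL_CIPHER = "SSL_RSA_WITH_RC4_128_MD5"\n'
BEFORE = ("jdk.tls.disabledAlgorithms=SSLv3, RC4, \\\n    MD5withRSA, DH keySize < 768\n",
          "SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5\n")
AFTER = ("jdk.tls.disabledAlgorithms=MD5withRSA, DH keySize < 768\n",
         "SSLCipherSuite HIGH:MEDIUM:!aNULL\n")

if __name__ == "__main__":
    for label, (jsec, httpd) in (("before", BEFORE), ("after", AFTER)):
        print(label, diagnose(TEST_CONFIG, jsec, httpd))
```

Run against the real files, the same report also serves as a record of which SSLv3, RC4 and MD5 blocks were lifted for the benchmark, so they can be restored afterwards.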