SPEC Community

Product Support => SPECvirt_sc2013 => Topic started by: aakel on September 19, 2016, 02:57:28 PM

Title: Webserver VM Errors: handshake_failure
Post by: aakel on September 19, 2016, 02:57:28 PM

In running the full SPECvirt-2013 benchmark, I'm receiving the following error messages:

Clientmgr1_1088.out:-> 2016-09-19 00:41:16:544 SslConnection: [ERROR] IOException during SSL handshake: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Clientmgr1_1088.out:-> 2016-09-19 00:41:16:544 SslConnection: [ERROR] IOException during SSL handshake: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Clientmgr1_1088.out:-> 2016-09-19 00:41:22:535 Connection: [ERROR] Write to socket failed! IOException was: javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Clientmgr1_1088.out:-> 2016-09-19 00:41:22:535 Connection: [ERROR] Write to socket failed! IOException was: javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

I can provide the full log files, if those help out.  I looked through the documentation, and I was able to find and fix a previous problem (where SSLv3 was disabled in my version of Java).  After fixing that issue, this one cropped up.  I can validate that the web server is listening on port 443, but this issue is preventing me from moving forward.

I would appreciate any help that you all can provide.

Thanks!

Title: Re: Webserver VM Errors: handshake_failure
Post by: lroderic on September 19, 2016, 05:16:07 PM

Hello. What version of Java are you running?

On the webserver in /opt/SPECweb2005/Test.config, ensure that SSL_PROTOCOL = "SSLv3" and SSL_CIPHER = "SSL_RSA_WITH_RC4_128_MD5".

Please let us know.

Title: Re: Webserver VM Errors: handshake_failure
Post by: aakel on September 19, 2016, 05:24:57 PM

I'm using java 1.7.0_111:

Code: [Select]

[webserver1 ~]$ java -version
java version "1.7.0_111"
OpenJDK Runtime Environment (rhel-2.6.7.2.el7_2-x86_64 u111-b01)
OpenJDK 64-Bit Server VM (build 24.111-b01, mixed mode)
Both of those options are set in /opt/SPECweb2005/Test.config:

Code: [Select]

<snip>
# The SSL protocol and cipher to use for SSL connections
SSL_PROTOCOL = "SSLv3"
SSL_CIPHER = "SSL_RSA_WITH_RC4_128_MD5"
</snip>

Title: Re: Webserver VM Errors: handshake_failure
Post by: aakel on September 19, 2016, 06:14:45 PM

Also, since I saw the request in a previous post, I've also removed "SSLv3" from the jdk.tls.disabledAlgorithms:
/usr/lib/jvm/java-openjdk/jre/lib/security/java.security:

Code: [Select]

<snip>
jdk.tls.disabledAlgorithms=MD5withRSA, DH keySize < 768
</snip>

Title: Re: Webserver VM Errors: handshake_failure
Post by: aakel on September 19, 2016, 11:12:20 PM

I believe I've solved the issue.  For the benefit of others who run into this problem (seems to be prevalent with modern versions of Centos: 7+).  I'm not sure which change actually fixed things (because I haven't root-caused yet), but a few changes that likely contributed include:
1. Removing "MD5withRSA" from the disabledAlgorithms field in .../jre/lib/security/java.security (since SPECvirt assumes and MD5-based SSLv3 cipher).
2. Adding "SSL_RSA_WITH_RC5_128_MD5" to the jdk.tls.legacyAlgorithms list in .../jre/lib/security/java.security.
3. Modern versions of Apache's web server appear to block MD5-based ciphers by default, so I removed "!MD5" from the SSLCipherSuite list in /etc/httpd/conf.d/ssl.conf.

Title: Re: Webserver VM Errors: handshake_failure
Post by: lroderic on September 20, 2016, 01:45:25 PM

Thanks so much for investigating this. We'll investigate as well and put this in the FAQ.

Title: Re: Webserver VM Errors: handshake_failure
Post by: aakel on October 12, 2016, 12:23:14 PM

I noticed that some of these fixes made it into a new release of SPECvirt.  How can I go about acquiring the new version?  I'm not sure that the purchasing person that SPEC will contact will know to contact me about the new version.

Title: Re: Webserver VM Errors: handshake_failure
Post by: lroderic on October 13, 2016, 03:40:36 PM

Please contact info@spec.org for your copy.

Title: Re: Webserver VM Errors: handshake_failure
Post by: tdeneau on January 18, 2017, 02:45:57 PM

A question about #2 below, should this be "SSL_RSA_WITH_RC4_128_MD5" ?

-- Tom

Quote from: aakel on September 19, 2016, 11:12:20 PM

I believe I've solved the issue.  For the benefit of others who run into this problem (seems to be prevalent with modern versions of Centos: 7+).  I'm not sure which change actually fixed things (because I haven't root-caused yet), but a few changes that likely contributed include:
1. Removing "MD5withRSA" from the disabledAlgorithms field in .../jre/lib/security/java.security (since SPECvirt assumes and MD5-based SSLv3 cipher).
2. Adding "SSL_RSA_WITH_RC5_128_MD5" to the jdk.tls.legacyAlgorithms list in .../jre/lib/security/java.security.
3. Modern versions of Apache's web server appear to block MD5-based ciphers by default, so I removed "!MD5" from the SSLCipherSuite list in /etc/httpd/conf.d/ssl.conf.

Title: Re: Webserver VM Errors: handshake_failure
Post by: AnoopGupta on January 18, 2017, 03:49:03 PM

Yes, it should have been RC4 and not RC5.

Title: Re: Webserver VM Errors: handshake_failure
Post by: lroderic on January 24, 2017, 03:12:46 PM

Thanks, Tom. We updated the Technical Support FAQ @ https://www.spec.org/virt_sc2013/docs/SPECvirt_TechnicalSupport.html with this info.

Lisa