Author Topic: SPECvirt WEB workload errors with cipher  (Read 8970 times)

bcarson

  • Newbie
  • *
  • Posts: 32
  • Karma: +1/-0
SPECvirt WEB workload errors with cipher
« on: May 11, 2015, 02:33:25 PM »
Hello,

Please advise on next steps.
We are actually still having issues with the cipher stuff.  Per the earlier email the expected cipher supported by the system under test is: SSLv3, cipher SSL_RSA_WITH_RC4_128_MD5.

From the client I am able to connect to the system under test successfully using openssl and the specific cipher and ssl version:

[root@g1llloadgen002 logs]# openssl s_client -cipher 'RC4-MD5' -ssl3 -connect webserver:443
CONNECTED(00000003)
depth=0 /C=XX/L=Default City/O=Default Company Ltd
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=XX/L=Default City/O=Default Company Ltd
verify return:1
---
Certificate chain
 0 s:/C=XX/L=Default City/O=Default Company Ltd
   i:/C=XX/L=Default City/O=Default Company Ltd
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICUjCCAbugAwIBAgIJAMkb2SaLrBaSMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNV
BAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQg
Q29tcGFueSBMdGQwHhcNMTUwNTA1MjM1NzQxWhcNMTUwNjA0MjM1NzQxWjBCMQsw
CQYDVQQGEwJYWDEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZh
dWx0IENvbXBhbnkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDc2IEI
AYoHHhPB/MD93DeDcLC7OuPxXR73WrcIiyRt7NSe6R+cWiiGxuex4XJzSDsWEvQv
RsspkG02eZ/NJ0pmHxDBd8rq8DkuA7krjxJHY/qDt0zfoKXf54bzbVgxD6xhf+CB
ETjCSrqLPSFyqf4nJ5XBNNPGJuwI9jtBMe8GoQIDAQABo1AwTjAdBgNVHQ4EFgQU
CGOdUUYcl5h5LzVE3CMbOL808zIwHwYDVR0jBBgwFoAUCGOdUUYcl5h5LzVE3CMb
OL808zIwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOBgQB72EfZlKbDVe0I
jubFCIWa9/mdTPJpHXIHURrO2Y0M0ligbHcIr0Pmrt3b1uRrmzTkVdoqT2q0e7mq
PN95b25dX7xuczZ5KUyc0LYVQ+cP/AEg/2zmt2DmvBihUGhO73f85QnzPrtiUrzw
HvV8OmvjAsO6x5uBZhBE+fiAumbHVA==
-----END CERTIFICATE-----
subject=/C=XX/L=Default City/O=Default Company Ltd
issuer=/C=XX/L=Default City/O=Default Company Ltd
---
No client certificate CA names sent
---
SSL handshake has read 775 bytes and written 257 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : RC4-MD5
    Session-ID: 8133AB1093A222C27E5DA858AB63E6B8C824726A856EFD3EE853FDDD5F1B4BE3
    Session-ID-ctx:
    Master-Key: 5F6D3B9DA87AAC674428C0DBD4BD21F36EF3B4DC223F407B110ECB9BD38B221AF0477062D248F7744841E715973D390C
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1431366168
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---
GET /Support/ HTTP/1.1
<html><head>
              <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
              <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7">
              <meta name="viewport" content="width=device-width"><script type='text/javascript'>try{document.cookie = 'fjccheck=1';}catch(exception){}</script></head><frameset rows="100%,*" frameborder="no" border="0" framespacing="0">
   <frame src="http://www.http.com/?ga=HmqeklKbLYewQfbEUM3m4JBMgfoAUvPF6Pdoi9NYMx8s23%2BRSrUdOHY3NX81rwnY%2BR1J5pyFO%2BgQKZmdH4g%2BXA%3D%3D&gerf=eJPijblwIkatK9bXiAJRpxMn0f6XrOFY3YJlen9yveo%3D&guro=dX1cp6tjohVsltOURHeF6SD%2FmLRonwh4JCcCbfgHiiD%2BcEExziCASIQuB8Ry2PEt&">
</frameset>
<noframes>
   <body bgcolor="#ffffff" text="#000000">
   <a href="http://www.http.com/rg-erdr.php?_rpo=t n8S7Htr&_rdm=9f1NJXWBsNf93a5.JvV&p=5f95%7C%40%7C5f95%7C%40%7Ciii.0rr+.JvV%7C%40%7CfB%7C%40%7C%7C%40%7CZzbHzEZHE%7C%40%7Czbb%7C%40%7C39%7C%40%7C%7C%40%7Ct+nh8llbj%7C%40%7Ct+7zFZKFH&ga=HmqeklKbLYewQfbEUM3m4JBMgfoAUvPF6Pdoi9NYMx8s23%2BRSrUdOHY3NX81rwnY%2BR1J5pyFO%2BgQKZmdH4g%2BXA%3D%3D&t=nfrm">Click here to proceed</a>.
   </body>
</noframes></html>

Where per: https://www.openssl.org/docs/apps/ciphers.html under ssl v3.0: SSL_RSA_WITH_RC4_128_MD5  is  RC4-MD5

To be doubly sure I reconfigured apache to accept all ssl versions and all cipher suites.  Specvirt is still complaining of the exact same ssl connection error:

2015-05-06 09:25:51:414 SPECweb_Support: [ERROR] STATE 0; makeHttpRequest() failed.
2015-05-06 09:25:51:475 SslConnection: [ERROR] IOException during SSL handshake: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
2015-05-06 09:25:51:475 Connection: [ERROR] createSocket() failed.
2015-05-06 09:25:51:476 SslConnection: [ERROR] IOException during SSL handshake: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
2015-05-06 09:25:51:477 Connection: [ERROR] Write to socket failed! IOException was: javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropiate)
2015-05-06 09:25:51:477 SslConnection: [ERROR] IOException during SSL handshake: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)

AnoopGupta

  • Jr. Member
  • **
  • Posts: 60
  • Karma: +0/-0
Re: SPECvirt WEB workload errors with cipher
« Reply #1 on: May 11, 2015, 02:54:13 PM »
Could you please confirm that you do have the following set on your client(s)?

In SPECweb2005/Test.config:
# The SSL protocol and cipher to use for SSL connections
SSL_PROTOCOL = "SSLv3"
SSL_CIPHER = "SSL_RSA_WITH_RC4_128_MD5"



AnoopGupta

  • Jr. Member
  • **
  • Posts: 60
  • Karma: +0/-0
Re: SPECvirt WEB workload errors with cipher
« Reply #2 on: May 11, 2015, 03:04:37 PM »
If you still see this issue:
  • Enable debugging in Test.config: DEBUG_LEVEL = 3
  • Ensure firewall is disabled
  • Attach complete client harness log file showing SSL exception

klindgren

  • Newbie
  • *
  • Posts: 5
  • Karma: +0/-0
Re: SPECvirt WEB workload errors with cipher
« Reply #3 on: May 11, 2015, 04:23:00 PM »
Hello,

Please see attached log file.  Additionally, iptables is not running/enabled on any of the systems and no rules are loaded. Iptables-save on both the client and the SUT result in nothing being returned.

Additionaly,  OpenSSL is able to make this request succesfully:

[root@g1llloadgen002 SPECvirt]# openssl s_client -cipher 'RC4-MD5' -ssl3 -connect webserver:443
CONNECTED(00000003)
depth=0 /C=XX/L=Default City/O=Default Company Ltd
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=XX/L=Default City/O=Default Company Ltd
verify return:1
---
Certificate chain
 0 s:/C=XX/L=Default City/O=Default Company Ltd
   i:/C=XX/L=Default City/O=Default Company Ltd
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICUjCCAbugAwIBAgIJAMkb2SaLrBaSMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNV
BAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQg
Q29tcGFueSBMdGQwHhcNMTUwNTA1MjM1NzQxWhcNMTUwNjA0MjM1NzQxWjBCMQsw
CQYDVQQGEwJYWDEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZh
dWx0IENvbXBhbnkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDc2IEI
AYoHHhPB/MD93DeDcLC7OuPxXR73WrcIiyRt7NSe6R+cWiiGxuex4XJzSDsWEvQv
RsspkG02eZ/NJ0pmHxDBd8rq8DkuA7krjxJHY/qDt0zfoKXf54bzbVgxD6xhf+CB
ETjCSrqLPSFyqf4nJ5XBNNPGJuwI9jtBMe8GoQIDAQABo1AwTjAdBgNVHQ4EFgQU
CGOdUUYcl5h5LzVE3CMbOL808zIwHwYDVR0jBBgwFoAUCGOdUUYcl5h5LzVE3CMb
OL808zIwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOBgQB72EfZlKbDVe0I
jubFCIWa9/mdTPJpHXIHURrO2Y0M0ligbHcIr0Pmrt3b1uRrmzTkVdoqT2q0e7mq
PN95b25dX7xuczZ5KUyc0LYVQ+cP/AEg/2zmt2DmvBihUGhO73f85QnzPrtiUrzw
HvV8OmvjAsO6x5uBZhBE+fiAumbHVA==
-----END CERTIFICATE-----
subject=/C=XX/L=Default City/O=Default Company Ltd
issuer=/C=XX/L=Default City/O=Default Company Ltd
---
No client certificate CA names sent
---
SSL handshake has read 775 bytes and written 257 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : RC4-MD5
    Session-ID: 0261ABBDC5DDC6E8A53909D69F5327ECF725306407C122F4C274DF2343F267EB
    Session-ID-ctx:
    Master-Key: 880835E48A72B1F69A89ADA8A079DD91223DCF47144F316938F91AC79ACD60A207E70C99D5DD922E8BD69C11209DABEB
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1431375330
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---
GET /support/index.php HTTP/1.1
HTTP/1.1 408 Request Timeout
Date: Mon, 11 May 2015 20:15:33 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips PHP/5.4.16
Content-Length: 221
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>408 Request Timeout</title>
</head><body>
<h1>Request Timeout</h1>
<p>Server timeout waiting for the HTTP request from the client.</p>
</body></html>
read:errno=0
[root@g1llloadgen002 SPECvirt]#


klindgren

  • Newbie
  • *
  • Posts: 5
  • Karma: +0/-0
Re: SPECvirt WEB workload errors with cipher
« Reply #4 on: May 14, 2015, 12:55:23 PM »
Bueller?

AnoopGupta

  • Jr. Member
  • **
  • Posts: 60
  • Karma: +0/-0
Re: SPECvirt WEB workload errors with cipher
« Reply #5 on: May 14, 2015, 02:06:32 PM »
I haven't seen a response to my question:

Could you please confirm that you do have the following set on your client(s)?

In SPECweb2005/Test.config:
# The SSL protocol and cipher to use for SSL connections
SSL_PROTOCOL = "SSLv3"
SSL_CIPHER = "SSL_RSA_WITH_RC4_128_MD5"

klindgren

  • Newbie
  • *
  • Posts: 5
  • Karma: +0/-0
Re: SPECvirt WEB workload errors with cipher
« Reply #6 on: May 14, 2015, 02:17:34 PM »
Yes,

SSL_PROTOCOL = "SSLv3"
SSL_CIPHER = "SSL_RSA_WITH_RC4_128_MD5"

Is set in SPECweb2005/Test.config, on both the webserver and the client server.

ChrisFloyd

  • Moderator
  • Jr. Member
  • *****
  • Posts: 52
  • Karma: +2/-0
Re: SPECvirt WEB workload errors with cipher
« Reply #7 on: May 14, 2015, 02:59:32 PM »
Which Java JRE are you using on your client?  Can you please provide the output of:

# java -version


bcarson

  • Newbie
  • *
  • Posts: 32
  • Karma: +1/-0
Re: SPECvirt WEB workload errors with cipher
« Reply #8 on: May 14, 2015, 03:06:15 PM »
[root@g1llloadgen002 opt]# java -version
java version "1.7.0_79"
Java(TM) SE Runtime Environment (build 1.7.0_79-b15)
Java HotSpot(TM) 64-Bit Server VM (build 24.79-b02, mixed mode)

AnoopGupta

  • Jr. Member
  • **
  • Posts: 60
  • Karma: +0/-0
Re: SPECvirt WEB workload errors with cipher
« Reply #9 on: May 14, 2015, 03:40:24 PM »
As noted in: http://www.oracle.com/technetwork/java/javase/7u75-relnotes-2389086.html :

Starting with JDK 7u75 release, the SSLv3 protocol (Secure Socket Layer) has been deactivated and is not available by default. See the java.security.Security property jdk.tls.disabledAlgorithms in <JRE_HOME>/lib/security/java.security file.

If SSLv3 is absolutely required, the protocol can be reactivated by removing "SSLv3" from the jdk.tls.disabledAlgorithms property in the java.security file or by dynamically setting this Security property to "true" before JSSE is initialized.

Please let us know if this resolves the issue.

Thanks,
Anoop

klindgren

  • Newbie
  • *
  • Posts: 5
  • Karma: +0/-0
Re: SPECvirt WEB workload errors with cipher
« Reply #10 on: May 14, 2015, 08:05:04 PM »
Thank you - that solved the issue.

AnoopGupta

  • Jr. Member
  • **
  • Posts: 60
  • Karma: +0/-0
Re: SPECvirt WEB workload errors with cipher
« Reply #11 on: May 15, 2015, 04:57:45 PM »
Hi Kris,

Appreciate your update. Very glad that you got it working.

Thanks,
Anoop