I run specvirt in a QA environment on successive OS development builds, and while I had a successful config for some time, I later had compatibility issues with newer openssl versions and lack of SSLv3 support.
I was very happy to see the added support for TLSv1.2 in specvirt-1.1 and am in the process of configuring this newer version to use TLSv1.2 with TLS_RSA_WITH_AES_128_GCM_SHA256, which are in SPEC's recommended list.
I am getting the following error from the specweb workload, however:
------------------------------------------------------------------------------------
/opt/SPECvirt/logs/20161118-172011
oaf783-kz-1# more client-192.168.1.8_1010.log
2016-11-18 17:20:12:132 Creating specwebclient using RMI Registry port 1010
2016-11-18 17:20:12:158 oaf783-kz-1:1010 ready...
2016-11-18 17:20:47:168 LoadGenerator: Setting sleep delay.
2016-11-18 17:20:53:596 specwebclient: setting tile ID to 0
2016-11-18 17:20:53:601 Looking up polling host: webserver:8001
2016-11-18 17:20:54:694 LoadGenerator: Ramping up for 150 seconds.
2016-11-18 17:20:54:694 LoadGenerator: Starting 2500 threads.
2016-11-18 17:20:54:781 SslConnection: [ERROR] IllegalArgumentException: java.lang.IllegalArgumentException: Unsupported ciphersuite TLS_RSA_WITH_AES_128_GCM_SHA256
2016-11-18 17:20:54:781 SslConnection: [ERROR] IllegalArgumentException: java.lang.IllegalArgumentException: Unsupported ciphersuite TLS_RSA_WITH_AES_128_GCM_SHA256
The relevant entries in the config files are as follows (I have added blank lines to show the match in cipher suite):
-------------------------------------------------------------------------------------------------------------------------------------------
(/opt/SPECweb2005/Test.config snippet)
# The SSL protocol to use for secure (encrypted) connections
# The protocol MUST be one of the following: SSLv3, TLSv1, TLSv1.1, or TLSv1.2
# This field must match WEB.ENCRYPT_PROTOCOL in /opt/SPECvirt/Testbed.config
#SSL_PROTOCOL = "SSLv3"
SSL_PROTOCOL = "TLSv1.2"
# The encryption cipher used with the encyption protocol
# Note, not all combinations of encryption protocol and cipher are valid.
# See section 3.3.1 of the NIST publication 800-52 for details.
#
# Link: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf
#
# The cipher MUST be one of the following:
#
# SSL_RSA_WITH_RC4_128_MD5
# TLS_RSA_WITH_3DES_EDE_CBC_SHA
# TLS_RSA_WITH_AES_128_CBC_SHA
# TLS_RSA_WITH_AES_256_CBC_SHA
# TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
# TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
# TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
# TLS_RSA_WITH_AES_128_GCM_SHA256
# TLS_RSA_WITH_AES_256_GCM_SHA384
# TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
# TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
# TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
# TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
#
# This field must match WEB.ENCRYPT_CIPHER in /opt/SPECvirt/Testbed.config
#SSL_CIPHER = "SSL_RSA_WITH_RC4_128_MD5"
SSL_CIPHER = "TLS_RSA_WITH_AES_128_GCM_SHA256"
#SSL_CIPHER = "TLS_RSA_WITH_AES_256_GCM_SHA384"
(/opt/SPECvirt/Testbed.config snippet)
# The encryption protocol used for client and webserver communications.
# The protocol MUST be one of the following: SSLv3, TLSv1, TLSv1.1, TLSv1.2
# This field must match SSL_PROTOCOL in /opt/SPECweb2005/Test.config
#
#WEB.ENCRYPT_PROTOCOL = "SSLv3"
WEB.ENCRYPT_PROTOCOL = "TLSv1.2"
# The encryption cipher used with the encyption protocol
# Note, not all combinations of encryption protocol and cipher are valid.
# See section 3.3.1 of the NIST publication 800-52 for details.
#
# Link: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf
#
# The cipher MUST be one of the following:
#
# SSL_RSA_WITH_RC4_128_MD5
# TLS_RSA_WITH_3DES_EDE_CBC_SHA
# TLS_RSA_WITH_AES_128_CBC_SHA
# TLS_RSA_WITH_AES_256_CBC_SHA
# TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
# TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
# TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
# TLS_RSA_WITH_AES_128_GCM_SHA256
# TLS_RSA_WITH_AES_256_GCM_SHA384
# TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
# TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
# TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
# TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
#
# This field must match SSL_CIPHER in /opt/SPECweb2005/Test.config
#
#WEB.ENCRYPT_CIPHER = "SSL_RSA_WITH_RC4_128_MD5"
WEB.ENCRYPT_CIPHER = "TLS_RSA_WITH_AES_128_GCM_SHA256"
#WEB.ENCRYPT_CIPHER = "TLS_RSA_WITH_AES_256_GCM_SHA384"
The above seems to match o.k.
The cipher suite also matches my setup when I test it with the openssl command line, which also proves that there are no connectivity issues.
(Note: I have removed the self-signed signature details below, but they are reported as normal.)
oaf783-kz-1# openssl s_client -showcerts -connect webserver1:443
CONNECTED(00000004)
depth=0 <remainder removed by me>
verify error:num=18:self signed certificate
verify return:1
depth=0 <remainder removed by me>
verify return:1
---
Certificate chain
0 s:/C=<removed by me>
i:/C=<removed by me>
---
Server certificate
subject=<removed by me>
issuer=<removed by me>
No client certificate CA names sent
---
SSL handshake has read 1275 bytes and written 613 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES128-GCM-SHA256
Session-ID: 0390ED0EA358E542E879F1881E89B8CCBACA6FFF18F7F52080E06C95C83622F2
Session-ID-ctx:
Master-Key: 55F78612B155A5FDCA16C8BFC1150C0301ED2677B23992093FD9B556949A356181D955DD5390171162ACD583BB6D5A4C
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 100 (seconds)
Start Time: 1479492470
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
closed
AES128-GCM-SHA256 is in the list of ciphers on the webserver, as follows:
---------------------------------------------------------------------------------------------
webserver1# openssl ciphers -v | grep AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
DH-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=AESGCM(128) Mac=AEAD
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(128) Mac=AEAD
DH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
apache ssl.conf
-----------------------
webserver1# pwd
/etc/apache2/2.4/conf.d
webserver1# more ssl.conf
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLSessionCache "shmcb:/var/run/apache2/2.4/ssl_scache(512000)"
SSLSessionCacheTimeout 100
Listen 443
<VirtualHost webserver:443>
SSLEngine on
SSLProtocol all -SSLv3
#SSLCipherSuite AES128-SHA256
SSLCipherSuite AES128-GCM-SHA256
#SSLCipherSuite AES256-GCM-SHA384
# SPECvirt_sc2013 changes for webserver
ServerName webserver:443
SSLCertificateFile "/etc/openssl/perfqe/server.crt"
SSLCertificateKeyFile "/etc/openssl/perfqe/server.key"
</VirtualHost>
The apache access log shows the following:
-------------------------------------------------------
192.168.1.8 - - [18/Nov/2016:17:20:46 +0000] "GET /support/init.php?BESIM_HOST=infraserver&BESIM_PORT=81&BESIM_URI=/fcgi-bin/besim_fcgi.fcgi&BESIM_PERSISTENT=false&PADDING_DIR=/var/www/html/support/dynamic_padding/&SMARTY_DIR=/var/www/html/Smarty-2.6.26/libs/&SMARTY_SUPPORT_DIR=/var/www/html/support/&SEND_CONTENT_LENGTH=true HTTP/1.1" 200 559
192.168.1.8 - - [18/Nov/2016:17:24:22 +0000] "-" 408 -
192.168.1.8 - - [18/Nov/2016:18:08:10 +0000] "-" 408 -
Software versions are as follows:
Prime client
----------------
Java(TM) SE Runtime Environment (build 1.7.0_80-b15)
webserver
---------------
Apache/2.4.23 (Unix) OpenSSL/1.0.2j
Am I missing something here?
Could this be a symptom of a different configuration mistake on my part?
Any help is greatly appreciated.
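
Added example (not part of the original post and not SPEC's code): the openssl s_client test above exercises OpenSSL on the client host, while the "Unsupported ciphersuite" exception in the log is raised inside the Java TLS stack used by the load generator. The small program below asks the client's own JVM whether it supports a given protocol and cipher suite; the class name CipherCheck and its argument handling are assumptions made for this illustration.

```java
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Hypothetical helper: run it with the same java binary that starts specwebclient.
// Usage: java CipherCheck [protocol] [cipherSuite]
public class CipherCheck {
    public static void main(String[] args) throws Exception {
        // Defaults mirror SSL_PROTOCOL / SSL_CIPHER from the Test.config snippet.
        String protocol = args.length > 0 ? args[0] : "TLSv1.2";
        String suite = args.length > 1 ? args[1] : "TLS_RSA_WITH_AES_128_GCM_SHA256";

        System.out.println("java.version : " + System.getProperty("java.version"));
        System.out.println("java.vendor  : " + System.getProperty("java.vendor"));

        // Throws NoSuchAlgorithmException if the JVM has no provider for the protocol.
        SSLContext ctx = SSLContext.getInstance(protocol);
        ctx.init(null, null, null); // default key managers, trust managers, RNG
        SSLEngine engine = ctx.createSSLEngine();

        List<String> protocols = Arrays.asList(engine.getSupportedProtocols());
        List<String> suites = Arrays.asList(engine.getSupportedCipherSuites());
        System.out.println(protocol + " supported by JVM: " + protocols.contains(protocol));
        System.out.println(suite + " supported by JVM: " + suites.contains(suite));

        // List what the JVM does offer in the same family, to pick an alternative
        // that is also on the allowed list in Test.config / Testbed.config.
        System.out.println("AES suites known to this JVM:");
        for (String s : suites) {
            if (s.contains("_AES_")) {
                System.out.println("  " + s);
            }
        }

        // Reproduce the client's failure path: enabling a suite the JVM does not
        // support throws IllegalArgumentException, as seen in the client log.
        try {
            engine.setEnabledProtocols(new String[] { protocol });
            engine.setEnabledCipherSuites(new String[] { suite });
            System.out.println("RESULT: JVM accepts " + protocol + " with " + suite);
        } catch (IllegalArgumentException e) {
            System.out.println("RESULT: JVM rejects the setting: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

A rejection here means the failure is on the client JVM side and happens before any handshake reaches the web server, regardless of what Apache and OpenSSL on the server accept.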