Author Topic: specvirt-1.1 : Unsupported ciphersuite TLS_RSA_WITH_AES_128_GCM_SHA256  (Read 10847 times)

andchri

  • Newbie
  • *
  • Posts: 9
  • Karma: +1/-0
I run specvirt in a QA environment on successive os development builds and while I had a successful config for some time I  later had compatibility issues with newer openssl versions and lack of SSLv3 support.

I was very happy to see the added support for TLSv1.2 in specvirt-1.1 and am in the process of configuring this newer version to use TLSv1.2 with TLS_RSA_WITH_AES_128_GCM_SHA256, which are in spec's recommended list.

I am getting following error from the specweb workload however:
------------------------------------------------------------------------------------
/opt/SPECvirt/logs/20161118-172011
oaf783-kz-1# more client-192.168.1.8_1010.log
2016-11-18 17:20:12:132 Creating specwebclient using RMI Registry port 1010
2016-11-18 17:20:12:158 oaf783-kz-1:1010 ready...
2016-11-18 17:20:47:168 LoadGenerator: Setting sleep delay.
2016-11-18 17:20:53:596 specwebclient: setting tile ID to 0
2016-11-18 17:20:53:601 Looking up polling host: webserver:8001
2016-11-18 17:20:54:694 LoadGenerator: Ramping up for 150 seconds.
2016-11-18 17:20:54:694 LoadGenerator: Starting 2500 threads.
2016-11-18 17:20:54:781 SslConnection: [ERROR] IllegalArgumentException: java.lang.IllegalArgumentException: Unsupported ciphersuite TLS_RSA_WITH_AES_128_GCM_SHA256
2016-11-18 17:20:54:781 SslConnection: [ERROR] IllegalArgumentException: java.lang.IllegalArgumentException: Unsupported ciphersuite TLS_RSA_WITH_AES_128_GCM_SHA256

The relevant entries in the config files are as follows (I have added blank lines to show match in Cipher suite) :
-------------------------------------------------------------------------------------------------------------------------------------------
(/opt/SPECweb2005/Test.config snippet)
# The SSL protocol to use for secure (encrypted) connections
# The protocol MUST be one of the following: SSLv3, TLSv1, TLSv1.1, or TLSv1.2
# This field must match WEB.ENCRYPT_PROTOCOL in /opt/SPECvirt/Testbed.config
#SSL_PROTOCOL = "SSLv3"
SSL_PROTOCOL = "TLSv1.2"

# The encryption cipher used with the encyption protocol
# Note, not all combinations of encryption protocol and cipher are valid.
# See section 3.3.1 of the NIST publication 800-52 for details.
#
# Link: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf
#
# The cipher MUST be one of the following:
#
# SSL_RSA_WITH_RC4_128_MD5
# TLS_RSA_WITH_3DES_EDE_CBC_SHA
# TLS_RSA_WITH_AES_128_CBC_SHA
# TLS_RSA_WITH_AES_256_CBC_SHA
# TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
# TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
# TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

# TLS_RSA_WITH_AES_128_GCM_SHA256

# TLS_RSA_WITH_AES_256_GCM_SHA384
# TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
# TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
# TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
# TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
#
# This field must match WEB.ENCRYPT_CIPHER in /opt/SPECvirt/Testbed.config
#SSL_CIPHER = "SSL_RSA_WITH_RC4_128_MD5"
SSL_CIPHER = "TLS_RSA_WITH_AES_128_GCM_SHA256"
#SSL_CIPHER = "TLS_RSA_WITH_AES_256_GCM_SHA384"

(/opt/SPECvirt/Testbed.config snippet)
# The encryption protocol used for client and webserver communications.
# The protocol MUST be one of the following: SSLv3, TLSv1, TLSv1.1, TLSv1.2
# This field must match SSL_PROTOCOL in /opt/SPECweb2005/Test.config
#
#WEB.ENCRYPT_PROTOCOL = "SSLv3"
WEB.ENCRYPT_PROTOCOL = "TLSv1.2"

# The encryption cipher used with the encyption protocol   
# Note, not all combinations of encryption protocol and cipher are valid. 
# See section 3.3.1 of the NIST publication 800-52 for details.
#
# Link: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf 
#
# The cipher MUST be one of the following:
#
# SSL_RSA_WITH_RC4_128_MD5
# TLS_RSA_WITH_3DES_EDE_CBC_SHA
# TLS_RSA_WITH_AES_128_CBC_SHA
# TLS_RSA_WITH_AES_256_CBC_SHA
# TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
# TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
# TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 
# TLS_RSA_WITH_AES_128_GCM_SHA256

# TLS_RSA_WITH_AES_256_GCM_SHA384
# TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
# TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
# TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
# TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
#
# This field must match SSL_CIPHER in /opt/SPECweb2005/Test.config
#
#WEB.ENCRYPT_CIPHER = "SSL_RSA_WITH_RC4_128_MD5"
WEB.ENCRYPT_CIPHER = "TLS_RSA_WITH_AES_128_GCM_SHA256"
#WEB.ENCRYPT_CIPHER = "TLS_RSA_WITH_AES_256_GCM_SHA384"

The above seems to match o.k.

The cipher suite also matches my setup when I test it with the openssl command line, which also proves that there are no connectivity issues.

(note I have removed the self signed signature details bellow but they are reported as normal)

oaf783-kz-1# openssl s_client -showcerts -connect webserver1:443
CONNECTED(00000004)
depth=0 <remainder removed by me>
verify error:num=18:self signed certificate
verify return:1
depth=0 <remainder removed by me>
verify return:1
---
Certificate chain
 0 s:/C=<removed by me>
   i:/C=<removed by me>
-----BEGIN CERTIFICATE-----
MIIDnjCCAoYCCQC27ymp7vvE0DANBgkqhkiG9w0BAQsFADCBkDELMAkGA1UEBhMC
SUUxDzANBgNVBAgMBkR1YmxpbjEPMA0GA1UEBwwGRHVibGluMQ8wDQYDVQQKDAZP
cmFjbGUxDzANBgNVBAsMBlBlcmZRRTESMBAGA1UEAwwJd2Vic2VydmVyMSkwJwYJ
KoZIhvcNAQkBFhpjb2xtLmhhcnJpbmd0b25Ab3JhY2xlLmNvbTAeFw0xNjExMDQx
MDQwNDVaFw0xNzExMDQxMDQwNDVaMIGQMQswCQYDVQQGEwJJRTEPMA0GA1UECAwG
RHVibGluMQ8wDQYDVQQHDAZEdWJsaW4xDzANBgNVBAoMBk9yYWNsZTEPMA0GA1UE
CwwGUGVyZlFFMRIwEAYDVQQDDAl3ZWJzZXJ2ZXIxKTAnBgkqhkiG9w0BCQEWGmNv
bG0uaGFycmluZ3RvbkBvcmFjbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAy55DyKKh4H/IbfWv0YnBTh6ypSXWHODNg0AcD/gOIMIqBOWRlNL2
ljn8DzSyyz4RVgziZBv5S9JM9T4EME8rCd23aFkNfz5wxoR+YkqXSrkBbgh+rQ5V
002XpE07Lo9Lz5IyHkWxQwe5MAX30U7Q1FDZp5z+4Ex1RRKDfhW/tLrV7NnbDqAW
Bd2YOEDWZ+PlxsebYh9aHNzJ5V6OKa/yhBw8iboaENbwFACffKhtOzwx8wqLqcEo
sAqejyd365Pr+pYnzW4y4dwz/1GRlCPASBoYy+BtGHfnKBJwTqu43UftZ1FqmPsG
QVzuBaEhsIwDFnJy8a96jH5vO2EKH5FpvQIDAQABMA0GCSqGSIb3DQEBCwUAA4IB
AQBDyDmn/ePoW5scmv58gi2TeW5Q9NUIK4Fkymw41FpmaRFDrsx+Xez8r+a5VKrI
ij5ALkxSoSBFdl9dNKY36DNpbgW2NhiVWQhLvJFSiC6DJRIGGkFYXNmzX+XnbVCe
yeVz5I5HTfU5qXrshtwtYgnAK8zlgCVqs8wESGgaEo6JRlt56sGE6XXOQXClL/s2
g4GxOVit6uNz2jcoV0X/seXSnp9IJdExl8BFy8OS23oF8qb8+fK7hr6w6fNI9qwM
+QXT4G0m8J5E+n/RrxFV32ZON9xy2TzHU/Wx/5oMNPtSK9CB9OgxaUwwmsNvPOhj
2Af8WROQKC5tbmdls0TSqWYJ
-----END CERTIFICATE-----
---
Server certificate
subject=<removed by me>
issuer=<removed by me>
No client certificate CA names sent
---
SSL handshake has read 1275 bytes and written 613 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-GCM-SHA256
    Session-ID: 0390ED0EA358E542E879F1881E89B8CCBACA6FFF18F7F52080E06C95C83622F2
    Session-ID-ctx:
    Master-Key: 55F78612B155A5FDCA16C8BFC1150C0301ED2677B23992093FD9B556949A356181D955DD5390171162ACD583BB6D5A4C
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100 (seconds)
    TLS session ticket:
    0000 - 59 46 50 6d 47 6a 41 e4-3c 9d 85 70 d7 6c e0 a3   YFPmGjA.<..p.l..
    0010 - ed 2f c8 fa 95 da 6a 14-d0 84 3c ee 97 fb 49 be   ./....j...<...I.
    0020 - b3 76 42 0f 46 fa 44 19-36 8e ce 73 5d 07 aa 48   .vB.F.D.6..s]..H
    0030 - 10 87 b2 d0 57 3a 38 0a-4d 16 a0 00 41 cd 99 11   ....W:8.M...A...
    0040 - cf c0 b9 a2 31 bb 72 6f-17 38 80 97 e2 39 32 88   ....1.ro.8...92.
    0050 - 7e db bb 9d 8e 52 2d 16-d1 f5 2f 8e 19 ad cb 70   ~....R-.../....p
    0060 - dc 43 96 13 77 25 46 4a-1a db fc b1 26 9d 10 91   .C..w%FJ....&...
    0070 - d0 bf 98 06 a9 4f d8 55-ea f2 32 fe 82 6c bb 28   .....O.U..2..l.(
    0080 - 35 9e 5f 25 f3 82 87 88-2a c4 28 30 c0 a9 0f 1d   5._%....*.(0....
    0090 - 06 14 92 fd 27 dd e5 86-bb ab 96 8c a4 16 1f 99   ....'...........
    00a0 - fc 52 28 1f 6e c5 9f 17-18 d3 48 e5 05 75 a7 fb   .R(.n.....H..u..
    00b0 - 4f 1c 39 c9 6d ff ca 3d-be 4e 2a 80 15 21 70 62   O.9.m..=.N*..!pb

    Start Time: 1479492470
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
closed

AES128-GCM-SHA256 is in the list of ciphers on the webserver as follows
---------------------------------------------------------------------------------------------
webserver1# openssl ciphers -v | grep AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
DH-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AESGCM(128) Mac=AEAD
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
DH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD

apache ssl.conf
-----------------------
webserver1# pwd
/etc/apache2/2.4/conf.d
webserver1# more ssl.conf
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLSessionCache        "shmcb:/var/run/apache2/2.4/ssl_scache(512000)"
SSLSessionCacheTimeout  100
Listen 443
<VirtualHost webserver:443>
SSLEngine on
SSLProtocol all -SSLv3
#SSLCipherSuite AES128-SHA256
SSLCipherSuite AES128-GCM-SHA256
#SSLCipherSuite AES256-GCM-SHA384
# SPECvirt_sc2013 changes for webserver
ServerName webserver:443
SSLCertificateFile "/etc/openssl/perfqe/server.crt"
SSLCertificateKeyFile "/etc/openssl/perfqe/server.key"
</VirtualHost>


The apache access log shows the following:
-------------------------------------------------------
192.168.1.8 - - [18/Nov/2016:17:20:46 +0000] "GET /support/init.php?BESIM_HOST=infraserver&BESIM_PORT=81&BESIM_URI=/fcgi-bin/besim_fcgi.fcgi&BESIM_PERSISTENT=false&PADDING_DIR=/var/www/html/support/dynamic_padding/&SMARTY_DIR=/var/www/ht
ml/Smarty-2.6.26/libs/&SMARTY_SUPPORT_DIR=/var/www/html/support/&SEND_CONTENT_LENGTH=true HTTP/1.1" 200 559
192.168.1.8 - - [18/Nov/2016:17:24:22 +0000] "-" 408 -
192.168.1.8 - - [18/Nov/2016:18:08:10 +0000] "-" 408 -

Software versions are as follows:

Prime client
----------------
Java(TM) SE Runtime Environment (build 1.7.0_80-b15)

webserver
---------------
Apache/2.4.23 (Unix) OpenSSL/1.0.2j

Am I missing something here?
Could this be a symptom of a different configuration mistake on my part?

Any help is greatly appreciated.

AnoopGupta

  • Jr. Member
  • **
  • Posts: 60
  • Karma: +0/-0
Re: specvirt-1.1 : Unsupported ciphersuite TLS_RSA_WITH_AES_128_GCM_SHA256
« Reply #1 on: November 18, 2016, 02:47:40 PM »
Could you please confirm that you have setup your WebServer VM using specvirt-1.1 kit?

ChrisFloyd

  • Moderator
  • Jr. Member
  • *****
  • Posts: 52
  • Karma: +2/-0
Re: specvirt-1.1 : Unsupported ciphersuite TLS_RSA_WITH_AES_128_GCM_SHA256
« Reply #2 on: November 18, 2016, 04:19:42 PM »
Java 1.7 (at least the OpenJRE version , doesn't support the TLS_RSA_WITH_AES_128_GCM_SHA256 cipher.  As a suggestion, the following two ciphersuites should perform similar to SSLv3 on the SUT VMs (although the CPU consumption on the client/driver will likely be noticeably higher):

TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA

I'd recommend reviewing the documentation for your flavor of Java 1.7 (It appears your Java 1.7 is Oracle Java HotSpot, but I'm not positive) - and verify which ciphersuites are supported. (Note, some cipher suites must be explicitly enabled in the JRE settings).  Alternatively, Java 1.8 will allow a larger range of TLS ciphersuites (namely, the TLS*_GCM_* varieties). You may want to consider upgrading to 1.8 to enable and experiment with those additional cipher options.

Thanks,

Chris Floyd

andchri

  • Newbie
  • *
  • Posts: 9
  • Karma: +1/-0
Re: specvirt-1.1 : Unsupported ciphersuite TLS_RSA_WITH_AES_128_GCM_SHA256
« Reply #3 on: November 18, 2016, 06:00:58 PM »
Thanks both for the quick response.

I will try those suggestions in turn and let you know how it goes.
For what it's worth, I used the older version of Java for compatibility with the jappserver workload in my initial setup, which was quite a long time ago now.

I remember hitting a number of errors with Java 1.8 at the time using glassfish as the appserver, although I can't recall the details now. Changing to 1.7 on both the prime client and appserver vm fixed any issues with it at the time.

All the best,

Andrew

andchri

  • Newbie
  • *
  • Posts: 9
  • Karma: +1/-0
Re: specvirt-1.1 : Unsupported ciphersuite TLS_RSA_WITH_AES_128_GCM_SHA256
« Reply #4 on: November 21, 2016, 12:05:21 PM »
TLS_RSA_WITH_AES_128_CBC_SHA seems to be working fine.

thanks for that,

Andrew