Author Topic: Webserver VM Errors: handshake_failure  (Read 14795 times)

aakel

  • Newbie
  • *
  • Posts: 17
  • Karma: +3/-0
Webserver VM Errors: handshake_failure
« on: September 19, 2016, 02:57:28 PM »
In running the full SPECvirt-2013 benchmark, I'm receiving the following error messages:

Clientmgr1_1088.out:-> 2016-09-19 00:41:16:544 SslConnection: [ERROR] IOException during SSL handshake: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Clientmgr1_1088.out:-> 2016-09-19 00:41:16:544 SslConnection: [ERROR] IOException during SSL handshake: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Clientmgr1_1088.out:-> 2016-09-19 00:41:22:535 Connection: [ERROR] Write to socket failed! IOException was: javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Clientmgr1_1088.out:-> 2016-09-19 00:41:22:535 Connection: [ERROR] Write to socket failed! IOException was: javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

I can provide the full log files, if those help out.  I looked through the documentation, and I was able to find and fix a previous problem (where SSLv3 was disabled in my version of Java).  After fixing that issue, this one cropped up.  I can validate that the web server is listening on port 443, but this issue is preventing me from moving forward.

I would appreciate any help that you all can provide.

Thanks!

lroderic

  • Moderator
  • Full Member
  • *****
  • Posts: 167
  • Karma: +6/-0
Re: Webserver VM Errors: handshake_failure
« Reply #1 on: September 19, 2016, 05:16:07 PM »
Hello. What version of Java are you running?

On the webserver in /opt/SPECweb2005/Test.config, ensure that SSL_PROTOCOL = "SSLv3" and SSL_CIPHER = "SSL_RSA_WITH_RC4_128_MD5".

Please let us know.

aakel

  • Newbie
  • *
  • Posts: 17
  • Karma: +3/-0
Re: Webserver VM Errors: handshake_failure
« Reply #2 on: September 19, 2016, 05:24:57 PM »
I'm using java 1.7.0_111:
Code: [Select]
[webserver1 ~]$ java -version
java version "1.7.0_111"
OpenJDK Runtime Environment (rhel-2.6.7.2.el7_2-x86_64 u111-b01)
OpenJDK 64-Bit Server VM (build 24.111-b01, mixed mode)

Both of those options are set in /opt/SPECweb2005/Test.config:
Code: [Select]
<snip>
# The SSL protocol and cipher to use for SSL connections
SSL_PROTOCOL = "SSLv3"
SSL_CIPHER = "SSL_RSA_WITH_RC4_128_MD5"
</snip>

aakel

  • Newbie
  • *
  • Posts: 17
  • Karma: +3/-0
Re: Webserver VM Errors: handshake_failure
« Reply #3 on: September 19, 2016, 06:14:45 PM »
Also, since I saw the request in a previous post, I've also removed "SSLv3" from the jdk.tls.disabledAlgorithms:
/usr/lib/jvm/java-openjdk/jre/lib/security/java.security:

Code: [Select]
<snip>
jdk.tls.disabledAlgorithms=MD5withRSA, DH keySize < 768
</snip>

aakel

  • Newbie
  • *
  • Posts: 17
  • Karma: +3/-0
Re: Webserver VM Errors: handshake_failure
« Reply #4 on: September 19, 2016, 11:12:20 PM »
I believe I've solved the issue.  For the benefit of others who run into this problem (seems to be prevalent with modern versions of Centos: 7+).  I'm not sure which change actually fixed things (because I haven't root-caused yet), but a few changes that likely contributed include:
1. Removing "MD5withRSA" from the disabledAlgorithms field in .../jre/lib/security/java.security (since SPECvirt assumes and MD5-based SSLv3 cipher).
2. Adding "SSL_RSA_WITH_RC5_128_MD5" to the jdk.tls.legacyAlgorithms list in .../jre/lib/security/java.security.
3. Modern versions of Apache's web server appear to block MD5-based ciphers by default, so I removed "!MD5" from the SSLCipherSuite list in /etc/httpd/conf.d/ssl.conf.

lroderic

  • Moderator
  • Full Member
  • *****
  • Posts: 167
  • Karma: +6/-0
Re: Webserver VM Errors: handshake_failure
« Reply #5 on: September 20, 2016, 01:45:25 PM »
Thanks so much for investigating this. We'll investigate as well and put this in the FAQ.

aakel

  • Newbie
  • *
  • Posts: 17
  • Karma: +3/-0
Re: Webserver VM Errors: handshake_failure
« Reply #6 on: October 12, 2016, 12:23:14 PM »
I noticed that some of these fixes made it into a new release of SPECvirt.  How can I go about acquiring the new version?  I'm not sure that the purchasing person that SPEC will contact will know to contact me about the new version.

lroderic

  • Moderator
  • Full Member
  • *****
  • Posts: 167
  • Karma: +6/-0
Re: Webserver VM Errors: handshake_failure
« Reply #7 on: October 13, 2016, 03:40:36 PM »
Please contact info@spec.org for your copy.

tdeneau

  • Jr. Member
  • **
  • Posts: 51
  • Karma: +1/-1
Re: Webserver VM Errors: handshake_failure
« Reply #8 on: January 18, 2017, 02:45:57 PM »
A question about #2 below, should this be "SSL_RSA_WITH_RC4_128_MD5" ?

-- Tom

I believe I've solved the issue.  For the benefit of others who run into this problem (seems to be prevalent with modern versions of Centos: 7+).  I'm not sure which change actually fixed things (because I haven't root-caused yet), but a few changes that likely contributed include:
1. Removing "MD5withRSA" from the disabledAlgorithms field in .../jre/lib/security/java.security (since SPECvirt assumes and MD5-based SSLv3 cipher).
2. Adding "SSL_RSA_WITH_RC5_128_MD5" to the jdk.tls.legacyAlgorithms list in .../jre/lib/security/java.security.
3. Modern versions of Apache's web server appear to block MD5-based ciphers by default, so I removed "!MD5" from the SSLCipherSuite list in /etc/httpd/conf.d/ssl.conf.

AnoopGupta

  • Jr. Member
  • **
  • Posts: 60
  • Karma: +0/-0
Re: Webserver VM Errors: handshake_failure
« Reply #9 on: January 18, 2017, 03:49:03 PM »
Yes, it should have been RC4 and not RC5.

lroderic

  • Moderator
  • Full Member
  • *****
  • Posts: 167
  • Karma: +6/-0
Re: Webserver VM Errors: handshake_failure
« Reply #10 on: January 24, 2017, 03:12:46 PM »
Thanks, Tom. We updated the Technical Support FAQ @ https://www.spec.org/virt_sc2013/docs/SPECvirt_TechnicalSupport.html with this info.

Lisa