openbmc / bmcweb

A do everything Redfish, KVM, GUI, and DBus webserver for OpenBMC
Apache License 2.0

SSL handshake failed (5) #197

Closed chandu-tmba closed 3 years ago

chandu-tmba commented 3 years ago

While running the Apache Benchmark tool against OpenBMC Redfish, I am facing an SSL handshake issue.

Nuvoton OpenBMC v1.9

Steps to reproduce the behavior:

  1. Run the command `ab -s 50 -n 25 -c 1 -A root:0penBmc https:{ip}/redfish/v1/<uri's>`; actually I am using a shell script, which contains these kinds of commands.
  2. See error: SSL handshake failed (5).
  3. Expected behavior: SSL errors should not occur.
edtanous commented 3 years ago

Have you uploaded a valid SSL certificate to your BMC?

chandu-tmba commented 3 years ago

No, I haven't uploaded any certificate.

edtanous commented 3 years ago

That is why your test can't connect; You will either need to upload a valid certificate, or tell ab to ignore the certificate validity.

This appears to be a bug in your test setup, not in bmcweb. Closing. Feel free to reopen if there is something that appears to be incorrect with bmcweb, but for now, it appears to be working as designed.

chandu-tmba commented 3 years ago

By default, one HTTPS certificate is there in the BMC, under the /etc/ssl/certs/https/ folder, so I am not uploading any HTTPS certificate; validity is almost one year for this certificate. I am facing the issue only whenever I run the ab tool command in a shell script for loop; when I give a single ab tool request manually I am not facing any issue.

chandu-tmba commented 3 years ago

ab -s 50 -n 25 -c 1 -A root:0penBmc https:///redfish/v1/Systems

This is the sample URI used in the shell script for loop.

chandu-tmba commented 3 years ago

Please reopen the issue.

edtanous commented 3 years ago

Please upload a valid certificate to your BMC, or set up ab to ignore certificate errors as instructed. If the problem persists after you've done so, I will reopen the issue.

The BMC certificate is self-signed by default, which will cause errors if you try to connect clients that are expecting a valid certificate.

chandu-tmba commented 3 years ago

Still getting the same error; uploaded a valid SSL certificate via the web UI.

Certificate creation steps followed:

  1. openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout selfsigned.key -out selfsigned.crt -subj "/C=SI/ST=Ljubljana/L=Ljubljana/O=Security/OU=IT Department/CN=www.example.com"
  2. cat selfsigned.crt selfsigned.key > selfsigned.pem

Shell script which is throwing the error:

```bash
#!/bin/bash

a=0

while [ $a -lt 100 ]
do
  echo "Looping ... number $a"
  ab -s 30 -n 25 -c 1 -A root:0penBmc https://10.0.124.89/redfish/v1/
  a=`expr $a + 1`
done
```

chandu-tmba commented 3 years ago

I think this is something to do with the ciphersuite.

```
SSL/TLS Handshake [Start] before SSL initialization
SSL/TLS State [connect] before SSL initialization
SSL/TLS State [connect] SSLv3/TLS write client hello
SSL handshake failed (5).
SSL/TLS Handshake [Start] before SSL initialization
SSL/TLS State [connect] before SSL initialization
SSL/TLS State [connect] SSLv3/TLS write client hello
SSL handshake failed (5).
SSL/TLS Handshake [Start] before SSL initialization
SSL/TLS State [connect] before SSL initialization
SSL/TLS State [connect] SSLv3/TLS write client hello
SSL/TLS State [connect] SSLv3/TLS write client hello
SSL/TLS State [connect] SSLv3/TLS read server hello
SSL/TLS State [connect] SSLv3/TLS read server certificate
SSL/TLS State [connect] SSLv3/TLS read server key exchange
SSL/TLS State [connect] SSLv3/TLS read server done
SSL/TLS State [connect] SSLv3/TLS write client key exchange
SSL/TLS State [connect] SSLv3/TLS write change cipher spec
SSL/TLS State [connect] SSLv3/TLS write finished
SSL/TLS State [connect] SSLv3/TLS write finished
SSL/TLS State [connect] SSLv3/TLS read server session ticket
SSL/TLS State [connect] SSLv3/TLS read change cipher spec
SSL/TLS State [connect] SSLv3/TLS read finished
SSL/TLS Handshake [Done] SSL negotiation finished successfully
```

This is the debug log; after the client writes its hello, I am getting an SSL handshake failure.
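To make a trace like the one above readable across a long loop, here is an added Python helper that is not part of bmcweb and was not posted by anyone in the thread. It groups ab's SSL trace into one record per handshake attempt and reports where each failed attempt stopped, which separates "the server never answered the ClientHello" from "the handshake broke after the certificate arrived" (the latter is what a certificate validation problem would look like). The sample input is the log posted above, embedded inline as constructed test data. ab prints the `SSL_get_error()` value in parentheses; 5 is `SSL_ERROR_SYSCALL`, an I/O error such as the peer closing the socket before replying. The exact state strings are whatever OpenSSL's `SSL_state_string_long()` emits, so the substring matches in `classify()` are an assumption about that output.

```python
import re
from collections import Counter

# Constructed sample input: the ab SSL trace posted in this thread, one event per line.
SAMPLE_LOG = """\
SSL/TLS Handshake [Start] before SSL initialization
SSL/TLS State [connect] before SSL initialization
SSL/TLS State [connect] SSLv3/TLS write client hello
SSL handshake failed (5).
SSL/TLS Handshake [Start] before SSL initialization
SSL/TLS State [connect] before SSL initialization
SSL/TLS State [connect] SSLv3/TLS write client hello
SSL handshake failed (5).
SSL/TLS Handshake [Start] before SSL initialization
SSL/TLS State [connect] before SSL initialization
SSL/TLS State [connect] SSLv3/TLS write client hello
SSL/TLS State [connect] SSLv3/TLS write client hello
SSL/TLS State [connect] SSLv3/TLS read server hello
SSL/TLS State [connect] SSLv3/TLS read server certificate
SSL/TLS State [connect] SSLv3/TLS read server key exchange
SSL/TLS State [connect] SSLv3/TLS read server done
SSL/TLS State [connect] SSLv3/TLS write client key exchange
SSL/TLS State [connect] SSLv3/TLS write change cipher spec
SSL/TLS State [connect] SSLv3/TLS write finished
SSL/TLS State [connect] SSLv3/TLS read server session ticket
SSL/TLS State [connect] SSLv3/TLS read change cipher spec
SSL/TLS State [connect] SSLv3/TLS read finished
SSL/TLS Handshake [Done] SSL negotiation finished successfully
"""

# SSL_get_error() codes as ab prints them in "SSL handshake failed (N)."
SSL_ERROR_NAMES = {
    1: "SSL_ERROR_SSL",          # failure inside the TLS library (e.g. certificate verify)
    5: "SSL_ERROR_SYSCALL",      # I/O error, e.g. the peer closed the socket
    6: "SSL_ERROR_ZERO_RETURN",  # clean TLS close_notify from the peer
}

STATE_RE = re.compile(r"^SSL/TLS State \[\w+\] (.+)$")
FAIL_RE = re.compile(r"^SSL handshake failed \((\d+)\)")


def parse_handshakes(text):
    """Split an ab SSL trace into one record per handshake attempt."""
    attempts = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SSL/TLS Handshake [Start]"):
            current = {"states": [], "outcome": "incomplete", "error": None}
            attempts.append(current)
            continue
        if current is None:
            continue  # noise before the first attempt
        m = STATE_RE.match(line)
        if m:
            current["states"].append(m.group(1))
            continue
        m = FAIL_RE.match(line)
        if m:
            code = int(m.group(1))
            current["outcome"] = "failed"
            current["error"] = SSL_ERROR_NAMES.get(code, f"SSL_ERROR_{code}")
            current = None
            continue
        if line.startswith("SSL/TLS Handshake [Done]"):
            current["outcome"] = "ok"
            current = None
    return attempts


def classify(attempt):
    """Describe where an attempt stopped; the position hints at the cause."""
    if attempt["outcome"] == "ok":
        return "completed"
    states = attempt["states"]
    last = states[-1] if states else "(none)"
    if any("read server certificate" in s for s in states):
        # Certificate was received, so the break is after validation could run.
        return f"failed after certificate was received (last state: {last})"
    if not any("read server hello" in s for s in states):
        # Never got a ServerHello: the peer closed or did not answer the socket.
        return f"no ServerHello received (last state: {last})"
    return f"failed mid-handshake (last state: {last})"


def summarize(text):
    attempts = parse_handshakes(text)
    outcomes = Counter(a["outcome"] for a in attempts)
    reasons = Counter(classify(a) for a in attempts if a["outcome"] != "ok")
    errors = Counter(a["error"] for a in attempts if a["error"])
    return {
        "attempts": len(attempts),
        "ok": outcomes["ok"],
        "failed": outcomes["failed"],
        "reasons": dict(reasons),
        "errors": dict(errors),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['attempts']} attempts, {s['ok']} ok, {s['failed']} failed")
    for reason, n in s["reasons"].items():
        print(f"  {n}x {reason}")
    for err, n in s["errors"].items():
        print(f"  {n}x {err}")
```

On the posted trace this reports two attempts that stopped right after "write client hello" with `SSL_ERROR_SYSCALL` and one that completed, so the failing attempts never reached the certificate step; that is the shape of a dropped or unanswered connection, not of a certificate that failed validation.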

chandu-tmba commented 3 years ago

This is the output of the supported ciphersuites for bmcweb:

```
root@ubuntu-OptiPlex-5080:/home/ubuntu/cipherscan/cipherscan# ./cipherscan 10.0.124.81:443
.....
prio  ciphersuite                  protocols  pfs_keysize
1     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2    ECDH,P-521,521bits
2     ECDHE-RSA-AES256-SHA384      TLSv1.2    ECDH,P-521,521bits
3     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2    ECDH,P-521,521bits
4     ECDHE-RSA-AES128-SHA256      TLSv1.2    ECDH,P-521,521bits

Certificate: Not a match, UNTRUSTED, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: 7200
OCSP stapling: not supported
WARNING - None of the CNs match the hostname given
Here is the list of common names found in the certificate
test
```

chandu-tmba commented 3 years ago

I even tried creating the CN with the hostname, but still it is not working; I think the issue is not about certificate validity.

chandu-tmba commented 3 years ago

The problem here is that I am facing this issue only when I am running the ab command in a loop using a shell script; if I am running it once on the command line it is working fine.

chandu-tmba commented 3 years ago

@edtanous please check the issue.

edtanous commented 3 years ago

> the problem here is , i am facing this issue only when i am running ab command in loop using shell script, if i am running it once in command line it is working fine

This wasn't in your steps to reproduce originally. If it had been, we likely would've given you the answer faster.

Looking at your script, I'm going to guess that ab isn't closing the connections properly and bmcweb is hitting its connection limit. The connection limits are by design to protect the rest of the BMC, and based on your scripts seem to be working properly, as you're spinning up 25 requests per loop. Unless there's more information here that leads me to believe this is an actual issue, or someone else reports the same, I'm going to leave this closed, as it sounds like you were able to get ab to work per your original instructions.

With that said, if you've root caused this further and this is a coding bug, feel free to provide more information or ideally a patch to fix the behavior you're seeing, but with the information above, this looks like bmcweb is working.

> WARNING - None of the CNs match the hostname given Here is the list of common names found in the certificate test

FYI This would imply that you haven't uploaded a valid and trusted certificate, although your problems seem to lie elsewhere.