Hello,
See: http://jmeter.apache.org/usermanual/properties_reference.html#test_script_recorder_cert
The property is: proxy.cert.validity
How would you like it improved?
Thanks

On Thu, Jul 19, 2018 at 2:50 PM, Srijon Das <[email protected]> wrote:
> As a longtime jmeter user, I would like the option to decide how long my
> certificates will be valid, 1 week, 2 weeks, 3 weeks etc. And perhaps a
> warning describing the consequences of the security vulnerabilities.
>
> Most jmeter users, I feel, will be in a position to judge the security risk
> themselves and use the certificate accordingly.
>
> Sent from my iPhone
>
> On Jul 19, 2018, at 4:06 AM, Milamber <[email protected]> wrote:
> >
> >> On 19/07/2018 11:03, Philippe Mouawad wrote:
> >>> On Thu, Jul 19, 2018 at 11:56 AM, sebb <[email protected]> wrote:
> >>>
> >>> On 19 July 2018 at 10:34, Philippe Mouawad <[email protected]> wrote:
> >>>> On Thu, Jul 19, 2018 at 11:31 AM, sebb <[email protected]> wrote:
> >>>>
> >>>>> On 19 July 2018 at 10:28, Philippe Mouawad <[email protected]> wrote:
> >>>>>> Hello sebb,
> >>>>>>
> >>>>>> Yes users can change, but once again, it means adjusting defaults,
> >>>>>> knowing they can be adjusted and which property it is.
> >>>>> That can be documented.
> >>>>>
> >>>> Which means all users read the whole documentation, do you think they do?
> >>>> I guess you know the famous RTFM :-)
> >>>>
> >>>>>> Why not make defaults better for usability?
> >>>>> Because it compromises security.
> >>>>>
> >>>> Can you give more details?
> >>> The point of a CA is to certify that a certificate chain is valid.
> >>> Locally generated CA certs do not do this.
> >>> Once the cert has been approved by the browser, it can be used to
> >>> certify anything, including a spoof bank site etc.
> >>>
> >>> JMeter users may not understand that, and so may not take sufficient
> >>> care of the certificate and its password.
> >>> Or they may forget that the cert has been added to the browser.
> >>>
> >>> Even some official CAs have inadvertently exposed their certs.
> >>>
> >>> I don't think we should ship JMeter with deliberately weak settings.
> >>>
> >>> Yes it may be inconvenient, but it is deliberately done to minimise
> >>> the effects of accidental certificate exposure.
> >>>
> >>> Users that understand the risks can override the setting, but that is
> >>> at their own risk.
> >>>
> >>> Remember that once the browser has stored the CA, it will be active
> >>> regardless of whether JMeter is actually being used.
> >>> So the sooner it expires, the safer it is.
> >>> Maybe a week is too *long*.
> >>>
> >> I am aware of that, but it means the attacker has accessed the machine of
> >> the user to get the CA.
> >> So the JMeter side is only a consequence, not the root cause.
> >
> > The risk is the same if the duration is 7 days or 3 months, because the
> > attacker needs to have access to the private key of the temp JMeter CA root
> > to generate some fake cert signed by the CA. This private key is on the
> > machine (keystore.jks).
> > And if an attacker already has access to the machine, they can directly add
> > another CA (not the JMeter CA) into the certs vault on the machine, to
> > make some malicious operations...
> >
> > 3 months seems good for me (this is the mean duration for my load test
> > missions)
> >
> >>
> >>>>>> It looks like 3 months would be good for Bruno, Antonio, me.
> >>>>>> Is it really a blocker for you? If yes, why?
> >>>>> As above.
> >>>>>
> >>>>>> @Others what's your opinion?
> >>>>>>
> >>>>>> Thanks
> >>>>>>
> >>>>>>> On Thu, Jul 19, 2018 at 10:55 AM, sebb <[email protected]> wrote:
> >>>>>>>
> >>>>>>> It's a trade-off between convenience and security.
> >>>>>>>
> >>>>>>> It's risky adding the certificate to the browser.
> >>>>>>>
> >>>>>>> I don't think the default should be changed.
> >>>>>>>
> >>>>>>> Users can always change it themselves if they accept the risks.
> >>>>>>> E.g. if they use a separate browser installation that has the certificate,
> >>>>>>> then a longer validity is more sensible.
> >>>>>>> It's too easy to forget that the cert has been added to the browser.
> >>>>>>>
> >>>>>>> S.
> >>>>>>> On 19 July 2018 at 09:35, Antonio Gomes Rodrigues <[email protected]> wrote:
> >>>>>>>> +1 for me
> >>>>>>>>
> >>>>>>>> On Thu, 19 Jul 2018 at 10:27, Philippe Mouawad <[email protected]> wrote:
> >>>>>>>>
> >>>>>>>>> Hello,
> >>>>>>>>> Currently:
> >>>>>>>>>
> >>>>>>>>> - proxy.cert.validity=7
> >>>>>>>>>
> >>>>>>>>> This is annoying for users who must remember to add the ROOT JMeter
> >>>>>>>>> certificate to the browser every week.
> >>>>>>>>>
> >>>>>>>>> I would suggest setting it to 1 year or at least 1 month.
> >>>>>>>>>
> >>>>>>>>> Regards
> >>>>>>>>> Philippe
> >>>>>>>>>
> >>>>>>
> >>>>>> --
> >>>>>> Regards.
> >>>>>> Philippe Mouawad.
> >>>>
> >>>> --
> >>>> Regards.
> >>>> Philippe Mouawad.

--
Regards.
Philippe Mouawad.
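An added example, not JMeter's own code or anything posted in the thread: a small Java audit that loads a recorder keystore such as keystore.jks and reports each certificate's lifetime and remaining validity, flagging CA entries that a browser may still trust. The class name, the command-line arguments and the assumption that the keystore is in JKS format are mine; the password is whatever the recorder was configured with.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Enumeration;

/**
 * Lists every certificate in a JKS keystore (such as the keystore.jks the JMeter
 * recorder generates) and reports how long each one remains valid. Valid CA
 * certificates are flagged: a browser that imported one trusts it until notAfter,
 * whether or not JMeter is running.
 * Usage (assumed; this is not a JMeter tool): java KeystoreValidityAudit <keystore.jks> <password>
 */
public class KeystoreValidityAudit {
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: KeystoreValidityAudit <keystore.jks> <password>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray()); // throws if the password is wrong
        }
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                continue; // only X.509 entries carry a validity period
            }
            X509Certificate x509 = (X509Certificate) cert;
            Instant notBefore = x509.getNotBefore().toInstant();
            Instant notAfter = x509.getNotAfter().toInstant();
            long lifetimeDays = Duration.between(notBefore, notAfter).toDays();
            long remainingDays = Duration.between(Instant.now(), notAfter).toDays();
            boolean isCa = x509.getBasicConstraints() >= 0; // >= 0 means CA:TRUE
            System.out.printf("%s %s%n  subject  : %s%n  lifetime : %d days%n  expires  : %s (%d days left)%n",
                    alias, isCa ? "[CA]" : "[leaf]", x509.getSubjectX500Principal(),
                    lifetimeDays, notAfter, remainingDays);
            if (isCa && remainingDays >= 0) {
                System.out.println("  WARNING: a browser that imported this CA keeps trusting it for "
                        + remainingDays + " more days; remove it once recording is finished.");
            }
        }
    }
}
```

The reported lifetime of the root CA entry is what the recorder's validity setting produced, so running this after a recording session shows exactly how long the exposure window discussed above still lasts.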
