Re: HttpClient SSL Handshake and self-signed certificate

Stuart Barlow Fri, 28 Oct 2016 03:42:25 -0700

Hi Ivan,

Thanks for your reply and the suggestions. I did give them all a trybut none worked. I eventually figured out what the problem is but mightstill need some advice on how to handle it.

There's an HTTP proxy in place in the intranet I work on and thewebsite I'm testing goes through the proxy for most things but for somepages (and for some nested resources like images) there is a directconnection.

In JMeter I don't see a way to tell it to ignore the proxy forparticular HTTP URL patterns. Does anyone know of a way to do this?Otherwise I'll install my own local proxy instance and configure it toredirect the requests as necessary.


Stuart

On 14.10.2016 15:13, Ivan Rancati wrote:

hi,
No idea whether JMeter validates the hostname. I thought not, as Ihavesome tests that access the server by IP address, and the servercertificate
has a hostname.
A couple of ideas to try to narrow down the problem

- check jmeter.log
You should see some INFO entries from jmeter.util.SSLManager, see ifyour
keystore and aliases are loaded as expected.
- java keytool problems
I once could not get the keytool to work (it might have been aOpenJDK on
Linux issue, I did not get around to try with Oracle JDK); I exported
certificate/key to a .p12 file instead and it worked.
Btw, for quicker troubleshooting, you can also pass all the SSLoptionsdirectly from the command line, as opposite to editingjmeter.properties,
i.e.
-Djavax.net.ssl.keyStoreType=PKCS12

hope this helps
Ivan
On Fri, Oct 14, 2016 at 12:35 PM, Stuart Barlow<[email protected]>
wrote:
Hi
In test environments self-signed certificates are common and they'renotalways created in the right way. I'm trying to connect via HTTPSRequest toa website that uses a self-signed cert where the hostname is notcorrectlyset inside the cert. The CN field has a value like "test-web-cert"and that
cert is also used by two different domains. It's deployed for both
https://www.test1.thirdpartywebsite.com andhttps://www.test2.thirdpartywe
bsite.com
I can access these websites from a browser and can view thecertificatethis way. The browser is more forgiving than JMeter. I triedexporting itfrom the browser and importing into the truststore used by JMeter (Iset
javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword in
system.properties) and also into the cacerts in my JRE lib/securityfolder.
Both of these didn't work.

I always see this in the Response Tab of a Results Tree:

java.net.SocketTimeoutException: Read timed out
        at java.net.SocketInputStream.socketRead0(Native Method)
atjava.net.SocketInputStream.socketRead(SocketInputStream.java
:116)
atjava.net.SocketInputStream.read(SocketInputStream.java:170)atjava.net.SocketInputStream.read(SocketInputStream.java:141)atsun.security.ssl.InputRecord.readFully(InputRecord.java:465)
        at sun.security.ssl.InputRecord.read(InputRecord.java:503)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.
java:973)
atsun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSo
cketImpl.java:1375)
atsun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.
java:1403)
atsun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.
java:1387)
atorg.apache.http.conn.ssl.SSLSocketFactory.createLayeredSocke
t(SSLSocketFactory.java:573)
atorg.apache.http.conn.ssl.SSLSocketFactory.createLayeredSocke
t(SSLSocketFactory.java:447)
atorg.apache.jmeter.protocol.http.sampler.LazySchemeSocketFact
ory.createLayeredSocket(LazySchemeSocketFactory.java:121)
atorg.apache.http.impl.conn.DefaultClientConnectionOperator.
updateSecureConnection(DefaultClientConnectionOperator.java:219)
atorg.apache.http.impl.conn.ManagedClientConnectionImpl.layerP
rotocol(ManagedClientConnectionImpl.java:421)
atorg.apache.jmeter.protocol.http.sampler.MeasuringConnectionM
anager$MeasuredConnection.layerProtocol(MeasuringConnectionM
anager.java:152)
atorg.apache.http.impl.client.DefaultRequestDirector.establish
Route(DefaultRequestDirector.java:815)
atorg.apache.http.impl.client.DefaultRequestDirector.tryConnec
t(DefaultRequestDirector.java:616)
atorg.apache.http.impl.client.DefaultRequestDirector.execute(D
efaultRequestDirector.java:447)
atorg.apache.http.impl.client.AbstractHttpClient.doExecute(Abs
tractHttpClient.java:884)
atorg.apache.http.impl.client.CloseableHttpClient.execute(Clos
eableHttpClient.java:82)
atorg.apache.http.impl.client.CloseableHttpClient.execute(Clos
eableHttpClient.java:55)
atorg.apache.jmeter.protocol.http.sampler.HTTPHC4Impl.executeR
equest(HTTPHC4Impl.java:619)
atorg.apache.jmeter.protocol.http.sampler.HTTPHC4Impl.sample(
HTTPHC4Impl.java:379)
atorg.apache.jmeter.protocol.http.sampler.HTTPSamplerProxy.sam
ple(HTTPSamplerProxy.java:74)
atorg.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.samp
le(HTTPSamplerBase.java:1146)
atorg.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.samp
le(HTTPSamplerBase.java:1135)
atorg.apache.jmeter.threads.JMeterThread.executeSamplePackage(
JMeterThread.java:465)
atorg.apache.jmeter.threads.JMeterThread.processSampler(JMeter
Thread.java:410)
atorg.apache.jmeter.threads.JMeterThread.run(JMeterThread.java
:241)
        at java.lang.Thread.run(Thread.java:745)
My theory at the moment is that the SSL handshake is dropped becauseof
hostname validation. I'm trying to connect to
https://www.test1.thirdpartywebsite.com but the certificate contains
value test-web-cert. They don't match so the connection is dropped.I'mable to use curl with the -k option to retrieve the content ifthat's
relevant.

Can anyone tell me if there is a way in JMeter to disable hostname
validation during SSL Handshake?


Thanks,

Stuart


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]



---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Re: HttpClient SSL Handshake and self-signed certificate

Reply via email to