jmeter-dev mailing list archives

From Milamber <milam...@apache.org>
Subject Re: For the next release
Date Tue, 28 Aug 2012 19:23:59 GMT


On 28/08/2012 15:26, sebb wrote:
> On 25 August 2012 15:22, Milamber <milamber@apache.org> wrote:
>> Hello,
>>
>> For the next release, I propose:
>>
>> a) Since JMeter 2.4 and the capabilities to record HTTPS requests by JMeter
>> proxy, I propose to remove the options "Attempt HTTPS Spoofing" and "Only
>> spoof URLS matching" on the HTTP Proxy Server element.
> OK.
>
>> b1) renew the JMeter self-certificate (current expire date is 2014-08-04), to
>> a long period (20 years)
> Not so sure about that; it was deliberately chosen to expire so it
> could not be forgotten.

Ok no changes

>
>> b2) Extract from the file proxyserver.jks the public (fake) key Apache
>> JMeter to a PEM format, in a file "proxyserver.pem".
> OK
>
>> b3) Add some sentences in the proxy documentation to invite the user to add
>> this public key as a trusted CA in their browser or OS's certificate manager
>> to permit the recording of an https session with JMeter proxy (and remove it
>> at the end of the recording).
> I think that is a bad idea.
> The fake key should never be added as trusted.
> Far too easy for it to be accidentally left enabled.

In fact, even if we add the fake JMeter public key to your trusted CAs,
we get a warning because there is a mismatch between the site name
and the common name of the certificate.

Thus, the points b2 and b3 are no longer necessary.

>
>> (or temporarily accept the certificate from the browser)
> OK.
>
>> c) Make HTTPClient 3.1 the default HTTP Request (and Proxy generated
>> request)
> Why not default to HC4 ?

For a progressive transition.
But I agree to make HC4 the default (http request and cookie impl
too). If everybody is OK?

>
> HC3.1 is end-of-line and won't be developed further.

Perhaps, in 2-3 JMeter versions (for example the next major X.0 version),
we can remove the Java and HC3 impl (request/cookie), to focus on HC4.

>
> If we don't feel we are ready to make HC4 the default, I think it
> should be left unchanged.
>
>> If you are OK, I can make the changes for these points.
> It would be easier to track these as separate Bugzilla issues.

I will put the tickets on Bugzilla:
1) remove https spoofing and filter
2) change the default implementation of http request to HC4 (if ok)

Milamber

>
>> Thanks in advance for your feedback or your agreement.
>>
>> Milamber

