jmeter-dev mailing list archives

From Milamber <milam...@apache.org>
Subject Re: SSL Proxy recording - testing help needed
Date Wed, 11 Sep 2013 18:54:33 GMT

On 11/09/2013 19:25, sebb wrote:
> On 11 September 2013 18:59, Milamber <milamber@apache.org> wrote:
>> I've made some tests on my system (Linux Debian + GNOME (with network-manager
>> to manage proxy settings) + Oracle Java 7)
>> (and some tests with Java 6 (without dynamic keys))
> Thanks!
>
>> Test page: https://libcloud.apache.org/getting-started.html
> What domains/hosts did you preset?

Some tests with *.apache.org
Some tests with empty field (individual certs)
(and some tests with bad domains like *.*, *, *.co.ma, *.org, *.com: these 
don't work (invalid domains), and JMeter creates/uses individual certs)


>
>> * Firefox (Iceweasel) : OK
>> SSL warning is displayed; after accepting, https elements are recorded.
> If you load the certificate, there should be no need to accept?

Yes of course, after importing the CA pubkey, no warning, but *all* https 
URLs are loaded (google, twitter) despite the fact that I've set up HTTP Domains 
to *.apache.org?

The proxyserver.jks (name to change?) contains
Alias name: api.twitter.com
Alias name: *.apache.org
Alias name: ssl.google-analytics.com
Alias name: :root_ca:
Alias name: :intermediate_ca:

Normal?

(note, I've removed *.csr, *.usr, and proxyserver.jks before each test)

(and the files .csr and .usr are only created with Java 7 - perhaps need 
an info line in jmeter.log?)

>
>> (but: 2 or 3 samples with
>> javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
>>      at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
>>      at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
>>      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1822)
>>      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1004)
>>      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:820)
>>      at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
>>      at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
>>      at java.io.BufferedInputStream.read(BufferedInputStream.java:237)
>>      at org.apache.jmeter.protocol.http.proxy.HttpRequestHdr.parse(HttpRequestHdr.java:117)
>>      at org.apache.jmeter.protocol.http.proxy.Proxy.run(Proxy.java:195)
>> in view Results Tree (under Proxy recorder)
> I think that could be a timing issue.
> I've sometimes seen this the first time a host is accessed.
> It can take several seconds to create the certificate; this seems to
> cause problems for some requests.
> If you retry once the certificate has been created you may find it all works OK.

Yes all is ok after.

Milamber

>
>> * Chrome (proxy settings with network manager) : OK
>> SSL warning is displayed; after accepting, https elements are recorded.
> Again, there should be no warning.
>
>> * Epiphany (Web browser included with GNOME) : OK
>> Without warning message, all HTTPS urls are loaded (with the temporary
>> certs) (apache.org, twitter, google elements)
>>
>>
>> ==
>>
>> In the special case when it's a java 6 runtime env and the HTTPS domains
>> field is disabled, we should perhaps add some tool tip text in label/field
>> to help the user to understand why the field is disabled. (I will make this)
> Good idea.
>
>> Milamber
>>
>>
>> On 10/09/2013 01:52, sebb wrote:
>>
>>> Testing help still needed!
>>>
>>> On 6 September 2013 23:09, sebb <sebbaz@gmail.com> wrote:
>>>> The Proxy server can now record embedded resources when used on Java 7.
>>>>
>>>> It creates a CA and keystore as needed.
>>>>
>>>> More work is needed:
>>>> - creating certs is fairly slow, so it would help if these were set up
>>>> before the test started.
>>> This is now done in ProxyControl when the start button is pressed.
>>>
>>>> - the CA cert is not created until the first SSL request is received,
>>>> so the first browser request will fail. The certificate can then be
>>>> loaded and the recording restarted. This needs to be fixed
>>> This has been fixed as above; pressing Start creates the CA if necessary.
>>>
>>> The CA cert can now be installed before starting the recording.
>>>
>>>> - documentation
>>> That still needs to be done, but it would help to know whether the
>>> code works for others, not just on my system.
>>>
>>>> Initialising the keystore
>>>> ---------------------------------
>>>> Ideally the CA cert needs to be created before the test starts, so it
>>>> can be loaded into the browser. However not all recordings use SSL, so
>>>> it seems wasteful to create the keystore if it won't then be used.
>>>>
>>>> Also, creating additional host entries is quite slow, so it would be
>>>> useful to be able to specify these in advance.
>>>>
>>>> One possible approach would be to add a new field to the GUI (Global
>>>> Settings has room) where the user could list the hosts/domains they
>>>> intend to test. [This would also signal that SSL proxying is required]
>>>> When the Proxy is started, it could then create the keys if necessary.
>>>> This would also create the certificate ready for the browser to load.
>>> That has been implemented.
>>>
>>> Note that Start can now take a minute or two the first time it is used.
>>>
>>>> Domains would be indicated by a leading "*." - e.g. *.apache.org.
>>>> It would be easy to match a host against a domain.
>>>> This would get round the issue that converting from host to domain is
>>>> tricky to do programmatically (there are lots of special cases).
>>>> Whereas the user presumably has a pretty good idea what domains they
>>>> are testing.
>>> That has been implemented.
>>>
>>>> I hope to make a start on improving the code in a day or two; in the
>>>> meantime if there are any issues/suggestions please raise them here.
>>> Feedback needed on the latest version.
>>>
>>> Does it work OK for you?
>>> What does not work well?
>>> Are there any blockers (apart from docs) that mean it could not be
>>> used for the next release of JMeter?
>>>
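
The host-against-domain matching discussed in this thread, as an added example that is not JMeter's code: it picks the keystore alias a recording proxy would serve for a host, using a preset "*." domain when one applies and a per-host certificate otherwise. The class and method names are hypothetical, PUBLIC_SUFFIXES is a constructed stand-in for a real public-suffix list, and the one-label wildcard rule is the one browsers apply, assumed here rather than taken from JMeter.

```java
import java.util.*;

public class AliasSelector {
    // Constructed sample data: a real check needs the full public-suffix list.
    static final Set<String> PUBLIC_SUFFIXES =
            new HashSet<>(Arrays.asList("org", "com", "co.ma"));

    /** A preset is usable only as "*.<base>" where base is a registrable
     *  domain: no further wildcard, at least one dot, not a public suffix. */
    static boolean isValidWildcard(String preset) {
        if (!preset.startsWith("*.")) return false;
        String base = preset.substring(2).toLowerCase(Locale.ROOT);
        return !base.contains("*") && base.contains(".")
                && !PUBLIC_SUFFIXES.contains(base);
    }

    /** The wildcard covers exactly one left-most label, so "*.apache.org"
     *  matches libcloud.apache.org but not a.b.apache.org or apache.org. */
    static boolean matches(String host, String wildcard) {
        String suffix = wildcard.substring(1).toLowerCase(Locale.ROOT);
        String h = host.toLowerCase(Locale.ROOT);
        if (!h.endsWith(suffix)) return false;
        String label = h.substring(0, h.length() - suffix.length());
        return !label.isEmpty() && !label.contains(".");
    }

    /** Returns the alias whose certificate would be presented for host. */
    static String aliasFor(String host, List<String> presets) {
        for (String p : presets) {
            if (isValidWildcard(p) && matches(host, p)) return p;
        }
        return host; // no usable wildcard: individual per-host certificate
    }

    public static void main(String[] args) {
        // Presets taken from the tests described in the message above.
        List<String> presets = Arrays.asList("*.apache.org", "*.co.ma", "*.*", "*");
        String[] hosts = {"libcloud.apache.org", "api.twitter.com",
                "ssl.google-analytics.com", "a.b.apache.org", "apache.org"};
        for (String host : hosts) {
            System.out.println(host + " -> " + aliasFor(host, presets));
        }
    }
}
```

Under these assumptions only libcloud.apache.org resolves to the shared *.apache.org alias; every other host falls through to its own alias, which is consistent with the per-host entries listed from proxyserver.jks.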

