jmeter-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: SMTP Sampler and TLSv1.2/CipherSuites
Date Sun, 07 Jun 2015 13:24:23 GMT
Am 07.06.2015 um 15:16 schrieb sebb:
> On 7 June 2015 at 13:10, Felix Schumacher
> <felix.schumacher@internetallee.de> wrote:
>> Am 07.06.2015 um 11:12 schrieb Rainer Jung:
>>>
>>> Am 06.06.2015 um 17:59 schrieb Felix Schumacher:
>>>>
>>>> Hi all,
>>>>
>>>> to enable the SMPT Sampler to use a higher TLS version than TLSv1 it
>>>> seems to be necessary to change the SSLContext.getInstance call in
>>>> TrustAllSSLSocketFactory from "TLS" to "TLSv1.2".
>>>
>>>
>>> Any idea why? When I test java HTTP connectivity, then "TLS" is able to
>>> connect TLSv1.2 if the JVM is new enough end the server supports it. "TLS"
>>> in getInstance() is not very wel documented, but in general seems to support
>>> al TLS versions trying to use the newest one supported by both sides.
>>>
>>> There's also the possibility to set enabledProtocols() which does not
>>> support the string "TLS", but only the explicit protocol versions. But even
>>> without setting enabled protocols and just sticking to defaults,I can get a
>>> TLSv1.2 (HTTP) connection with Java 8 and e.g. a TLSv1 connection with Java
>>> 6, both creating the SSLContext via getInstance("TLS").
>>
>> I have done my tests using java 7. When I repeated them with java 8 (after I
>> wrote the text below), I got the same results, as you reported. So it seems
>> to be a problem with java 7 only.
>>
>>>
>>> Is there a public SMTP server which can be used to observe the problem you
>>> see?
>>
>> I have used a docker image (catatnight/postfix) with self signed certs.
>> Instead of running it directly, I started a shell with it:
>>
>> $ docker run -ti -p 587:587  -e maildomain=whatever.local -e
>> smtp_user=user:pwd -v "${PATH_TO_CERTS}":/etc/postfix/certs
>> catatnight/postfix /bin/bash
>>
>> Inside the new prompt I used the install.sh script from the docker image, so
>> that my keys get used and disabled every protocol except TLSv1.2:
>>
>> root@abc...:/# /opt/install.sh
>> # Some message about missing dkim keys (can be ignored)
>> root@abc...:/# postconf -e 'smtpd_tls_mandatory_protocols=TLSv1.2'
>> root@abc...:/# service postfix start
>> # Message that postfix started
>>
>> In another terminal I used openssl to connect to the server with TLSv1.2
>> (success) and TLSv1.2 (no success) using:
>>
>> $ openssl s_client -tls1_2 -starttls smtp -connect localhost:587
>> # ...
>> # ---
>> # 250 DSN
>> quit
>> $ openssl s_client -tls1_1 -starttls smtp -connect localhost:587
>> # ...
>> # ---
>> $
>>
>> With this setup and the getInstance("TLS") I got no connection, while
>> getInstance("TLSv1.2") gave me a connection.
>>
>> When I start the postfix server in its default configuration (every protocol
>> allowed except SSLv2), JMeter is able to make a connection, but will use
>> TLSv1 only.
>>
>> This test was done on ubuntu 14.04 LTS with OpenJDK 1.7.0_79. And after I
>> wrote this text I repeated the tests with Oracles java versions 1.7.0_80,
>> 1.8.0_45 and 1.9.0-ea-b66 where java 8 and 9 successfully created a
>> connection with getInstance("TLS") and java 7 did not.
>>
>> So it seems to be a problem with java 7 and getInstance("TLS") only.
>>
>> Should we still add a system property to influence the selection of the used
>> protocol?
>
> It won't do any harm, and might help some users, so I suggest we add
> the property.

Not that there's two knobs one can turn: the so called protocol used in 
getInstance() which can be a real protocol, but also the token "TLS", 
and the list or protocols passed to SSLSocket.enabledProtocols(). The 
interaction between the two is not well documented, but it might be 
better keeping protocol as TLS but explicitely enabling protocols via 
enabledProtocols. The supported protocols are available via 
getSupportedSSLParameters().getProtocols().

Regards,

Rainer


Mime
View raw message