jmeter-issues mailing list archives

From bugzi...@apache.org
Subject [Bug 62863] PKCS11 keystores are unusable for TLS
Date Mon, 29 Oct 2018 17:43:06 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=62863

--- Comment #2 from clifford.harms@gmail.com ---
Created attachment 36221
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=36221&action=edit
jmeter pkcs11 patch

The attached patch successfully passes tests with the exception of some tests
that were failing before the patch was applied in my environment (unable to
resolve jmeter.org etc.).  Patch also passes checkstyle as required in
submission guidelines.

What the patch does:
- Removes the assumption of a file-based keystore
- Adds password masking for the SSLManager password prompt. I included this
because it is likely that if the use of a PKCS11 crypto module is required to
load test/test, a plain text password prompt is likely to be unacceptable.  

The use of PKCS11 requires configuring the JVM running jmeter as described in
https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html

The patch was tested against a PKCS11 configured JVM on Red Hat Enterprise
Linux 7 using the libcoolkey pkcs11 smart card driver in conjunction with a
smart card.

Note that the PKCS11 module password/pin must be configured via JSSE system
properties if running in non-gui mode.  It should be possible to implement a
command line prompt when running outside of the GUI mode, but I haven't had
time to explore this yet.

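The two behaviours the comment describes, a keystore with no backing file and a PIN that is never echoed, can be seen in the following added example; it is not the attached patch and not JMeter code. It assumes the SunPKCS11 provider is already configured in the JVM as the linked Oracle guide describes, and the class and method names are hypothetical.

```java
import java.io.Console;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

// Added illustration only. Class and method names are hypothetical.
public class Pkcs11TlsContext {

    /** Reads the token PIN without echo, else falls back to the JSSE property. */
    static char[] readPin() {
        Console console = System.console(); // null when stdin is not a terminal
        if (console != null) {
            char[] pin = console.readPassword("PKCS11 token PIN: ");
            if (pin != null) {              // null means end of input was reached
                return pin;
            }
        }
        String prop = System.getProperty("javax.net.ssl.keyStorePassword");
        if (prop == null) {
            throw new IllegalStateException(
                    "no console PIN and javax.net.ssl.keyStorePassword is not set");
        }
        return prop.toCharArray();
    }

    /** Builds a client TLS context whose private key never leaves the token. */
    static SSLContext build(char[] pin) throws Exception {
        // A token-backed keystore has no file, so the stream argument is null.
        KeyStore ks = KeyStore.getInstance("PKCS11");
        ks.load(null, pin);
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pin);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null); // default trust managers
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] pin = readPin();
        try {
            SSLContext ctx = build(pin);
            System.out.println("TLS context ready: " + ctx.getProtocol());
        } finally {
            Arrays.fill(pin, '\0'); // do not leave the PIN in memory
        }
    }
}
```

When the PIN is supplied through `javax.net.ssl.keyStorePassword` on the command line it is visible in the process list, which is why the console prompt is tried first.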