jmeter-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Berin Loritsch <blorit...@apache.org>
Subject Re: trouble with cert-based authentication
Date Tue, 05 Feb 2002 14:12:03 GMT
Levi Stamper wrote:

> I'm having trouble getting certificate-based user auth
> to work with jmeter.


Since I wrote that, I will try to help you.  If the site is
simple, Cert-based testing works.  I have found some instances
where no matter what I do, I can't get JMeter to authenticate.

That said, I want to check a few things:

1) Is the server CA certificate installed where JMeter can
    see it?  Typically I add it to a jssecacerts keystore
    stored in ${java.home}/jre/lib/security/jssecacerts.

2) It could be the PKCS12 file is not formatted in a way
    that JSSE likes.  Try importing it to Netscape, and
    re-exporting it again.  This way Netscape formats it
    in a way that JSSE likes.

3) It could be that JSSE does not like the CA certificate.
    I have run into issues where one of the attributes on
    the Server Cert chain or the PKCS12 file will cause
    authentication negotiations to fail.

Do work through the suggestions on the Sun site:

http://java.sun.com/products/jsse/doc/guide/API_users_guide.html#Troubleshooting


It will help you if you enable the following option when you
run Certificate based authentication:

-Djavax.net.debug=all

You will see 20-30 pages of information that covers all aspects of
the authentication negotiation.  Many times it will give you a better
view of why it is not working.


> 
> 1) JSSE is installed, and appears to function properly
> (ver 1.02)
> 2) keys are in a pkcs12 file, and have a (>6)
> character passphrase
> 
> 
> I'm trying to hit an apache+modssl web server
> (confirmed working with browser).  Here's what apache
> says:
> 
> attempting to aim jmeter at mod_ssl apache server:
> 
> apache ssl_engine_log:
> 
> 
> [30/Jan/2002 00:09:31 01613] [info]  Connection to
> child 5 established (server
> drake1.netopsgroup.com:443, client 192.168.1.15)
> [30/Jan/2002 00:09:31 01613] [info]  Seeding PRNG with
> 1160 bytes of entropy
> [30/Jan/2002 00:09:33 01613] [error] SSL handshake
> failed (server drake1.netopsgroup.com:443, client
> 192.168.1.15) (OpenSSL library error follows)
> [30/Jan/2002 00:09:33 01613] [error] OpenSSL:
> error:140890C7:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not
> return a certificate [Hint: No CAs known to server for
> verification?]
> 
> 
> 
> apache error_log:
> 
> [Wed Jan 30 00:14:04 2002] [error] mod_ssl: SSL
> handshake failed (server drake1.netopsgroup.com:443,
> client 192.168.1.15) (OpenSSL library error follows)
> [Wed Jan 30 00:14:04 2002] [error] OpenSSL:
> error:140890C7:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not
> return a certificate [Hint: No CAs known to server for
> verification?]
> 
> 
> apache access_log:
> 
> <nothing of interest>
> 
> 
> 
> 
> Here's what jmeter is logging on  (stderr?) during all
> of this:
> 
> jmeter output (tail end of it):
> 
> Server write key:
> 0000: 98 0C 8D 00 B2 E9 5C 19   F4 2F CC 2F A7 0E 1A
> FD  ......\.././....
> ... no IV for cipher
> Thread-1, WRITE:  SSL v3.1 Change Cipher Spec, length
> = 1
> *** Finished, v3.1
> verify_data:  { 232, 248, 93, 191, 6, 2, 82, 176, 4,
> 167, 168, 147 }
> ***
> [write] MD5 and SHA1 hashes:  len = 16
> 0000: 14 00 00 0C E8 F8 5D BF   06 02 52 B0 04 A7 A8
> 93  ......]...R.....
> Plaintext before ENCRYPTION:  len = 36
> 0000: 14 00 00 0C E8 F8 5D BF   06 02 52 B0 04 A7 A8
> 93  ......]...R.....
> 0010: 82 DB A9 06 0D F3 12 96   62 1A D0 06 8D DF 32
> DD  ........b.....2.
> 0020: CA 4C D0 70                                     
>   .L.p
> Thread-1, WRITE:  SSL v3.1 Handshake, length = 36
> java.io.IOException: Broken pipe
> 	at java.net.SocketOutputStream.socketWrite(Native
> Method)
> 	at
> java.net.SocketOutputStream.write(SocketOutputStream.java:83)
> 	at
> com.sun.net.ssl.internal.ssl.OutputRecord.a([DashoPro-V1.2-120198])
> 	at
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
> 	at
> com.sun.net.ssl.internal.ssl.HandshakeOutStream.flush([DashoPro-V1.2-120198])
> 	at
> com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec([DashoPro-V1.2-120198])
> 	at
> com.sun.net.ssl.internal.ssl.ClientHandshaker.e([DashoPro-V1.2-120198])
> 	at
> com.sun.net.ssl.internal.ssl.ClientHandshaker.a([DashoPro-V1.2-120198])
> 	at
> com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage([DashoPro-V1.2-120198])
> 	at
> com.sun.net.ssl.internal.ssl.Handshaker.process_record([DashoPro-V1.2-120198])
> 	at
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
> 	at
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
> 	at
> com.sun.net.ssl.internal.ssl.AppOutputStream.write([DashoPro-V1.2-120198])
> 	at java.io.OutputStream.write(OutputStream.java:61)
> 	at
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake([DashoPro-V1.2-120198])
> 	at
> com.sun.net.ssl.internal.www.protocol.https.HttpsClient.doConnect([DashoPro-V1.2-120198])
> 	at
> com.sun.net.ssl.internal.www.protocol.https.NetworkClient.openServer([DashoPro-V1.2-120198])
> 	at
> com.sun.net.ssl.internal.www.protocol.https.HttpClient.l([DashoPro-V1.2-120198])
> 	at
> com.sun.net.ssl.internal.www.protocol.https.HttpClient.<init>([DashoPro-V1.2-120198])
> 	at
> com.sun.net.ssl.internal.www.protocol.https.HttpsClient.<init>([DashoPro-V1.2-120198])
> at
> com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
> 	at
> com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
> 	at
> com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect([DashoPro-V1.2-120198])
> at
> org.apache.jmeter.protocol.http.sampler.HTTPSampler.sample(HTTPSampler.java:437)
> 	at
> org.apache.jmeter.protocol.http.sampler.HTTPSampler.sample(HTTPSampler.java:164)
> 	at
> org.apache.jmeter.threads.JMeterThread.run(JMeterThread.java:275)
> 	at java.lang.Thread.run(Thread.java:484)
> 
> 
> 
> 
> -----------------------
> 
> I really hope it's something stupid that I'm
> missing...please help if you can.
> 
> Regards,
> 
> LS
> 
> 
> 
> 
> 
> 
> __________________________________________________
> Do You Yahoo!?
> Great stuff seeking new owners in Yahoo! Auctions! 
> http://auctions.yahoo.com
> 
> --
> To unsubscribe, e-mail:   <mailto:jmeter-user-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: <mailto:jmeter-user-help@jakarta.apache.org>
> 
> .
> 
> 



-- 

"They that give up essential liberty to obtain a little temporary safety
  deserve neither liberty nor safety."
                 - Benjamin Franklin


--
To unsubscribe, e-mail:   <mailto:jmeter-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:jmeter-user-help@jakarta.apache.org>


Mime
View raw message