jmeter-user mailing list archives

From George <bamboocha...@yahoo.de>
Subject Re: JMeter SMTP Sampler with (SSL/TLS) and TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Date Wed, 15 Jul 2015 09:17:33 GMT
Hello,

I now have r1609478 running and have set jmeter.properties to use TLSv1.2. But
this setting is only for "http"... and not for smtp. Anyway, I set it to TLSv1.2.

It's still not running. I turned debug on and I see on my terminal:

*** ClientHello, TLSv1

In the JMeter logger panel I see:

jmeter.protocol.smtp.sampler.protocol.SendMailCommand: User ssl/tls protocols for mail: SSLv2Hello SSLv3 TLSv1 TLSv1.1 TLSv1.2

But when I try to connect on port 465 it's not working.

I also tried with a native mail client, Thunderbird 31.4, which supports TLSv1.2. There it
works like a charm from the beginning.

In my server logs I see this:

SSL-Tunnel established (TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 (128/128)

Of course it's not the strong cipher TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, but with
Thunderbird it's working with at least TLSv1.2.

Thus: my server works perfectly and accepts TLSv1.2 connections ONLY. If a client tries to
connect with anything below TLSv1.2 then my server does not accept it.
For testing purposes I can activate TLSv1.1 and TLSv1.0 and then JMeter is working too.

Maybe some more info. If I use JMeter and the HTTP Sampler then I can do TLSv1.2 connections
with the strong cipher. But for this I need to put this in my jmeter.sh start script:

JMETER_OPTS="-Dhttps.cipherSuites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"

So:
HTTP and TLSv1.2 and strong cipher = works with JMeter
SMTP with TLSv1.2 = is (still) not working
SMTP with TLSv1.2 and strong cipher = also not working

Br
George

 


Felix Schumacher <felix.schumacher@internetallee.de> wrote on Wednesday, 17 June 2015, 17:45:

On 9 June 2015 11:41:42 CEST, George <bamboocha324@yahoo.de> wrote:
>HI,
>ok i will get the nightly build and try it out.

Have you tried the nightly and did it help you? 

Regards,
Felix

>Br
>George
>
>
>Felix Schumacher <felix.schumacher@internetallee.de> wrote on Monday, 8 June 2015, 19:31:
>
>
> On 08.06.2015 at 15:12, George wrote:
>> Hello Felix,
>>
>>
>>      Felix Schumacher <felix.schumacher@internetallee.de> wrote on Sunday, 7 June 2015, 14:58:
>>
>>
>>  On 06.06.2015 at 17:54, Felix Schumacher wrote:
>>> Hi George,
>>>
>>> On 03.06.2015 at 12:11, George wrote:
>>>> Hello,
>>>> yes, my server can do tls 1.2 perfectly and also with the above
>>>> (strong) cipher. I did some more tests where I modified my server
>>>> configuration step by step until it works, and here are my results.
>>>> Test 1: My server allows ONLY tls 1.2 and ONLY the cipher
>>>> ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
>>>> Test 2: My server allows ONLY tls 1.2 and ANY cipher
>>>> Test 3: My server allows tls 1.2 and tls 1.1 and ANY cipher
>>>> Test 4: My server allows tls 1.2 and tls 1.1 and tls 1.0 and ANY cipher
>>>>
>>>> My jmeter.properties is set to do tls1.2 only - but the SSL
>>>> configuration is only for the http protocol and not for smtp(s). Thus
>>>> I think this does not matter. I have java jre 1.8 latest plus the Oracle
>>>> security "Unlimited Strength Java Cryptography Extension Policy
>>>> Files" package.
>>>> My jmeter test plan is very easy.
>>>> One thread, one smtp sampler and one "view results in tree". The SMTP
>>>> Sampler targets my mail server on port "465" and the checkbox "use
>>>> ssl" is enabled and the hook "Trust all certificates" is enabled
>>>> too. There is one Subject: hello and Email body: hello. Simple.
>>>> Results:
>>>> Test 1: Fail - no ssl handshake
>>>> Test 2: Fail - no ssl handshake
>>>> Test 3: Fail - no ssl handshake
>>>> Test 4: Success: Perfectly SSL Handshake. SSL Connection established
>>>> using "TLSv1 ECDHE-ECDSA-AES256-SHA" (no client certificate checkup
>>>> <- means no mutual ssl)
>>>> OK, thus it works. I can send an email with the jmeter SMTP sampler using
>>>> (direct) ssl on port 465 - but it only works if I activate tls1.0.
>>>> I did not find any jmeter configuration about "smtps".
>>>>
>>>> I did some further tests with thunderbird 31.4 (on a linux). Here are
>>>> the results.
>>>> Test 1: Fails - no ssl connection
>>>> Test 2, 3 and 4: Success.
>>>> Looking at the thunderbird settings, it's strange but the cipher I want
>>>> to use is not available. Thus I can do tls1.2 but not with my
>>>> "strong" cipher.
>>>> Br.
>>>> George
>>> I have added a few println's in TrustAllSSLSocketFactory and found
>>> that I have to change the line where the sslcontext is created first
>>> by calling SSLContext.getInstance("TLS").
>>>
>>> When you change that occurrence of TLS to TLSv1.2 you should get a
>>> TLSv1.2 connection with a strong cipher suite.
>>>
>>> This default setting should probably be configurable as the used
>>> cipher suites.
>>> After a bit more research, the behaviour seems to be different between
>>> java 7 and java 8. In my tests java 8 was able to do a TLSv1.2 connect
>>> with getInstance("TLS"), while java 7 was not.
>>> Can you double check that you are using java 8?
>> yes, I'm using java 8. java -version gives me: java version "1.8.0_20".
>> It's not the newest java 8 but it is java 8 for sure.
>> I'm not sure what you mean about SSLContext.getInstance("TLS") and
>> where to change it to "TLSv1.2"?
>You could have changed it inside the source code of the class. But
>don't bother with it anymore.
>> I did some debugging tests and have set the jmeter properties to
>> "DEBUG" (log level) and I also turned debug on in
>> system.properties for ssl (all). When I configure my server to accept
>> TLSv1.0, TLSv1.1 and TLSv1.2 then jmeter ssl works and I see the
>> following:
>> trigger seeding of SecureRandom
>> done seeding SecureRandom
>> *** ClientHello, TLSv1
>> *** ServerHello, TLSv1
>> %% Initialized: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
>> ** TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>> *** Certificate chain
>> *** ECDH ServerKeyExchange
>> *** ServerHelloDone
>> *** ECDHClientKeyExchange.....
>> Now I change my server to only allow TLSv1.2 and then I see this:
>> *** ClientHello, TLSv1
>> and then broken pipe and "SEND TLSv1.2 ALERT: fatal, description =
>> handshake_failure"
>> The same error if I turn on TLSv1.1.
>>
>> Well, I do not know how to turn on TLSv1.2 for SMTP in JMeter?
>> There are some configuration properties for http(s) and this works
>> perfectly with TLSv1.2. But not for SMTP.
>
>I have filed a bug request 
>(https://bz.apache.org/bugzilla/show_bug.cgi?id=58013) and submitted a
>fix.
>
>Could you try it out?
>
>The next nightly should have the fix, or you can build jmeter yourself 
>from source.
>
>Regards
>  Felix
>> Br
>> George
>>
>>
>>
>>> Regards
>>    > Felix
>>> Regards
>>>    Felix
>>>
>>>>
>>>>
>>>>        Felix Schumacher <felix.schumacher@internetallee.de> wrote on
>>>> Monday, 1 June 2015, 10:29:
>>>>
>>>>    On 29.05.2015 at 13:16, George wrote:
>>>>> Hello,
>>>>> I am trying to send a "hello" email using the SMTP Sampler and want to use
>>>>> SSL/TLS on standard port 465 for this connection. Moreover, I want to use
>>>>> TLSv1.2 with the very strong cipher
>>>>> "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384". Currently the handshake fails.
>>>>> Technically, if I change the configuration on my server to also accept
>>>>> TLSv1.1 and v1.0 then the SSL connection works and the email is sent
>>>>> perfectly. I see in the logs that the client (jmeter) and my server
>>>>> agreed on a cipher coming from TLS1.0. Thus in general SSL is
>>>>> working but not with TLSv1.2.
>>>>> Does anyone have any idea how I can use SMTP(s) with TLSv1.2 and the above
>>>>> cipher? I tried to put this in my jmeter.sh file but it seems it does
>>>>> not matter?
>>>>>
>>>>> JMETER_OPTS="-Dhttps.cipherSuites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
>>>>>
>>>> The smtp sampler has no option to specify the wanted ciphersuites, so
>>>> the option given above will not be used.
>>>>> I also installed the latest java jdk and I also installed the additional
>>>>> strong security package and replaced the .jar files in
>>>>> /usr/java/jre.../lib/security
>>>> Which jdk did you install exactly?
>>>>
>>>> Have you checked (with openssl or something similar), that your
>>>> mailserver is capable of TLSv1.2?
>>>>
>>>> Regards
>>>>      Felix
>>>>> Br
>>>>> George
>>>>>
>>>>>
>>>>
>---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: user-unsubscribe@jmeter.apache.org
>>>> For additional commands, e-mail: user-help@jmeter.apache.org
>>>>
>>>>
>>>>


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@jmeter.apache.org
For additional commands, e-mail: user-help@jmeter.apache.org
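
The difference Felix describes between `SSLContext.getInstance("TLS")` and `SSLContext.getInstance("TLSv1.2")` can be checked outside JMeter. The following is an added example, not code from this thread or from JMeter; the class name `TlsProbe` and the host and port arguments are assumptions. It lists the protocols each context name enables by default on the running JRE, then attempts a TLSv1.2-only handshake offering the suite from the subject line.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

// Added example: diagnostic for implicit-TLS (SMTPS, port 465) handshakes.
public class TlsProbe {
    static final String SUITE = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384";

    // Protocols that a context created under the given name enables by default.
    static String[] defaultProtocols(String contextName) throws Exception {
        SSLContext ctx = SSLContext.getInstance(contextName);
        ctx.init(null, null, null); // default trust managers: certificates are still validated
        return ctx.getDefaultSSLParameters().getProtocols();
    }

    // Handshake offering only TLSv1.2 and, if this JRE supports it, only SUITE.
    // If SUITE is unsupported, the JRE's default suites are offered instead.
    static String probe(String host, int port) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null);
        boolean supported = Arrays.asList(
                ctx.getSupportedSSLParameters().getCipherSuites()).contains(SUITE);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.setSoTimeout(10000);
            s.setEnabledProtocols(new String[] {"TLSv1.2"});
            if (supported) {
                s.setEnabledCipherSuites(new String[] {SUITE});
            }
            s.startHandshake(); // throws SSLHandshakeException if the server refuses
            return s.getSession().getProtocol() + " " + s.getSession().getCipherSuite();
        }
    }

    public static void main(String[] args) throws Exception {
        for (String name : new String[] {"TLS", "TLSv1.2"}) {
            System.out.println(name + " -> " + Arrays.toString(defaultProtocols(name)));
        }
        if (args.length == 2) {
            System.out.println("negotiated: " + probe(args[0], Integer.parseInt(args[1])));
        } else {
            System.out.println("usage: java TlsProbe <host> <port>");
        }
    }
}
```

Running it with `-Djavax.net.debug=ssl` shows the protocol version carried in the ClientHello, which is the line to compare against the `*** ClientHello, TLSv1` output quoted in the thread. An ECDHE_ECDSA suite can only be negotiated when the server presents an ECDSA certificate.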