Discussion:
Can JMeter ignore SSL certificate expiry?
Sonam Chauhan
2006-04-07 07:57:10 UTC
Hello -

Can JMeter 2.2.1's SSL engine be set to ignore expired SSL certs?

When JMeter 2.2.1 makes SSL requests to a webserver with an expired SSL
certificate, all SSL connection attempts fail with a Java
CertificateExpiredException (see below). Having an unexpired SSL
certificate on the server fixes the problem. But, we use expired certs
on our internal test servers -- hence this question.

The SSL provider in JMeter properties is set to the default (see below).

Note: JMeter 1.9.1 showed different (and anomalous) behavior dealing
with the same expired certificates -- it gave out a misleading error and
only the first SSL connection would fail. See Bugzilla bug # 25505 I
filed in 2004: http://issues.apache.org/bugzilla/show_bug.cgi?id=25505

The error message in JMeter 2.2.1 is now accurate, and all HTTPS
connections (not just the first) fail consistently. So you may want to
close the 1.9.1 bug as WONTFIX?

Sincerely,
Sonam Chauhan
--
Corporate Express Australia Ltd.
Phone: +61-2-9335-0725, Email: ***@ce.com.au


FROM JMETER PROPERTIES
========================
#Classname of the ssl provider to be used (to enable testing of https urls)
#And the package name where Stream Handlers can be found
#These provided defaults can be uncommented, and they will work if you are using
#Sun's JSSE implementation.

ssl.provider=com.sun.net.ssl.internal.ssl.Provider
#ssl.provider=iaik.security.jsse.provider.IAIKJSSEProvider
ssl.pkgs=com.sun.net.ssl.internal.www.protocol



EXCEPTION MESSAGE
==================
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Sat Nov 12 10:22:14 EST 2005
    at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(DashoA6275)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(DashoA6275)
    at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnectionOldImpl.connect(DashoA6275)
    at org.apache.jmeter.protocol.http.sampler.HTTPSampler.sample(HTTPSampler.java:424)
    at org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.sample(HTTPSamplerBase.java:514)
    at org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.sample(HTTPSamplerBase.java:503)
    at org.apache.jmeter.threads.JMeterThread.run(JMeterThread.java:247)
    at java.lang.Thread.run(Thread.java:534)
Caused by: java.security.cert.CertificateExpiredException: NotAfter: Sat Nov 12 10:22:14 EST 2005
    at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:268)
    at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:564)
    at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:123)
    at sun.security.validator.Validator.validate(Validator.java:202)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(DashoA6275)
    at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(DashoA6275)
    ... 14 more
sebb
2006-04-07 12:43:16 UTC
Post by Sonam Chauhan
Hello -
Can JMeter 2.2.1's SSL engine be set to ignore expired SSL certs?
JMeter only uses the facilities provided by JSSE.

Perhaps there is a property one can set? Might be worth checking the
Sun Java web-site.

If you do find anything (or anyone else knows) please let us know, and
it can be added to the documentation.
Post by Sonam Chauhan
When JMeter 2.2.1 makes SSL requests to a webserver with an expired SSL
certificate, all SSL connection attempts fail with a Java
CertificateExpiredException (see below). Having an unexpired SSL
certificate on the server fixes the problem. But, we use expired certs
on our internal test servers -- hence this question.
The SSL provider in JMeter properties is set to the default (see below).
Note: JMeter 1.9.1 showed different (and anomalous) behavior dealing
with the same expired certificates -- it gave out a misleading error and
only the first SSL connection would fail. See Bugzilla bug # 25505 I
filed in 2004: http://issues.apache.org/bugzilla/show_bug.cgi?id=25505
The error message in JMeter 2.2.1 is now accurate, and all HTTPS
connections (not just the first) fail consistently. So you may want to
close the 1.9.1 bug as WONTFIX?
Thanks!
---------------------------------------------------------------------
Sonam Chauhan
2006-04-10 03:00:08 UTC
Post by sebb
Post by Sonam Chauhan
Can JMeter 2.2.1's SSL engine be set to ignore expired SSL certs?
When JMeter 2.2.1 makes SSL requests to a webserver with an expired SSL
certificate, all SSL connection attempts fail with a Java
CertificateExpiredException (see below). Having an unexpired SSL
certificate on the server fixes the problem. But, we use expired certs
on our internal test servers -- hence this question.
JMeter only uses the facilities provided by JSSE.
Perhaps there is a property one can set? Might be worth checking the
Sun Java web-site.
Thanks Sebb.

I had a look at the Sun site, especially at this "Default Policy
Implementation and Policy File Syntax" document -- no clues there:

http://java.sun.com/j2se/1.4.2/docs/guide/security/PolicyFiles.html
Post by sebb
If you do find anything (or anyone else knows) please let us know, and
it can be added to the documentation.
I think there isn't an easy property one can set... otherwise Sun
certificate expiry notifications like this would list that as a
workaround?
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57436-1




Is there a way to bypass the CertificateExpiredException in JMeter? (e.g.:
trap the exception, and... umm, ah).

This is a very handy option to have: another Java app (webMethods) we
use has a config option to ignore cert expiry, but it doesn't use JSSE.

Should I create a Bugzilla entry?


Sonam
sebb
2006-04-10 13:17:07 UTC
Post by Sonam Chauhan
Post by sebb
Post by Sonam Chauhan
Can JMeter 2.2.1's SSL engine be set to ignore expired SSL certs?
When JMeter 2.2.1 makes SSL requests to a webserver with an expired SSL
certificate, all SSL connection attempts fail with a Java
CertificateExpiredException (see below). Having an unexpired SSL
certificate on the server fixes the problem. But, we use expired certs
on our internal test servers -- hence this question.
JMeter only uses the facilities provided by JSSE.
Perhaps there is a property one can set? Might be worth checking the
Sun Java web-site.
Thanks Sebb.
I had a look at the Sun site, especially at this "Default Policy
Implementation and Policy File Syntax" document -- no clues there:
http://java.sun.com/j2se/1.4.2/docs/guide/security/PolicyFiles.html
Post by sebb
If you do find anything (or anyone else knows) please let us know, and
it can be added to the documentation.
I think there isn't an easy property one can set... otherwise Sun
certificate expiry notifications like this would list that as a
workaround?
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57436-1
Is there a way to bypass the CertificateExpiredException in JMeter? (e.g.:
trap the exception, and... umm, ah).
This is a very handy option to have: another Java app (webMethods) we
use has a config option to ignore cert expiry, but it doesn't use JSSE.
Should I create a Bugzilla entry?
Yes, good idea, easier to keep track of.
Post by Sonam Chauhan
Sonam
---------------------------------------------------------------------
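
A narrower alternative to trapping the exception, as an added example that is not from the thread or from JMeter: a JSSE trust manager that still validates the chain against the test CA and waives only the validity-date check, using PKIXParameters.setDate. The class name and the trust-store argument are assumptions, the code targets a current JDK rather than the Java 1.4 seen in the trace, and wiring it into JMeter is not shown.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.X509TrustManager;

/** Test-only: full PKIX chain validation, evaluated at a moment when the
 *  presented chain was still in date, so expiry is the only check waived.
 *  Assumption: trustStore holds the CA certificates of the internal test servers. */
public final class ExpiryTolerantTrustManager implements X509TrustManager {
    private final Set<X509Certificate> trusted = new HashSet<>();
    private final Set<TrustAnchor> anchors = new HashSet<>();

    public ExpiryTolerantTrustManager(KeyStore trustStore) throws GeneralSecurityException {
        for (String alias : Collections.list(trustStore.aliases())) {
            Certificate c = trustStore.getCertificate(alias);
            if (trustStore.isCertificateEntry(alias) && c instanceof X509Certificate) {
                trusted.add((X509Certificate) c);
                anchors.add(new TrustAnchor((X509Certificate) c, null));
            }
        }
    }
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("no server certificate");
        List<X509Certificate> path = new ArrayList<>();
        long firstExpiry = Long.MAX_VALUE;
        for (X509Certificate c : chain) {
            if (trusted.contains(c)) break;       // a PKIX path excludes the anchor itself
            path.add(c);
            firstExpiry = Math.min(firstExpiry, c.getNotAfter().getTime());
        }
        if (path.isEmpty()) return;               // the leaf is itself a configured anchor
        try {
            PKIXParameters params = new PKIXParameters(anchors);
            // Validate as of now, or one second before the first expiry if that has passed.
            params.setDate(new Date(Math.min(System.currentTimeMillis(), firstExpiry - 1000)));
            params.setRevocationEnabled(false);   // assumption: the test CA publishes no CRL/OCSP
            CertPath cp = CertificateFactory.getInstance("X.509").generateCertPath(path);
            CertPathValidator.getInstance("PKIX").validate(cp, params);
        } catch (GeneralSecurityException e) {    // bad signature, unknown issuer, not yet valid
            throw new CertificateException("chain rejected for a reason other than expiry", e);
        }
    }
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        throw new CertificateException("client certificates are not accepted");
    }
    @Override
    public X509Certificate[] getAcceptedIssuers() { return trusted.toArray(new X509Certificate[0]); }
}
```

Installed through SSLContext.init, it leaves hostname verification untouched, and a chain with a bad signature or an unknown issuer still fails the handshake.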