Posted to user@jmeter.apache.org by Levi Stamper <le...@yahoo.com> on 2002/02/05 01:01:27 UTC

trouble with cert-based authentication

I'm having trouble getting certificate-based user auth
to work with jmeter.

1) JSSE is installed, and appears to function properly
(ver 1.02)
2) keys are in a pkcs12 file, and have a (>6)
character passphrase


I'm trying to hit an apache+modssl web server
(confirmed working with browser).  Here's what apache
says:

attempting to aim jmeter at mod_ssl apache server:

apache ssl_engine_log:


[30/Jan/2002 00:09:31 01613] [info]  Connection to child 5 established (server drake1.netopsgroup.com:443, client 192.168.1.15)
[30/Jan/2002 00:09:31 01613] [info]  Seeding PRNG with 1160 bytes of entropy
[30/Jan/2002 00:09:33 01613] [error] SSL handshake failed (server drake1.netopsgroup.com:443, client 192.168.1.15) (OpenSSL library error follows)
[30/Jan/2002 00:09:33 01613] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]



apache error_log:

[Wed Jan 30 00:14:04 2002] [error] mod_ssl: SSL handshake failed (server drake1.netopsgroup.com:443, client 192.168.1.15) (OpenSSL library error follows)
[Wed Jan 30 00:14:04 2002] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]


apache access_log:

<nothing of interest>




Here's what jmeter is logging on  (stderr?) during all
of this:

jmeter output (tail end of it):

Server write key:
0000: 98 0C 8D 00 B2 E9 5C 19   F4 2F CC 2F A7 0E 1A FD  ......\.././....
... no IV for cipher
Thread-1, WRITE:  SSL v3.1 Change Cipher Spec, length = 1
*** Finished, v3.1
verify_data:  { 232, 248, 93, 191, 6, 2, 82, 176, 4, 167, 168, 147 }
***
[write] MD5 and SHA1 hashes:  len = 16
0000: 14 00 00 0C E8 F8 5D BF   06 02 52 B0 04 A7 A8 93  ......]...R.....
Plaintext before ENCRYPTION:  len = 36
0000: 14 00 00 0C E8 F8 5D BF   06 02 52 B0 04 A7 A8 93  ......]...R.....
0010: 82 DB A9 06 0D F3 12 96   62 1A D0 06 8D DF 32 DD  ........b.....2.
0020: CA 4C D0 70                                        .L.p
Thread-1, WRITE:  SSL v3.1 Handshake, length = 36
java.io.IOException: Broken pipe
	at java.net.SocketOutputStream.socketWrite(Native Method)
	at java.net.SocketOutputStream.write(SocketOutputStream.java:83)
	at com.sun.net.ssl.internal.ssl.OutputRecord.a([DashoPro-V1.2-120198])
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
	at com.sun.net.ssl.internal.ssl.HandshakeOutStream.flush([DashoPro-V1.2-120198])
	at com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec([DashoPro-V1.2-120198])
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.e([DashoPro-V1.2-120198])
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.a([DashoPro-V1.2-120198])
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage([DashoPro-V1.2-120198])
	at com.sun.net.ssl.internal.ssl.Handshaker.process_record([DashoPro-V1.2-120198])
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
	at com.sun.net.ssl.internal.ssl.AppOutputStream.write([DashoPro-V1.2-120198])
	at java.io.OutputStream.write(OutputStream.java:61)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake([DashoPro-V1.2-120198])
	at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.doConnect([DashoPro-V1.2-120198])
	at com.sun.net.ssl.internal.www.protocol.https.NetworkClient.openServer([DashoPro-V1.2-120198])
	at com.sun.net.ssl.internal.www.protocol.https.HttpClient.l([DashoPro-V1.2-120198])
	at com.sun.net.ssl.internal.www.protocol.https.HttpClient.<init>([DashoPro-V1.2-120198])
	at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.<init>([DashoPro-V1.2-120198])
	at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
	at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
	at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect([DashoPro-V1.2-120198])
	at org.apache.jmeter.protocol.http.sampler.HTTPSampler.sample(HTTPSampler.java:437)
	at org.apache.jmeter.protocol.http.sampler.HTTPSampler.sample(HTTPSampler.java:164)
	at org.apache.jmeter.threads.JMeterThread.run(JMeterThread.java:275)
	at java.lang.Thread.run(Thread.java:484)




-----------------------

I really hope it's something stupid that I'm
missing...please help if you can.

Regards,

LS







--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: trouble with cert-based authentication

Posted by Berin Loritsch <bl...@apache.org>.
Levi Stamper wrote:

> I'm having trouble getting certificate-based user auth
> to work with jmeter.


Since I wrote that, I will try to help you.  If the site is
simple, Cert-based testing works.  I have found some instances
where no matter what I do, I can't get JMeter to authenticate.

That said, I want to check a few things:

1) Is the server CA certificate installed where JMeter can
    see it?  Typically I add it to a jssecacerts keystore
    stored in ${java.home}/jre/lib/security/jssecacerts.

2) It could be the PKCS12 file is not formatted in a way
    that JSSE likes.  Try importing it to Netscape, and
    re-exporting it again.  This way Netscape formats it
    in a way that JSSE likes.

3) It could be that JSSE does not like the CA certificate.
    I have run into issues where one of the attributes on
    the Server Cert chain or the PKCS12 file will cause
    authentication negotiations to fail.

Do work through the suggestions on the Sun site:

http://java.sun.com/products/jsse/doc/guide/API_users_guide.html#Troubleshooting


It will help you if you enable the following option when you
run Certificate based authentication:

-Djavax.net.debug=all

You will see 20-30 pages of information that covers all aspects of
the authentication negotiation.  Many times it will give you a better
view of why it is not working.





-- 

"They that give up essential liberty to obtain a little temporary safety
  deserve neither liberty nor safety."
                 - Benjamin Franklin
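
Added example, not part of the original thread and not JMeter's own code: a stand-alone check for the PKCS12 points raised in the reply above. It loads the client keystore the way JSSE does, lists the key entries and their chain, and asks the JSSE key manager which alias it would present for a given CA name. It assumes a current JDK (javax.net.ssl, not the JSSE 1.0.2 com.sun.net.ssl API); the class name ClientCertCheck and its arguments are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.x500.X500Principal;

// Hypothetical helper: java ClientCertCheck <client.p12> <passphrase> [CA DN requested by the server]
public class ClientCertCheck {
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: ClientCertCheck <file.p12> <passphrase> [issuer DN]");
            System.exit(2);
        }
        char[] pass = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, pass); // throws IOException if JSSE cannot parse the file or the passphrase is wrong
        }
        int keyEntries = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue; // certificate-only entries cannot authenticate a client
            keyEntries++;
            Certificate[] chain = ks.getCertificateChain(alias);
            System.out.println("key entry: " + alias);
            for (Certificate c : chain == null ? new Certificate[0] : chain) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  subject=" + x.getSubjectX500Principal().getName()
                        + "  issuer=" + x.getIssuerX500Principal().getName());
            }
        }
        if (keyEntries == 0) {
            System.out.println("no private key entry: the client has nothing to present");
            return;
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pass);
        // A null issuer list means "any CA"; otherwise only chains leading to the named CA match.
        Principal[] issuers = args.length > 2 ? new Principal[] { new X500Principal(args[2]) } : null;
        for (KeyManager km : kmf.getKeyManagers()) {
            if (!(km instanceof X509KeyManager)) continue;
            String alias = ((X509KeyManager) km).chooseClientAlias(new String[] { "RSA", "DSA", "EC" }, issuers, null);
            System.out.println(alias == null ? "no matching key: the client would send no certificate"
                    : "would present alias: " + alias);
        }
    }
}
```

The CA names a server asks for appear in the CertificateRequest section of the -Djavax.net.debug=all output; passing one of them as the third argument shows whether the keystore can satisfy that request.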

