Posted to dev@jmeter.apache.org by Milamber <mi...@apache.org> on 2012/08/25 16:22:14 UTC

For the next release

Hello,

For the next release, I propose:

a) Since JMeter 2.4 and the capability to record HTTPS requests with the 
JMeter proxy, I propose to remove the options "Attempt HTTPS Spoofing" 
and "Only spoof URLS matching" on the HTTP Proxy Server element.

b1) Renew the JMeter self-certificate (current expiry date is 2014-08-04) 
for a long period (20 years).
b2) Extract the Apache JMeter public (fake) key from the file 
proxyserver.jks to PEM format, in a file "proxyserver.pem".
b3) Add some sentences to the proxy documentation to invite the user to 
add this public key as a trusted CA in their browser or OS's certificate 
manager to permit the recording of an HTTPS session with the JMeter proxy 
(and remove it at the end of the recording). (Or temporarily accept the 
certificate from the browser.)

c) Make HTTPClient 3.1 the default HTTP Request (and Proxy generated 
request).

If you are OK, I can make the changes for these points.

Thanks in advance for your feedback or your agreement.

Milamber

Re: For the next release

Posted by Philippe Mouawad <ph...@gmail.com>.
Oops, hello Milamber :)

On Saturday, August 25, 2012, Philippe Mouawad wrote:

> Hello sebb,
> I agree with all your propositions; it's true we always have these kinds of
> questions on the user list.
> But maybe we should test that a) does not break existing test plans that
> may have saved the proxy under testfragment (a hack, but possible).
> Regards
> Philippe
>
> On Saturday, August 25, 2012, Milamber wrote:
>
>> Hello,
>>
>> For the next release, I propose:
>>
>> a) Since JMeter 2.4 and the capability to record HTTPS requests with the
>> JMeter proxy, I propose to remove the options "Attempt HTTPS Spoofing" and
>> "Only spoof URLS matching" on the HTTP Proxy Server element.
>>
>> b1) Renew the JMeter self-certificate (current expiry date is 2014-08-04)
>> for a long period (20 years).
>> b2) Extract the Apache JMeter public (fake) key from the file
>> proxyserver.jks to PEM format, in a file "proxyserver.pem".
>> b3) Add some sentences to the proxy documentation to invite the user to
>> add this public key as a trusted CA in their browser or OS's certificate
>> manager to permit the recording of an HTTPS session with the JMeter proxy
>> (and remove it at the end of the recording). (Or temporarily accept the
>> certificate from the browser.)
>>
>> c) Make HTTPClient 3.1 the default HTTP Request (and Proxy generated
>> request).
>>
>> If you are OK, I can make the changes for these points.
>>
>> Thanks in advance for your feedback or your agreement.
>>
>> Milamber
>>
>
>
> --
> Regards.
> Philippe Mouawad.
>
>
>
>

-- 
Regards.
Philippe Mouawad.

Re: For the next release

Posted by Philippe Mouawad <ph...@gmail.com>.
Hello sebb,
I agree with all your propositions; it's true we always have these kinds of
questions on the user list.
But maybe we should test that a) does not break existing test plans that
may have saved the proxy under testfragment (a hack, but possible).
Regards
Philippe

On Saturday, August 25, 2012, Milamber wrote:

> Hello,
>
> For the next release, I propose:
>
> a) Since JMeter 2.4 and the capability to record HTTPS requests with the
> JMeter proxy, I propose to remove the options "Attempt HTTPS Spoofing" and
> "Only spoof URLS matching" on the HTTP Proxy Server element.
>
> b1) Renew the JMeter self-certificate (current expiry date is 2014-08-04)
> for a long period (20 years).
> b2) Extract the Apache JMeter public (fake) key from the file
> proxyserver.jks to PEM format, in a file "proxyserver.pem".
> b3) Add some sentences to the proxy documentation to invite the user to
> add this public key as a trusted CA in their browser or OS's certificate
> manager to permit the recording of an HTTPS session with the JMeter proxy
> (and remove it at the end of the recording). (Or temporarily accept the
> certificate from the browser.)
>
> c) Make HTTPClient 3.1 the default HTTP Request (and Proxy generated
> request).
>
> If you are OK, I can make the changes for these points.
>
> Thanks in advance for your feedback or your agreement.
>
> Milamber
>


-- 
Regards.
Philippe Mouawad.

Re: For the next release

Posted by Milamber <mi...@apache.org>.

On 28/08/2012 20:33, Oleg Kalnichevski wrote:
> On Tue, 2012-08-28 at 15:26 +0100, sebb wrote:
>> On 25 August 2012 15:22, Milamber <mi...@apache.org> wrote:
> ...
>
>>> c) Make HTTPClient 3.1 the default HTTP Request (and Proxy generated
>>> request).
>> Why not default to HC4 ?
>>
>> HC3.1 is end-of-line and won't be developed further.
>>
>> If we don't feel we are ready to make HC4 the default, I think it
>> should be left unchanged.
>>
> I can't think of any reason at this point why one should continue using
> HC 3.1 instead of HC 4.2. Let HC 3.1 finally rest in peace.

Done. Now (and for the next release, 2.8) HC 4 is the default HTTP 
implementation in Apache JMeter.

Milamber

>
> Oleg
>
>
>


Re: For the next release

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Tue, 2012-08-28 at 15:26 +0100, sebb wrote:
> On 25 August 2012 15:22, Milamber <mi...@apache.org> wrote:

...

> > c) Make HTTPClient 3.1 the default HTTP Request (and Proxy generated
> > request).
> 
> Why not default to HC4 ?
> 
> HC3.1 is end-of-line and won't be developed further.
> 
> If we don't feel we are ready to make HC4 the default, I think it
> should be left unchanged.
> 

I can't think of any reason at this point why one should continue using
HC 3.1 instead of HC 4.2. Let HC 3.1 finally rest in peace.

Oleg



Re: For the next release

Posted by Milamber <mi...@apache.org>.

On 28/08/2012 15:26, sebb wrote:
> On 25 August 2012 15:22, Milamber <mi...@apache.org> wrote:
>> Hello,
>>
>> For the next release, I propose:
>>
>> a) Since JMeter 2.4 and the capability to record HTTPS requests with the
>> JMeter proxy, I propose to remove the options "Attempt HTTPS Spoofing" and
>> "Only spoof URLS matching" on the HTTP Proxy Server element.
> OK.
>
>> b1) Renew the JMeter self-certificate (current expiry date is 2014-08-04)
>> for a long period (20 years).
> Not so sure about that; it was deliberately chosen to expire so it
> could not be forgotten.

OK, no changes.

>
>> b2) Extract the Apache JMeter public (fake) key from the file
>> proxyserver.jks to PEM format, in a file "proxyserver.pem".
> OK
>
>> b3) Add some sentences to the proxy documentation to invite the user to add
>> this public key as a trusted CA in their browser or OS's certificate manager
>> to permit the recording of an HTTPS session with the JMeter proxy (and remove
>> it at the end of the recording).
> I think that is a bad idea.
> The fake key should never be added as trusted.
> Far too easy for it to be accidentally left enabled.

In fact, even if we add the fake JMeter public key to your trusted CAs, 
we get a warning because there is a mismatch between the site name 
and the common name of the certificate.

Thus, the points b2 and b3 are no longer necessary.

>
>> (Or temporarily accept the certificate from the browser.)
> OK.
>
>> c) Make HTTPClient 3.1 the default HTTP Request (and Proxy generated
>> request).
> Why not default to HC4 ?

For a progressive transition.
But I agree to make HC4 the default (HTTP request and cookie impl 
too), if everybody is OK?

>
> HC3.1 is end-of-line and won't be developed further.

Perhaps in 2-3 JMeter versions (for example, the next major X.0 version), 
we can remove the Java and HC3 impl (request/cookie) to focus on HC4.

>
> If we don't feel we are ready to make HC4 the default, I think it
> should be left unchanged.
>
>> If you are OK, I can make the changes for these points.
> It would be easier to track these as separate Bugzilla issues.

I will put the tickets on Bugzilla:
1) remove HTTPS spoofing and filter
2) change the default implementation of HTTP request to HC4 (if OK)

Milamber

>
>> Thanks in advance for your feedback or your agreement.
>>
>> Milamber


Re: For the next release

Posted by sebb <se...@gmail.com>.
On 25 August 2012 15:22, Milamber <mi...@apache.org> wrote:
> Hello,
>
> For the next release, I propose:
>
> a) Since JMeter 2.4 and the capability to record HTTPS requests with the
> JMeter proxy, I propose to remove the options "Attempt HTTPS Spoofing" and
> "Only spoof URLS matching" on the HTTP Proxy Server element.

OK.

> b1) Renew the JMeter self-certificate (current expiry date is 2014-08-04)
> for a long period (20 years).

Not so sure about that; it was deliberately chosen to expire so it
could not be forgotten.

> b2) Extract the Apache JMeter public (fake) key from the file
> proxyserver.jks to PEM format, in a file "proxyserver.pem".

OK

> b3) Add some sentences to the proxy documentation to invite the user to add
> this public key as a trusted CA in their browser or OS's certificate manager
> to permit the recording of an HTTPS session with the JMeter proxy (and remove
> it at the end of the recording).

I think that is a bad idea.
The fake key should never be added as trusted.
Far too easy for it to be accidentally left enabled.

> (Or temporarily accept the certificate from the browser.)

OK.

> c) Make HTTPClient 3.1 the default HTTP Request (and Proxy generated
> request).

Why not default to HC4 ?

HC3.1 is end-of-line and won't be developed further.

If we don't feel we are ready to make HC4 the default, I think it
should be left unchanged.

> If you are OK, I can make the changes for these points.

It would be easier to track these as separate Bugzilla issues.

> Thanks in advance for your feedback or your agreement.
>
> Milamber