jmeter-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Felix Schumacher <felix.schumac...@internetallee.de>
Subject Re: SMTP Sampler and TLSv1.2/CipherSuites
Date Sun, 07 Jun 2015 12:10:09 GMT
Am 07.06.2015 um 11:12 schrieb Rainer Jung:
> Am 06.06.2015 um 17:59 schrieb Felix Schumacher:
>> Hi all,
>>
>> to enable the SMPT Sampler to use a higher TLS version than TLSv1 it
>> seems to be necessary to change the SSLContext.getInstance call in
>> TrustAllSSLSocketFactory from "TLS" to "TLSv1.2".
>
> Any idea why? When I test java HTTP connectivity, then "TLS" is able 
> to connect TLSv1.2 if the JVM is new enough end the server supports 
> it. "TLS" in getInstance() is not very wel documented, but in general 
> seems to support al TLS versions trying to use the newest one 
> supported by both sides.
>
> There's also the possibility to set enabledProtocols() which does not 
> support the string "TLS", but only the explicit protocol versions. But 
> even without setting enabled protocols and just sticking to defaults,I 
> can get a TLSv1.2 (HTTP) connection with Java 8 and e.g. a TLSv1 
> connection with Java 6, both creating the SSLContext via 
> getInstance("TLS").
I have done my tests using java 7. When I repeated them with java 8 
(after I wrote the text below), I got the same results, as you reported. 
So it seems to be a problem with java 7 only.

>
> Is there a public SMTP server which can be used to observe the problem 
> you see?
I have used a docker image (catatnight/postfix) with self signed certs. 
Instead of running it directly, I started a shell with it:

$ docker run -ti -p 587:587  -e maildomain=whatever.local -e smtp_user=user:pwd -v "${PATH_TO_CERTS}":/etc/postfix/certs
catatnight/postfix /bin/bash

Inside the new prompt I used the install.sh script from the docker 
image, so that my keys get used and disabled every protocol except TLSv1.2:

root@abc...:/# /opt/install.sh
# Some message about missing dkim keys (can be ignored)
root@abc...:/# postconf -e 'smtpd_tls_mandatory_protocols=TLSv1.2'
root@abc...:/# service postfix start
# Message that postfix started

In another terminal I used openssl to connect to the server with TLSv1.2 
(success) and TLSv1.2 (no success) using:

$ openssl s_client -tls1_2 -starttls smtp -connect localhost:587
# ...
# ---
# 250 DSN
quit
$ openssl s_client -tls1_1 -starttls smtp -connect localhost:587
# ...
# ---
$

With this setup and the getInstance("TLS") I got no connection, while 
getInstance("TLSv1.2") gave me a connection.

When I start the postfix server in its default configuration (every 
protocol allowed except SSLv2), JMeter is able to make a connection, but 
will use TLSv1 only.

This test was done on ubuntu 14.04 LTS with OpenJDK 1.7.0_79. And after 
I wrote this text I repeated the tests with Oracles java versions 
1.7.0_80, 1.8.0_45 and 1.9.0-ea-b66 where java 8 and 9 successfully 
created a connection with getInstance("TLS") and java 7 did not.

So it seems to be a problem with java 7 and getInstance("TLS") only.

Should we still add a system property to influence the selection of the 
used protocol?

Regards
  Felix
>
> Regards,
>
> Rainer


Mime
View raw message