57717 – make HTTP sampler to check certificate on SSL/TLS connections

Bug 57717 - make HTTP sampler to check certificate on SSL/TLS connections

Summary: make HTTP sampler to check certificate on SSL/TLS connections

Status:	NEW

Alias:	None

Product:	JMeter - Now in Github
Classification:	Unclassified
Component:	HTTP (show other bugs)
Version:	2.12
Hardware:	All All

Importance:	P2 enhancement (vote)
Target Milestone:	---
Assignee:	JMeter issues mailing list

URL:
Keywords:

Depends on:
Blocks:

Reported:	2015-03-16 21:01 UTC by ateles.belzebuth.hybridus+apache
Modified:	2015-03-17 22:11 UTC (History)
CC List:	0 users

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description ateles.belzebuth.hybridus+apache 2015-03-16 21:01:15 UTC

The HTTP Sampler does not check the server certificate during the TLS handshake. This behavior opens the connection to man-in-the-middle attacks. While this behavior is acceptable for test scenarios where security is not a concern, it can become a serious problem in a productive environment; e.g. if JMeter is used for performance monitoring of a web application.
Can you add a switch (checkbox or jmeter property) that allows enabling certificate checks?

Best regards, @

Comment 1 Sebb 2015-03-17 01:39:49 UTC

JMeter was deliberately coded to ignore SSL certificate checks (and host names) so as to allow testing more sites.

JMeter is not intended for use as part of a production system, though of course it can be used to test production systems. So security is not really a concern.

Having said that, it might well be useful to enable stricter SSL checking. There are various ways that this could be implemented.

There are several checks that can be implemented:
- hostname
- certificate chain
- expiry date
- certificate type

There are also at least two ways to handle checks that fail:
- log a warning
- fail the sample with an error

Comment 2 ateles.belzebuth.hybridus+apache 2015-03-17 22:11:45 UTC

(In reply to Sebb from comment #1)

> JMeter is not intended for use as part of a production system, though of
> course it can be used to test production systems. So security is not really
> a concern.

This is what we do. We use JMeter to monitor productive servers. However, for various reasons the host running JMeter and the monitored servers aren't connected to the same LAN. So network security is a concern.

> There are several checks that can be implemented:
> - hostname
> - certificate chain
> - expiry date
> - certificate type

All of them should be done. I hope Java offers library functions to perform this task, so the checks won't need to be implemented by JMeter itself.

> There are also at least two ways to handle checks that fail:
> - log a warning

This can be usefuly for debugging in a non-critical environment.

> - fail the sample with an error

To obtain security, in case of an invalid certificate the connection must be shut down before any HTTP data (e.g. session cookie, login credentials) is transmitted.

Comment 3 The ASF infrastructure team 2022-09-24 20:37:59 UTC

This issue has been migrated to GitHub: https://github.com/apache/jmeter/issues/3564