The HTTP Sampler does not check the server certificate during the TLS handshake. This behavior opens the connection to man-in-the-middle attacks. While this behavior is acceptable for test scenarios where security is not a concern, it can become a serious problem in a productive environment; e.g. if JMeter is used for performance monitoring of a web application. Can you add a switch (checkbox or jmeter property) that allows enabling certificate checks? Best regards, @
JMeter was deliberately coded to ignore SSL certificate checks (and host names) so as to allow testing more sites.

JMeter is not intended for use as part of a production system, though of course it can be used to test production systems. So security is not really a concern.

Having said that, it might well be useful to enable stricter SSL checking. There are various ways that this could be implemented.

There are several checks that can be implemented:
- hostname
- certificate chain
- expiry date
- certificate type

There are also at least two ways to handle checks that fail:
- log a warning
- fail the sample with an error
(In reply to Sebb from comment #1)
> JMeter is not intended for use as part of a production system, though of
> course it can be used to test production systems. So security is not really
> a concern.

This is what we do. We use JMeter to monitor productive servers. However, for various reasons the host running JMeter and the monitored servers aren't connected to the same LAN. So network security is a concern.

> There are several checks that can be implemented:
> - hostname
> - certificate chain
> - expiry date
> - certificate type

All of them should be done. I hope Java offers library functions to perform this task, so the checks won't need to be implemented by JMeter itself.

> There are also at least two ways to handle checks that fail:
> - log a warning

This can be useful for debugging in a non-critical environment.

> - fail the sample with an error

To obtain security, in case of an invalid certificate the connection must be shut down before any HTTP data (e.g. session cookie, login credentials) is transmitted.
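The four checks listed in comment #1 (certificate chain, hostname, expiry date, certificate type) and the "fail the sample" handling asked for in comment #2, as an added example that is not part of this thread or of JMeter's code. JMeter is written in Java; this example is in Go because its standard library can build the test certificates in-process, so the whole thing runs offline against a loopback listener. The host names monitored.example and other.example, the three certificates and the scenario labels are constructed for the demo. The strict client is just RootCAs plus ServerName, which makes the library run all four checks inside the handshake; the permissive client (InsecureSkipVerify) is the "trust everything" behaviour the thread describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a self-signed cert in-process (constructed test data) and adds it to pool.
func makeCert(pool *x509.CertPool, dnsName string, notAfter time.Time, usage x509.ExtKeyUsage) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{dnsName}, NotBefore: notAfter.Add(-48 * time.Hour),
		NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{usage},
		BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// handshake serves cert once on a loopback listener and returns the error the
// client saw; a non-nil error was raised before any HTTP byte could be sent.
func handshake(cert tls.Certificate, cfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake() // a rejected certificate surfaces as the client's error
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return err
	}
	conn.Close()
	return nil
}

// classify names the failed check from the error types crypto/x509 returns.
func classify(err error) string {
	var unknown x509.UnknownAuthorityError
	var host x509.HostnameError
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknown):
		return "untrusted chain"
	case errors.As(err, &host):
		return "hostname mismatch"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired"
	case errors.As(err, &invalid) && invalid.Reason == x509.IncompatibleUsage:
		return "wrong certificate type"
	}
	return "other: " + err.Error()
}

// runScenarios runs each check with a strict client (RootCAs + ServerName makes Go
// verify chain, host name, expiry and key usage inside the handshake), then permissively.
func runScenarios() map[string]string {
	const host = "monitored.example" // assumed host name
	now, trusted := time.Now(), x509.NewCertPool()
	good := makeCert(trusted, host, now.Add(24*time.Hour), x509.ExtKeyUsageServerAuth)
	expired := makeCert(trusted, host, now.Add(-time.Hour), x509.ExtKeyUsageServerAuth)
	clientOnly := makeCert(trusted, host, now.Add(24*time.Hour), x509.ExtKeyUsageClientAuth)
	r := map[string]string{}
	r["good"] = classify(handshake(good, &tls.Config{RootCAs: trusted, ServerName: host}))
	r["untrusted"] = classify(handshake(good, &tls.Config{RootCAs: x509.NewCertPool(), ServerName: host}))
	r["wrong host"] = classify(handshake(good, &tls.Config{RootCAs: trusted, ServerName: "other.example"}))
	r["expired"] = classify(handshake(expired, &tls.Config{RootCAs: trusted, ServerName: host}))
	r["wrong type"] = classify(handshake(clientOnly, &tls.Config{RootCAs: trusted, ServerName: host}))
	r["permissive expired"] = classify(handshake(expired, &tls.Config{InsecureSkipVerify: true})) // trust everything
	return r
}

func main() {
	for name, result := range runScenarios() {
		fmt.Printf("%-20s %s\n", name, result)
	}
}
```

Each strict scenario fails inside tls.Dial, so the sampler never gets a connection to write a request (or a cookie) to, which is the property comment #2 asks for. The "log a warning" alternative from comment #1 would be built on the same calls: set InsecureSkipVerify, run x509.Certificate.Verify with the same RootCAs, DNSName and key usage from a VerifyConnection callback, and record the error instead of returning it; the sample then proceeds but carries the warning.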
This issue has been migrated to GitHub: https://github.com/apache/jmeter/issues/3564