Bug 57717 - make HTTP sampler to check certificate on SSL/TLS connections
Summary: make HTTP sampler to check certificate on SSL/TLS connections
Status: NEW
Alias: None
Product: JMeter
Classification: Unclassified
Component: HTTP
Version: 2.12
Hardware: All
OS: All
Importance: P2 enhancement
Target Milestone: ---
Assignee: JMeter issues mailing list
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-03-16 21:01 UTC by ateles.belzebuth.hybridus+apache
Modified: 2015-03-17 22:11 UTC
Description ateles.belzebuth.hybridus+apache 2015-03-16 21:01:15 UTC
The HTTP Sampler does not check the server certificate during the TLS handshake. This behavior opens the connection to man-in-the-middle attacks. While this behavior is acceptable for test scenarios where security is not a concern, it can become a serious problem in a productive environment; e.g. if JMeter is used for performance monitoring of a web application.
Can you add a switch (checkbox or jmeter property) that allows enabling certificate checks?

Best regards, @
Comment 1 Sebb 2015-03-17 01:39:49 UTC
JMeter was deliberately coded to ignore SSL certificate checks (and host names) so as to allow testing more sites.

JMeter is not intended for use as part of a production system, though of course it can be used to test production systems. So security is not really a concern.

Having said that, it might well be useful to enable stricter SSL checking. There are various ways that this could be implemented.

There are several checks that can be implemented:
- hostname
- certificate chain
- expiry date
- certificate type

There are also at least two ways to handle checks that fail:
- log a warning
- fail the sample with an error
Comment 2 ateles.belzebuth.hybridus+apache 2015-03-17 22:11:45 UTC
(In reply to Sebb from comment #1)

> JMeter is not intended for use as part of a production system, though of
> course it can be used to test production systems. So security is not really
> a concern.

This is what we do. We use JMeter to monitor productive servers. However, for various reasons the host running JMeter and the monitored servers aren't connected to the same LAN. So network security is a concern.

> There are several checks that can be implemented:
> - hostname
> - certificate chain
> - expiry date
> - certificate type

All of them should be done. I hope Java offers library functions to perform this task, so the checks won't need to be implemented by JMeter itself.

> There are also at least two ways to handle checks that fail:
> - log a warning

This can be useful for debugging in a non-critical environment.

> - fail the sample with an error

To obtain security, in case of an invalid certificate the connection must be shut down before any HTTP data (e.g. session cookie, login credentials) is transmitted.
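As an added example (not code from this bug report or from JMeter itself), the following plain-JSSE sketch shows how the checks listed in comment 1 (hostname, chain, expiry; the authType that carries the certificate/key-exchange type is logged) and the two failure policies (warn vs. fail) can be built on library functions alone, which is the question raised in comment 2. The class and method names (CertCheckPolicy, PolicyTrustManager, FailurePolicy, buildContext, connect) are hypothetical. The JDK's default PKIX trust manager does the validation; the wrapper only decides what happens on failure.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.logging.Logger;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;

/** Hypothetical helper (not JMeter code): strict certificate checks with a selectable failure policy. */
public class CertCheckPolicy {
    private static final Logger LOG = Logger.getLogger(CertCheckPolicy.class.getName());

    /** The two reactions to a failed check named in the discussion. */
    public enum FailurePolicy { WARN_ONLY, FAIL_SAMPLE }

    /**
     * Delegates to the JDK's PKIX trust manager, which checks the chain against the trust store,
     * the validity period (expiry) and, if the socket requests endpoint identification, the hostname.
     * Extending X509ExtendedTrustManager matters: only then does JSSE hand us the socket-aware call
     * in which the hostname check happens, so a mismatch can be downgraded to a warning too.
     */
    static final class PolicyTrustManager extends X509ExtendedTrustManager {
        private final X509ExtendedTrustManager delegate;
        private final FailurePolicy policy;

        PolicyTrustManager(X509ExtendedTrustManager delegate, FailurePolicy policy) {
            this.delegate = delegate;
            this.policy = policy;
        }

        private void react(CertificateException e, X509Certificate[] chain, String authType)
                throws CertificateException {
            if (policy == FailurePolicy.FAIL_SAMPLE) {
                throw e; // aborts the handshake, so no HTTP bytes (cookies, credentials) are sent
            }
            LOG.warning("server certificate rejected, connection allowed: " + e.getMessage()
                    + " [subject=" + chain[0].getSubjectX500Principal()
                    + ", notAfter=" + chain[0].getNotAfter() + ", authType=" + authType + "]");
        }

        @Override public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
                throws CertificateException {
            try { delegate.checkServerTrusted(chain, authType, socket); }
            catch (CertificateException e) { react(e, chain, authType); }
        }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
                throws CertificateException {
            try { delegate.checkServerTrusted(chain, authType, engine); }
            catch (CertificateException e) { react(e, chain, authType); }
        }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            try { delegate.checkServerTrusted(chain, authType); }
            catch (CertificateException e) { react(e, chain, authType); }
        }
        // Client-certificate checks are not the subject here; pass them through unchanged.
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
                throws CertificateException { delegate.checkClientTrusted(chain, authType, socket); }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
                throws CertificateException { delegate.checkClientTrusted(chain, authType, engine); }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException { delegate.checkClientTrusted(chain, authType); }
        @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    /** The JDK's default trust manager, backed by cacerts or -Djavax.net.ssl.trustStore. */
    static X509ExtendedTrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509ExtendedTrustManager) {
                return (X509ExtendedTrustManager) tm;
            }
        }
        throw new IllegalStateException("default provider offers no X509ExtendedTrustManager");
    }

    static SSLContext buildContext(FailurePolicy policy) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PolicyTrustManager(defaultTrustManager(), policy) }, null);
        return ctx;
    }

    /** Connects and completes the handshake; "HTTPS" enables RFC 2818 hostname matching. */
    static SSLSocket connect(SSLContext ctx, String host, int port) throws Exception {
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        socket.startHandshake(); // under FAIL_SAMPLE an invalid certificate throws here
        return socket;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "localhost";
        FailurePolicy policy = FailurePolicy.valueOf(args.length > 1 ? args[1] : "FAIL_SAMPLE");
        try (SSLSocket s = connect(buildContext(policy), host, 443)) {
            System.out.println("handshake ok with " + s.getSession().getPeerPrincipal());
        }
    }
}
```

Run as `java CertCheckPolicy <host> FAIL_SAMPLE` or `... WARN_ONLY`. With FAIL_SAMPLE the handshake itself is what fails, which is exactly the property asked for in comment 2: the TLS layer never reaches the point where request data is written. The same SSLContext (or the PolicyTrustManager inside it) can be handed to whatever HTTP client the sampler uses; that wiring is not shown here.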