Bug 57935 - SSL SNI extension not supported by HttpClient 4.2.6
Summary: SSL SNI extension not supported by HttpClient 4.2.6
Status: RESOLVED FIXED
Alias: None
Product: JMeter
Classification: Unclassified
Component: HTTP
Version: 2.13
Hardware: PC Linux
Importance: P2 major with 1 vote
Target Milestone: ---
Assignee: JMeter issues mailing list
Reported: 2015-05-19 07:25 UTC by Jerome
Modified: 2016-02-23 18:46 UTC

Attachments
JMX to reproduce the issue (4.78 KB, application/xml)
2015-05-19 07:25 UTC, Jerome
Test plan to reproduce issue (4.75 KB, application/xml)
2015-12-23 13:31 UTC, Philippe Mouawad

Description Jerome 2015-05-19 07:25:23 UTC
Created attachment 32743
JMX to reproduce the issue

I was undergoing tests on our AWS platform and JMeter was failing to query HTTPS CloudFront URLs. The following exception happens when executing an HTTP Sampler with the HC4 implementation:

> javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
>	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>	at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
>	at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2011)
>	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1113)
>	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
...

After investigating more about this issue, I found out the bug is related to the Server Name Extension.

HTTPClient 4.2.x sends the following handshake:

> Thread Group 1-1, WRITE: TLSv1.2 Handshake, length = 207
> Thread Group 1-1, READ: TLSv1.2 Alert, length = 2
> Thread Group 1-1, RECV TLSv1.2 ALERT:  fatal, handshake_failure
> Thread Group 1-1, called closeSocket()
> Thread Group 1-1, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

HTTPClient 3.1, which works fine, sends the following handshake:

> Extension server_name, server_name: [type=host_name (0), value=d1lto7any9tcj3.cloudfront.net]
> ***
> Thread Group 1-1, WRITE: TLSv1.2 Handshake, length = 245
> Thread Group 1-1, READ: TLSv1.2 Handshake, length = 61
> *** ServerHello, TLSv1.2

The current version of JMeter's HttpClient (4.2.6) has a major SSL issue: it does not support SSL Server Name Extension (SNI):
https://issues.apache.org/jira/browse/HTTPCLIENT-1119

As HTTPClient 3.1 will be discontinued and usage is discouraged, we should upgrade HTTPClient to the latest version to benefit from bug fixes and improvements.
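
Added example (not part of the original report and not JMeter or HttpClient code): a Python check that parses a ClientHello for the server_name extension, the field missing from the failing handshake above. Encoding the extension for the host name in the log gives 38 bytes, which is consistent with the difference between the two handshake lengths quoted (245 vs 207). The ClientHello bytes are constructed sample data and the function names are hypothetical.

```python
import struct

HOST = "d1lto7any9tcj3.cloudfront.net"            # host name from the debug log above
EC_POINT_FORMATS = bytes.fromhex("000b00020100")  # constructed non-SNI extension

def u(b: bytes) -> int:
    return int.from_bytes(b, "big")

def sni_extension(host: str) -> bytes:
    """Encode a server_name extension (RFC 6066) carrying one host_name."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
    names = struct.pack("!H", len(entry)) + entry          # ServerNameList
    return struct.pack("!HH", 0, len(names)) + names       # extension_type 0

def client_hello(extensions: bytes) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello handshake message (no record header)."""
    body = b"\x03\x03" + bytes(32)        # client_version, 32-byte random (zeros)
    body += b"\x00"                        # empty session_id
    body += b"\x00\x02\xc0\x2f"            # one cipher suite
    body += b"\x01\x00"                    # null compression only
    body += struct.pack("!H", len(extensions)) + extensions
    return b"\x01" + len(body).to_bytes(3, "big") + body

def find_sni(hello: bytes):
    """Return the host_name a ClientHello advertises, or None if it sends no SNI."""
    if len(hello) < 4 or hello[0] != 1 or 4 + u(hello[1:4]) > len(hello):
        raise ValueError("not a complete ClientHello")
    msg = hello[:4 + u(hello[1:4])]
    pos = 4 + 2 + 32                       # header, client_version, random
    pos += 1 + u(msg[pos:pos + 1])         # session_id
    pos += 2 + u(msg[pos:pos + 2])         # cipher_suites
    pos += 1 + u(msg[pos:pos + 1])         # compression_methods
    end = pos + 2 + u(msg[pos:pos + 2])    # end of the extensions block
    pos += 2
    while pos + 4 <= min(end, len(msg)):
        ext_type, ext_len = struct.unpack("!HH", msg[pos:pos + 4])
        data = msg[pos + 4:pos + 4 + ext_len]
        if ext_type == 0 and len(data) >= 5 and data[2] == 0:
            return data[5:5 + u(data[3:5])].decode("ascii")
        pos += 4 + ext_len
    return None

without_sni = client_hello(EC_POINT_FORMATS)                    # like the failing client
with_sni = client_hello(sni_extension(HOST) + EC_POINT_FORMATS)  # like the working client
```
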
Comment 1 William L 2015-06-12 05:23:25 UTC
+1 for this issue.

This is also related to #57319.

When trying to verify SNI handling behaviours in a proxy it would be better to be able to use supported versions than something that is approaching EOL.
Comment 2 Philippe Mouawad 2015-12-23 13:31:04 UTC
Created attachment 33372
Test plan to reproduce issue
Comment 3 Philippe Mouawad 2016-02-17 10:55:58 UTC
Author: 	pmouawad
Date: 	Wed Feb 17 10:47:40 2016 UTC (4 minutes, 21 seconds ago)
New revision : 1730810

URL : http://svn.apache.org/viewvc?view=revision&revision=1730810
Changed paths: 	3
Log Message: 	

Bug 57935 - SSL SNI extension not supported by HttpClient 4.2.6
Bugzilla Id: 57935

Added:
jmeter/trunk/src/protocol/http/org/apache/jmeter/protocol/http/sampler/JMeterClientConnectionOperator.java

Modified:
jmeter/trunk/src/protocol/http/org/apache/jmeter/protocol/http/sampler/MeasuringConnectionManager.java
jmeter/trunk/xdocs/changes.xml
Comment 4 Philippe Mouawad 2016-02-17 10:58:28 UTC
Hi reporter, commenters,
The issue is fixed in the nightly build (available tomorrow); your feedback is welcome.
Thanks
Comment 5 Jerome 2016-02-23 18:46:12 UTC
Hi Philippe,

Thanks for the fix, I tested Build #4986 and it works fine.

Best regards,
Jerome Loisel