
ssl client certs #63

Closed

ghost opened this issue Sep 8, 2014 · 47 comments

Comments

ghost commented Sep 8, 2014

I wondered if you'd ever thought of supporting ssl client certs?

tsenart (Owner) commented Sep 8, 2014

What is the exact use case?

ghost (Author) commented Sep 8, 2014

At the BBC we have a number of web services using SSL encryption (HTTPS) which the client can only communicate through with an SSL cert. JMeter and Tsung support such certification, but I am looking for a tool where I can write tests as code (not XML). I don't know enough about Go to add it in myself, but I intend to learn Go as I eventually want to contribute to an OS load-test tool.

tsenart (Owner) commented Sep 8, 2014

This functionality can be added relatively easily. I'll try to find the time to do it soon.

ghost (Author) commented Sep 8, 2014

Many Thanks.

tsenart closed this as completed in 370ee61 Sep 9, 2014

tsenart (Owner) commented Sep 9, 2014

@AidyLewis: Please download the latest release and let me know if it solves your problem.

ghost (Author) commented Sep 9, 2014

Tested an endpoint without a cert and I received a handshake failure in the results.
Tried a P12, which gave a bad cert.
Converted p12 => pem with this command:

    $ openssl pkcs12 -nodes -in cert.p12 -out cert.pem

Again, I received a handshake failure.

Using:

    $ vegeta attack -duration=10s -rate=10 -targets=targets.txt -output=results.bin -cert=dev-cert.pem

I will try another .pem.

@AidyLewis

tsenart (Owner) commented Sep 9, 2014

Please include the inputs and outputs of your test runs. I suggest you run it as such:

    echo "GET https://$HOSTNAME:$PORT" | vegeta attack -cert="$CERT" -duration=1s -rate=10 | tee results.bin | vegeta report

ghost (Author) commented Sep 9, 2014

Hi,

I've attempted every conceivable way of converting a p12 to pem.

    echo "GET https://api.stage.bbc.co.uk/locator/locations?order=importance&s=NW9%207NT&a=true" | vegeta attack -cert="dev-cert.pem" -duration=1s -rate=10 | tee results.bin | vegeta report
    2014/09/09 17:30:56 Vegeta is attacking 1 targets in random order for 1s...
    2014/09/09 17:30:57 Done! Writing results to 'stdout'...
    Requests [total] 10
    Duration [total] 899.647219ms
    Latencies [mean, 50, 95, 99, max] 107.159577ms, 20.537454ms, 280.954271ms, 280.954271ms, 382.503234ms
    Bytes In [total, mean] 0, 0.00
    Bytes Out [total, mean] 0, 0.00
    Success [ratio] 0.00%
    Status Codes [code:count] 0:10
    Error Set:
    Get https://api.stage.bbc.co.uk/locator/locations?order=importance&s=NW9%207NT&a=true: remote error: handshake failure

tsenart (Owner) commented Sep 9, 2014

I am no expert in openssl, but have you converted the certificate with the following?

    openssl pkcs12 -in cert.p12 -passin pass:password -out cert.pem

I presume you are able to connect to your server with openssl directly. Is that the case?

ghost (Author) commented Sep 15, 2014

I have not forgotten about this; I'll re-attempt it this afternoon.

ghost (Author) commented Sep 15, 2014

Hi,

I have managed to curl the dev svn repo, which uses ssl:

    curl --cert dev-cert.pem --cacert ca.pem https://repo.dev.bbc.co.uk/load-test-team/cloud-load-test/trunk/bake-scripts/set-up

But I am still unable to use the vegeta cert switch:

    echo "GET https://repo.dev.bbc.co.uk/load-test-team/cloud-load-test/trunk/bake-scripts/set-up" | vegeta attack -cert="dev-cert.pem" -duration=1s -rate=10 | tee results.bin | vegeta report

    ....
    Error Set:
    Get https://repo.dev.bbc.co.uk/load-test-team/cloud-load-test/trunk/bake-scripts/set-up: remote error: handshake failure

Many Thanks

Aidy

tsenart (Owner) commented Sep 17, 2014

Historically, there have been a number of issues with SSL code in the Go standard library. I can only attempt to solve this if you provide me with a certificate to debug with.

ghost (Author) commented Sep 17, 2014

Hi @tsenart

It is impossible for me to provide you with a BBC cert, so the options are:

  1. I create a web application that uses SSL certification and generate my own certs
  2. Try to debug it myself.

I am learning Go at the moment, so I will have a go at debugging it myself (but it may take some time).

Many Thanks

Aidy

ps https://github.com/BBC/load-test-artefacts#vegeta

ghost (Author) commented Sep 17, 2014

I see in your tests you have a cert.pem and a key.pem. Do I need to pass these files separately? Also do I not need a ca.pem?

tsenart (Owner) commented Sep 17, 2014

What do you mean, you have to pass these files directly? Have a look at http://golang.org/pkg/crypto/tls/#LoadX509KeyPair which would be used for a server.

ghost (Author) commented Sep 17, 2014

It looks like we need to pass the public cert file and the private key separately. I currently have them bundled in one pem.

So wouldn't we need to do:
-certs public-cert.pem, private-key.pem

Which then get passed into LoadX509KeyPair function?

Aidy

pascalhofmann commented

vegeta does not support ssl client certs.
See https://golang.org/pkg/crypto/tls/#Config

    // Certificates contains one or more certificate chains
    // to present to the other side of the connection.
    // Server configurations must include at least one certificate.
    Certificates []Certificate

but vegeta sets:

    // RootCAs defines the set of root certificate authorities
    // that clients use when verifying server certificates.
    // If RootCAs is nil, TLS uses the host's root CA set.
    RootCAs *x509.CertPool
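The distinction above is the whole bug: `RootCAs` only says which CAs the client trusts when checking the server, while `Certificates` is what the client presents so the server can authenticate it. The following is an added example, not vegeta's code and not from anyone in this thread, showing a client-side `tls.Config` built the way the later `-cert`/`-key`/`-insecure` discussion needs it. The function names `ClientTLSConfig` and `SelfSignedBundle` are my own; the behaviour it relies on is Go's real `tls.X509KeyPair`, which takes the `CERTIFICATE` blocks from its first argument and the first `... PRIVATE KEY` block from its second and ignores other blocks, so one PEM bundle produced by `openssl pkcs12 -nodes` can be passed as both. The self-signed bundle is constructed test data standing in for a real client cert.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ClientTLSConfig builds the tls.Config a client needs to present a
// certificate during the handshake (this is the Certificates field,
// not RootCAs). certPEM and keyPEM may be the same bundle: if keyPEM is
// empty the key is looked up in certPEM. caPEM may be nil, in which case
// the system root set is used for server verification. insecure maps
// to InsecureSkipVerify, i.e. a -insecure style flag.
func ClientTLSConfig(certPEM, keyPEM, caPEM []byte, insecure bool) (*tls.Config, error) {
	if len(keyPEM) == 0 {
		keyPEM = certPEM // bundled PEM: the key lives in the same file
	}
	cert, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return nil, fmt.Errorf("loading client key pair: %w", err)
	}
	cfg := &tls.Config{
		Certificates:       []tls.Certificate{cert},
		InsecureSkipVerify: insecure,
		MinVersion:         tls.VersionTLS12,
	}
	if len(caPEM) > 0 {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return nil, errors.New("no CA certificates found in PEM")
		}
		cfg.RootCAs = pool // trust for the *server's* chain only
	}
	return cfg, nil
}

// SelfSignedBundle generates a throwaway ECDSA key and a self-signed
// client-auth certificate and returns them as one PEM bundle (key block
// first, then cert block), mimicking `openssl pkcs12 -nodes` output.
// Constructed test data, not a real credential.
func SelfSignedBundle(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, err
	}
	var bundle []byte
	bundle = append(bundle, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})...)
	bundle = append(bundle, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...)
	return bundle, nil
}

func main() {
	bundle, err := SelfSignedBundle("client-demo")
	if err != nil {
		panic(err)
	}
	// One bundle for both cert and key, as after `openssl pkcs12 -nodes`.
	cfg, err := ClientTLSConfig(bundle, nil, nil, false)
	if err != nil {
		panic(err)
	}
	fmt.Printf("client certs loaded: %d, server verification on: %v\n",
		len(cfg.Certificates), !cfg.InsecureSkipVerify)
}
```

The `cfg` returned here goes into an `http.Transport{TLSClientConfig: cfg}`; a server that requires client certificates will then see the chain in the handshake instead of returning `handshake failure`. Leaving `insecure` false keeps server verification on, so an untrusted server CA still surfaces as `x509: certificate signed by unknown authority` rather than being silently accepted.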

tsenart reopened this Jun 19, 2015

tsenart (Owner) commented Jun 19, 2015

@pascalhofmann: Contributions welcome! I'm quite busy the following weeks... :-)

pascalhofmann commented

Sorry, I'm very busy too. :(

I ended up deactivating the client certificate check for the load testing…

ghost (Author) commented Nov 9, 2015

Is this just a matter of swapping the correct library in?

tsenart added a commit that referenced this issue Nov 14, 2015
tsenart (Owner) commented Nov 14, 2015

@aidylewis: Would you mind building this branch and trying it out?

tsenart added a commit that referenced this issue Nov 14, 2015
tsenart added a commit that referenced this issue Nov 14, 2015
tsenart added a commit that referenced this issue Nov 14, 2015
ghost (Author) commented Nov 15, 2015

Hi @tsenart

Brilliant. I will test it out tomorrow, while I am at work.

tsenart (Owner) commented Nov 16, 2015

@aidylewis: Any luck?

ghost (Author) commented Nov 17, 2015

I can connect through wget, but not through vegeta:

    $ Downloads wget --certificate=dev-cert.pem  "https://repo.dev.bbc.co.uk/load-test-team/cloud-load-test/trunk/project.json"
    --2015-11-17 14:09:51--  https://repo.dev.bbc.co.uk/load-test-team/cloud-load-test/trunk/project.json
    Resolving repo.dev.bbc.co.uk... 212.58.247.19
    Connecting to repo.dev.bbc.co.uk|212.58.247.19|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 175 [text/plain]
    Saving to: 'project.json'

    project.json   100%[=========================>]     175  --.-KB/s   in 0s

    2015-11-17 14:09:51 (4.91 MB/s) - 'project.json' saved [175/175]

    $ Downloads echo "GET https://repo.dev.bbc.co.uk/load-test-team/cloud-load-test/trunk/project.json" | ./vegeta attack -duration=2s -cert=dev-cert.pem | tee results.bin | ./vegeta report
    Requests      [total, rate]            100, 50.51
    Duration      [total, attack, wait]    6.043667687s, 1.97999991s, 4.063667777s
    Latencies     [mean, 50, 95, 99, max]  5.004173227s, 5.019698473s, 5.847646365s, 5.982105909s, 6.009408941s
    Bytes In      [total, mean]            0, 0.00
    Bytes Out     [total, mean]            0, 0.00
    Success       [ratio]                  0.00%
    Status Codes  [code:count]             0:100
    Error Set:
    Get https://repo.dev.bbc.co.uk/load-test-team/cloud-load-test/trunk/project.json: remote error: handshake failure

tsenart (Owner) commented Nov 17, 2015

OK, let's try to figure this out over chat: https://gitter.im/tsenart/vegeta

ghost (Author) commented Nov 17, 2015

After @tsenart's fix, I converted a p12 to a pem with the openssl command:

    openssl pkcs12 -nodes -in /path/to/my/cert.p12 -out /pathto/my/cert.pem

This bundles the private key and public cert in the pem.

I then ran:

    echo "GET https://whatever" | ./vegeta attack -duration=2s -cert=dev-cert.p12 -key=dev-cert.12 | tee results.bin | ./vegeta report

ghost closed this as completed Nov 17, 2015
tsenart added a commit that referenced this issue Nov 17, 2015
tsenart reopened this Nov 17, 2015

tsenart (Owner) commented Nov 17, 2015

@aidylewis: Can you download the pre release binaries again and try to use it without specifying the -key flag?

ghost (Author) commented Nov 17, 2015

OK

tsenart added a commit that referenced this issue Nov 17, 2015
tsenart added a commit that referenced this issue Nov 17, 2015
ghost (Author) commented Nov 17, 2015

Yep, works:

    Downloads echo "GET https://repo.dev.bbc.co.uk/load-test-team/cloud-load-test/trunk/project.json" | ./vegeta attack -duration=2s -cert=dev-cert.pem | tee results.bin | ./vegeta report
    Requests      [total, rate]            100, 50.51
    Duration      [total, attack, wait]    2.042449332s, 1.979999923s, 62.449409ms
    Latencies     [mean, 50, 95, 99, max]  63.527419ms, 60.675998ms, 79.496796ms, 100.795968ms, 125.271955ms
    Bytes In      [total, mean]            17500, 175.00
    Bytes Out     [total, mean]            0, 0.00
    Success       [ratio]                  100.00%
    Status Codes  [code:count]             200:100
    Error Set:

Thanks for all your help @tsenart

tsenart (Owner) commented Nov 17, 2015

Great! :)

tsenart (Owner) commented Nov 17, 2015

And sorry for taking more than a year (!!!) to fix this.

tsenart added a commit that referenced this issue Nov 17, 2015
ghost reopened this Nov 17, 2015
tsenart added a commit that referenced this issue Nov 17, 2015
ghost (Author) commented Nov 26, 2015

Hi @tsenart

I am receiving this error on a site: "x509: certificate signed by unknown authority"

Do I need to pass a ca.pem as well?

tsenart (Owner) commented Nov 26, 2015

That means that site's certificate isn't signed by any of the trusted CAs in your system. If you open that site in your browser, is it trusted?

ghost (Author) commented Nov 26, 2015

Good point. No.

tsenart (Owner) commented Nov 26, 2015

Well, then, what is the expected behaviour for you? Would you want a flag that disables certificate verification?

ghost (Author) commented Nov 26, 2015

I was too shy to ask, but that'd be nice.

In return I could write a BBC technology blog that includes Vegeta if you were interested and I don't mind giving a recurring "tip" as a thank you for your work.

tsenart (Owner) commented Nov 26, 2015

Hehe, don't be shy! You didn't need to offer me such a thing, but I won't say no :-) I'll try to have something ready by tomorrow.


ghost (Author) commented Nov 26, 2015

I'll ping you offline about the blog.

ghost (Author) commented Nov 27, 2015

Hi @tsenart

I cannot find your email on the internet. Mine is adrian dot lewis at bbc dot co dot uk.

sattishv commented

Even I am facing the same issue: "x509: certificate has expired or is not yet valid: current time". Tried accepting the certificates through the browser to make it trusted, but it didn't. Is the disable SSL verification option available in vegeta? Can you please clarify.

stephenwsun commented

@sattishv I believe the flag that you need to disable SSL verification is insecure. Set -insecure=true and that should work for you.

sattishv commented Mar 3, 2022 via email
