On 07.06.2015 at 11:12, Rainer Jung wrote:
On 06.06.2015 at 17:59, Felix Schumacher wrote:
Hi all,
to enable the SMTP Sampler to use a higher TLS version than TLSv1 it
seems to be necessary to change the SSLContext.getInstance call in
TrustAllSSLSocketFactory from "TLS" to "TLSv1.2".
Any idea why? When I test Java HTTP connectivity, then "TLS" is able
to connect TLSv1.2 if the JVM is new enough and the server supports
it. "TLS" in getInstance() is not very well documented, but in general
seems to support all TLS versions trying to use the newest one
supported by both sides.
There's also the possibility to set enabledProtocols() which does not
support the string "TLS", but only the explicit protocol versions. But
even without setting enabled protocols and just sticking to defaults, I
can get a TLSv1.2 (HTTP) connection with Java 8 and e.g. a TLSv1
connection with Java 6, both creating the SSLContext via
getInstance("TLS").
I have done my tests using Java 7. When I repeated them with Java 8
(after I wrote the text below), I got the same results, as you reported.
So it seems to be a problem with Java 7 only.
Is there a public SMTP server which can be used to observe the problem
you see?
I have used a Docker image (catatnight/postfix) with self-signed certs.
Instead of running it directly, I started a shell with it:
$ docker run -ti -p 587:587 -e maildomain=whatever.local -e smtp_user=user:pwd \
    -v "${PATH_TO_CERTS}":/etc/postfix/certs catatnight/postfix /bin/bash
Inside the new prompt I used the install.sh script from the Docker
image, so that my keys get used, and disabled every protocol except TLSv1.2:
root@abc...:/# /opt/install.sh
# Some message about missing dkim keys (can be ignored)
root@abc...:/# postconf -e 'smtpd_tls_mandatory_protocols=TLSv1.2'
root@abc...:/# service postfix start
# Message that postfix started
In another terminal I used openssl to connect to the server with TLSv1.2
(success) and TLSv1.2 (no success) using:
$ openssl s_client -tls1_2 -starttls smtp -connect localhost:587
# ...
# ---
# 250 DSN
quit
$ openssl s_client -tls1_1 -starttls smtp -connect localhost:587
# ...
# ---
$
With this setup and the getInstance("TLS") I got no connection, while
getInstance("TLSv1.2") gave me a connection.
When I start the postfix server in its default configuration (every
protocol allowed except SSLv2), JMeter is able to make a connection, but
will use TLSv1 only.
This test was done on Ubuntu 14.04 LTS with OpenJDK 1.7.0_79. And after
I wrote this text I repeated the tests with Oracle's Java versions
1.7.0_80, 1.8.0_45 and 1.9.0-ea-b66, where Java 8 and 9 successfully
created a connection with getInstance("TLS") and Java 7 did not.
So it seems to be a problem with Java 7 and getInstance("TLS") only.
Should we still add a system property to influence the selection of the
used protocol?
Regards
Felix
Regards,
Rainer
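
Added example, not part of the thread above and not JMeter code: a small check that prints which protocols getInstance("TLS") and getInstance("TLSv1.2") enable by default on the running JVM, then applies an explicit protocol list from a system property through setEnabledProtocols(). The property name example.smtp.tls.protocols and the class name are hypothetical; the default trust managers are used rather than a trust-all factory.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

public class TlsProtocolCheck {
    // Hypothetical property name (assumption), not an existing JMeter setting.
    static final String PROP = "example.smtp.tls.protocols";

    // Returns the requested protocols that this JVM supports,
    // or the context defaults when nothing was requested.
    static String[] select(SSLContext ctx, String requested) {
        if (requested == null || requested.trim().isEmpty()) {
            return ctx.getDefaultSSLParameters().getProtocols();
        }
        List<String> supported =
                Arrays.asList(ctx.getSupportedSSLParameters().getProtocols());
        List<String> chosen = new ArrayList<String>();
        for (String p : requested.split(",")) {
            if (supported.contains(p.trim())) {
                chosen.add(p.trim());
            }
        }
        if (chosen.isEmpty()) {
            // Fail closed instead of silently falling back to older protocols.
            throw new IllegalArgumentException("No supported protocol in: " + requested);
        }
        return chosen.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Compare what each context name enables by default versus what it supports.
        for (String name : new String[] {"TLS", "TLSv1.2"}) {
            SSLContext ctx = SSLContext.getInstance(name);
            ctx.init(null, null, null); // default key and trust managers
            System.out.println(name + " default:   "
                    + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
            System.out.println(name + " supported: "
                    + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        }
        // Keep getInstance("TLS") and pin the versions on the socket instead.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(); // unconnected
        socket.setEnabledProtocols(select(ctx, System.getProperty(PROP)));
        System.out.println("enabled:   " + Arrays.toString(socket.getEnabledProtocols()));
        socket.close();
    }
}
```

Run it once per JVM under test, for example with -Dexample.smtp.tls.protocols=TLSv1.2, and compare the "default" lines between Java 7 and Java 8.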