Felix Schumacher <[email protected]> wrote at 13:25 on Friday, 17 July 2015:

On 15 July 2015 11:17:33 CEST, George <[email protected]> wrote:
>Hello,

> Could you try to not top-post? And my mail client has problems showing some 
> of your new lines, which makes reading your mails harder than it should be. 

OK sorry. I'm using the yahoo webmail client and just click "reply".


>I have now the r1609478 running and have set up in the
>jmeter.properties to use TLSv1.2. But this setting is only for "http"...
>and not for smtp. Anyway I set it to be TLSv1.2

> Right, http and smtp samplers have quite different settings. 

>It's still not running. I put the debug on and I see on my terminal:
>*** CelintHello, TLSv1
>In the JMeter logger panel I see:
>jmeter.protocol.smtp.sampler.protocol.SendMailCommand: User ssl/tls
>protocols for mail: SSLv2Hello SSLv3 TLSv1 TLSv1.1 TLSv1.2
>But when I try to connect on port 465 it's not working.

> Are these three only debug messages? Could you post the complete log messages 
> somewhere? It would be best to have logs from the nightly build and the 
> latest official build. 

> Maybe a tcpdump of both tries could help. 

Attached a screenshot of my tcpdump. As you can see the "Client Hello" is done 
using TLSv1.0

>I also tried with a native mail client, Thunderbird 31.4, which supports
>TLSv1.2. There it works perfectly like a charm from the beginning on.
>In my server logs I see this: SSL-Tunnel established (TLSv1.2
>ECDHE-RSA-AES128-GCM-SHA256 (128/128)
>Of course it's not the strong cipher:
>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 but with Thunderbird it's
>working with at least TLSv1.2.
>Thus: My server works perfectly and accepts TLSv1.2 connections ONLY. If a
>client tries to connect with anything below TLSv1.2 then my server does not
>accept it. 

> Is the mail server reachable via a public address, so that I could try to 
> access it? 

No the mail server is not public - sorry

>For testing purposes I can activate TLSv1.1 and TLSv1.0 and then JMeter
>is working too. 
>
>Maybe some more info. If I use JMeter and the HTTP Sampler then I can do
>TLSv1.2 connections with the strong cipher. But for this I need to put
>this:
>JMETER_OPTS="-Dhttps.cipherSuites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
>in my jmeter.sh start script.
>So:
>HTTP and TLSv1.2 and strong cipher = works with JMeter
>SMTP with TLSv1.2 = is (still) not working
>SMTP with TLSv1.2 and strong cipher = also not working

> Well http and smtp tls are two different beasts with respect to jmeter. 

> Would you be able to build jmeter yourself and apply patches? 

Technically yes, I do have Java dev. skills. I will try to get the latest source 
and apply tlsv1.2 for smtp(s). Maybe we should make the same steps for smtp(s) 
as for http(s) and extend the jmeter.properties to also have smtp(s) 
parameters? Also adding support for "-Dsmtps.cipherSuites..." would be good, to 
apply only the cipher string you want to have?

Br
George

>Regards, 
>Felix
>
>
>Br
>George
>
>Felix Schumacher <[email protected]> wrote at 17:45 on Wednesday, 17 June 2015:
>
>On 9 June 2015 11:41:42 CEST, George <[email protected]> wrote:
>>Hi,
>>OK, I will get the nightly build and try it out.
>
>Have you tried the nightly and did it help you? 
>
>Regards,
>Felix
>
>>Br
>>George
>>
>>Felix Schumacher <[email protected]> wrote at 19:31 on Monday, 8 June 2015:
>>
>> On 08.06.2015 at 15:12, George wrote:
>>> Hello Felix,
>>>
>>> Felix Schumacher <[email protected]> wrote at 14:58 on Sunday, 7 June 2015:
>>>
>>>  On 06.06.2015 at 17:54, Felix Schumacher wrote:
>>>> Hi George,
>>>>
>>>> On 03.06.2015 at 12:11, George wrote:
>>>>> Hello,
>>>>> yes my server can do tls 1.2 perfectly and also with the above
>>>>> (strong) cipher. I did some more tests where I modify step by step my
>>>>> server configuration until it works and here are my results.
>>>>> Test 1: My server allows ONLY tls 1.2 and ONLY the cipher
>>>>> ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
>>>>> Test 2: My server allows ONLY tls 1.2 and ANY cipher
>>>>> Test 3: My server allows tls 1.2 and tls 1.1 and ANY cipher
>>>>> Test 4: My server allows tls 1.2 and tls 1.1 and tls 1.0 and ANY cipher
>>>>>
>>>>> My jmeter.properties is set to do tls1.2 only - but the SSL
>>>>> configuration is only for the http protocol and not for smtp(s). Thus
>>>>> I think this does not care. I have java jre 1.8 latest plus the oracle
>>>>> security "Unlimited Strength Java Cryptography Extension Policy
>>>>> Files" package.
>>>>> My jmeter test plan is very easy.
>>>>> One thread, one smtp sampler and one "view results in tree". The SMTP
>>>>> Sampler targets my mail server on port "465" and the checkbox "use
>>>>> ssl" is enabled and the hook "Trust all certificates" is enabled
>>>>> too. There is one Subject: hello and Email body: hello. Simple
>>>>> Results:
>>>>> Test 1: Fail - no ssl handshake
>>>>> Test 2: Fail - no ssl handshake
>>>>> Test 3: Fail - no ssl handshake
>>>>> Test 4: Success: Perfectly SSL Handshake. SSL Connection established
>>>>> using "TLSv1 ECDHE-ECDSA-AES256-SHA" (no client certificate checkup
>>>>> <- means no mutual ssl)
>>>>> OK thus it works. I can send an email with jmeter SMTP sampler using
>>>>> (direct) ssl on port 465 - but it only works if I activate tls1.0.
>>>>> I did not find any jmeter configuration about "smtps".
>>>>>
>>>>> I did some further tests with thunderbird 31.4 (on a linux). Here the
>>>>> results.
>>>>> Test 1: Fails - no ssl connection
>>>>> Test 2, 3 and 4: Success.
>>>>> Looking at the thunderbird settings it's strange but the cipher I want
>>>>> to use is not available. Thus I can do tls1.2 but not with my
>>>>> "strong" cipher.
>>>>> Br.
>>>>> George
>>>> I have added a few println's in TrustAllSSLSocketFactory and found
>>>> that I have to change the line where the sslcontext is created first
>>>> by calling SSLContext.getInstance("TLS").
>>>>
>>>> When you change that occurrence of TLS to TLSv1.2 you should get a
>>>> TLSv1.2 connection with a strong cipher suite.
>>>>
>>>> This default setting should probably be configurable as the used
>>>> cipher suites.
>>>> After a bit more research, the behaviour seems to be different between
>>>> java 7 and java 8. In my tests java 8 was able to do a TLSv1.2 connect
>>>> with getInstance("TLS"), while java 7 was not.
>>>> Can you double check that you are using java 8?
>>> yes I'm using java 8. java -version gives me: java version "1.8.0_20".
>>> It's not the newest java 8 but it is java 8 for sure.
>>> I'm not sure what you mean about "SSLContext.getInstance("TLS") and
>>> where to change it to "TLSv1.2" ?
>>You could have changed it inside the source code of the class. But don't 
>>bother with it anymore.
>>> I did some debugging tests and have activated the jmeter properties to
>>> "DEBUG" (log level) and I also put the debug on in the
>>> system.properties for ssl (all). When I configure my server to accept
>>> TLSv1.0, TLSv1.1 and TLSv1.2 then jmeter ssl works and I see the
>>> following:
>>> trigger seeding of SecureRandom
>>> done seeding SecureRandom
>>> ***ClientHello, TLSv1
>>> ***ServerHello, TLSv1
>>> %% Initialized: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
>>> ** TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>>> *** Certificate chain
>>> *** ECDH ServerKeyExchange
>>> *** ServerHelloDone
>>> ***ECDHClientKeyExchange.....
>>> Now I change my server to only allow TLSv1.2 and then I see this:
>>> *** ClientHello, TLSv1
>>> and then broken pipe and "SEND TLSv1.2 ALERT: fatal, description =
>>> handshare_failure
>>> The same error if I turn on TLSv1.1.
>>>
>>> Well, I do not know how to turn on TLSv1.2 for SMTP in JMeter?
>>> There are some configuration properties for http(s) and this works
>>> perfectly with TLSv1.2. But not for SMTP.
>>
>>I have filed a bug request 
>>(https://bz.apache.org/bugzilla/show_bug.cgi?id=58013) and submitted a
>>fix.
>>
>>Could you try it out?
>>
>>The next nightly should have the fix, or you can build jmeter yourself
>>from source.
>>
>>Regards
>>  Felix
>>> Br
>>> George
>>>
>>>
>>>
>>>> Regards
>>>    > Felix
>>>> Regards
>>>>    Felix
>>>>
>>>>>
>>>>>
>>>>> Felix Schumacher <[email protected]> wrote at 10:29 on Monday, 1 June 2015:
>>>>>
>>>>> On 29.05.2015 at 13:16, George wrote:
>>>>>> Hello,
>>>>>> I try to send a "hello" email using the SMTP Sampler and want to use
>>>>>> SSL/TLS on standard port 465 for this connection. Moreover I want to
>>>>>> use TLSv1.2 with the very strong cipher
>>>>>> "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384". Currently the handshake
>>>>>> fails.
>>>>>> Technically, if I change the configuration on my server to also accept
>>>>>> TLSv1.1 and v1.0 then the SSL connection works and the email is sent
>>>>>> perfectly. I see in the logs that the client (jmeter) and my server
>>>>>> agreed on a cipher coming from TLS1.0. Thus in general SSL is
>>>>>> working but not with TLSv1.2.
>>>>>> Anyone any idea how I can use SMTP(s) with TLSv1.2 and the above
>>>>>> cipher? I tried to put this in my jmeter.sh file but it seems it does
>>>>>> not matter?
>>>>>>
>>>>>> JMETER_OPTS="-Dhttps.cipherSuites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
>>>>>>
>>>>> The smtp sampler has no option to specify the wanted ciphersuites, so
>>>>> the option given above will not be used.
>>>>>> I also installed the latest java jdk and I also installed the
>>>>>> additional strong security package and replaced the .jar files in
>>>>>> /usr/java/jre.../lib/security
>>>>> Which jdk did you install exactly?
>>>>>
>>>>> Have you checked (with openssl or something similar), that your
>>>>> mailserver is capable of TLSv1.2?
>>>>>
>>>>> Regards
>>>>>      Felix
>>>>>> Br
>>>>>> George
>>>>>>
>>>>>>
>>>>>
>>---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: [email protected]
>>>>> For additional commands, e-mail: [email protected]
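
Added example (not part of the thread and not JMeter's code): a JSSE-only check of the point diagnosed above, that the name passed to `SSLContext.getInstance` decides which protocol versions a client socket offers by default, and how a client socket can be pinned to TLSv1.2 and the cipher suite named in the thread. The class and method names (`SmtpsTlsCheck`, `defaultProtocols`, `pinnedSocket`) are hypothetical; the code opens no network connection and uses the JRE's default trust managers.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import java.util.Arrays;

public class SmtpsTlsCheck {
    // Cipher suite named in the thread.
    static final String SUITE = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384";

    // Protocol versions a client socket from this context offers by default.
    static String[] defaultProtocols(String contextName) throws Exception {
        SSLContext ctx = SSLContext.getInstance(contextName);
        ctx.init(null, null, null); // default key managers, trust managers, RNG
        return ctx.getDefaultSSLParameters().getProtocols();
    }

    // Unconnected client socket restricted to one protocol and one cipher suite.
    static SSLSocket pinnedSocket(String protocol, String suite) throws Exception {
        SSLContext ctx = SSLContext.getInstance(protocol);
        ctx.init(null, null, null);
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket();
        // Both setters throw IllegalArgumentException if this JRE lacks the value,
        // so a missing protocol or suite fails here instead of during the handshake.
        s.setEnabledProtocols(new String[] { protocol });
        s.setEnabledCipherSuites(new String[] { suite });
        return s;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        // Compare what "TLS" and "TLSv1.2" enable on the JRE running this check.
        for (String name : new String[] { "TLS", "TLSv1.2" }) {
            System.out.println(name + " -> " + Arrays.toString(defaultProtocols(name)));
        }
        try (SSLSocket s = pinnedSocket("TLSv1.2", SUITE)) {
            System.out.println("pinned protocols = " + Arrays.toString(s.getEnabledProtocols()));
            System.out.println("pinned suites    = " + Arrays.toString(s.getEnabledCipherSuites()));
        }
    }
}
```

Running it with the same `java` binary that starts JMeter shows whether that JRE's default "TLS" context would offer TLSv1.2 in the ClientHello at all.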