
ssl client certs about vegeta HOT 47 CLOSED

tsenart avatar tsenart commented on July 21, 2024
ssl client certs

from vegeta.

Comments (47)

tsenart avatar tsenart commented on July 21, 2024

What is the exact use case?

from vegeta.

 avatar commented on July 21, 2024

At the BBC we have a number of web services using SSL encryption (HTTPS) which the client can only communicate through with an SSL cert. JMeter and Tsung support such certification, but I am looking for a tool where I can write tests as code (not XML). I don't know enough about Go to add it in myself, but I intend to learn Go as I eventually want to contribute to an OS load-test tool.

from vegeta.

tsenart avatar tsenart commented on July 21, 2024

This functionality can be added relatively easily. I'll try to find the time to do it soon.

from vegeta.

 avatar commented on July 21, 2024

Many Thanks.

from vegeta.

tsenart avatar tsenart commented on July 21, 2024

@AidyLewis: Please download the latest release and let me know if it solves your problem.

from vegeta.

 avatar commented on July 21, 2024

Tested an endpoint without cert and I received a handshake failure in the results.
Tried a P12 which gave a bad cert.
Converted p12 => pem with this command:

    $ openssl pkcs12 -nodes -in cert.p12 -out cert.pem

Again, I received a handshake failure.

Using:

    $ vegeta attack -duration=10s -rate=10 -targets=targets.txt -output=results.bin -cert=dev-cert.pem

I will try another .pem.

@AidyLewis

from vegeta.

tsenart avatar tsenart commented on July 21, 2024

Please include the inputs and outputs of your test runs. I suggest you run it as such:

    echo "GET https://$HOSTNAME:$PORT" | vegeta attack -cert="$CERT" -duration=1s -rate=10 | tee results.bin | vegeta report

from vegeta.

 avatar commented on July 21, 2024

Hi,

I've attempted every conceivable way of converting a p12 to pem.

    echo "GET https://api.stage.bbc.co.uk/locator/locations?order=importance&s=NW9%207NT&a=true" | vegeta attack -cert="dev-cert.pem" -duration=1s -rate=10 | tee results.bin | vegeta report
    2014/09/09 17:30:56 Vegeta is attacking 1 targets in random order for 1s...
    2014/09/09 17:30:57 Done! Writing results to 'stdout'...
    Requests [total] 10
    Duration [total] 899.647219ms
    Latencies [mean, 50, 95, 99, max] 107.159577ms, 20.537454ms, 280.954271ms, 280.954271ms, 382.503234ms
    Bytes In [total, mean] 0, 0.00
    Bytes Out [total, mean] 0, 0.00
    Success [ratio] 0.00%
    Status Codes [code:count] 0:10
    Error Set:
    Get https://api.stage.bbc.co.uk/locator/locations?order=importance&s=NW9%207NT&a=true: remote error: handshake failure

from vegeta.

tsenart avatar tsenart commented on July 21, 2024

I am no expert in openssl but have you converted the certificate with the following?

    openssl pkcs12 -in cert.p12 -passin pass:password -out cert.pem

I presume you are able to connect to your server with openssl directly. Is that the case?

from vegeta.

 avatar commented on July 21, 2024

I have not forgotten about this, I'll re-attempt it again this afternoon.

from vegeta.

 avatar commented on July 21, 2024

Hi,

I have managed to curl on the dev svn repo which uses ssl:

    curl --cert dev-cert.pem --cacert ca.pem https://repo.dev.bbc.co.uk/load-test-team/cloud-load-test/trunk/bake-scripts/set-up

But still unable to use the vegeta cert switch:

    echo "GET https://repo.dev.bbc.co.uk/load-test-team/cloud-load-test/trunk/bake-scripts/set-up" | vegeta attack -cert="dev-cert.pem" -duration=1s -rate=10 | tee results.bin | vegeta report

    ....
    Error Set:
    Get https://repo.dev.bbc.co.uk/load-test-team/cloud-load-test/trunk/bake-scripts/set-up: remote error: handshake failure

Many Thanks

Aidy

from vegeta.

tsenart avatar tsenart commented on July 21, 2024

Historically, there have been a number of issues with SSL code in the Go standard library. I can only attempt to solve this if you provide me with a certificate to debug with.

from vegeta.

 avatar commented on July 21, 2024

Hi @tsenart

It is impossible for me to provide you with a BBC cert, so the options are:

  1. I create a web application that uses SSL certification and generate my own certs
  2. Try to debug it myself.

I am learning Go at the moment, so I will have a go at debugging it myself (but it may take some time).

Many Thanks

Aidy

ps https://github.com/BBC/load-test-artefacts#vegeta

from vegeta.

 avatar commented on July 21, 2024

I see in your tests you have a cert.pem and a key.pem. Do I need to pass these files separately? Also do I not need a ca.pem?

from vegeta.

tsenart avatar tsenart commented on July 21, 2024

What do you mean, you have to pass these files directly? Have a look at http://golang.org/pkg/crypto/tls/#LoadX509KeyPair which would be used for a server.

from vegeta.

 avatar commented on July 21, 2024

It looks like we need to pass the public cert file and the private key separately. I currently have them bundled in one pem.

So wouldn't we need to do:

    -certs public-cert.pem, private-key.pem

Which then get passed into the LoadX509KeyPair function?

Aidy

from vegeta.

pascalhofmann avatar pascalhofmann commented on July 21, 2024

vegeta does not support ssl client certs.
See https://golang.org/pkg/crypto/tls/#Config

    // Certificates contains one or more certificate chains
    // to present to the other side of the connection.
    // Server configurations must include at least one certificate.
    Certificates []Certificate

but vegeta sets:

    // RootCAs defines the set of root certificate authorities
    // that clients use when verifying server certificates.
    // If RootCAs is nil, TLS uses the host's root CA set.
    RootCAs *x509.CertPool

from vegeta.

tsenart avatar tsenart commented on July 21, 2024

@pascalhofmann: Contributions welcome! I'm quite busy the following weeks... :-)

from vegeta.

pascalhofmann avatar pascalhofmann commented on July 21, 2024

Sorry, I'm very busy too. :(

I ended up deactivating the client certificate check for the load testing…

from vegeta.

 avatar commented on July 21, 2024

Is this just a matter of swapping the correct library in?

from vegeta.

tsenart avatar tsenart commented on July 21, 2024

@aidylewis: Would you mind building this branch and trying it out?

from vegeta.

 avatar commented on July 21, 2024

Hi @tsenart

Brilliant. I will test it out tomorrow, while I am at work.

from vegeta.

tsenart avatar tsenart commented on July 21, 2024

@aidylewis: Any luck?

from vegeta.

 avatar commented on July 21, 2024

I have been off sick with a cold. Will check first thing today. Many apologies.

from vegeta.

tsenart avatar tsenart commented on July 21, 2024

Oh please, don't apologize for that! Get well soon!
On Tue, 17 Nov 2015 at 08:33, aidylewis wrote:

> I have been off sick with a cold. Will check first thing today. Many
> apologies.

from vegeta.

 avatar commented on July 21, 2024

What would you consider to be the best way to install a branch? I was thinking of go getting the master, switching to the cert branch, and then doing an install.

from vegeta.

tsenart avatar tsenart commented on July 21, 2024

Made your life easier: https://github.com/tsenart/vegeta/releases/tag/v6.0.0-pre

from vegeta.

 avatar commented on July 21, 2024

good man

from vegeta.

 avatar commented on July 21, 2024

I can connect through wget, but not through vegeta

    $ Downloads wget --certificate=dev-cert.pem  "https://repo.dev.bbc.co.uk/load-test-team/cloud-load-test/trunk/project.json"
    --2015-11-17 14:09:51--  https://repo.dev.bbc.co.uk/load-test-team/cloud-load-test/trunk/project.json
    Resolving repo.dev.bbc.co.uk... 212.58.247.19
    Connecting to repo.dev.bbc.co.uk|212.58.247.19|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 175 [text/plain]
    Saving to: 'project.json'

    project.json                                                        100%[=====================================================================================================================================================================>]     175  --.-KB/s   in 0s

    2015-11-17 14:09:51 (4.91 MB/s) - 'project.json' saved [175/175]

    $ Downloads echo "GET https://repo.dev.bbc.co.uk/load-test-team/cloud-load-test/trunk/project.json" | ./vegeta attack -duration=2s -cert=dev-cert.pem | tee results.bin | ./vegeta report
    Requests      [total, rate]            100, 50.51
    Duration      [total, attack, wait]    6.043667687s, 1.97999991s, 4.063667777s
    Latencies     [mean, 50, 95, 99, max]  5.004173227s, 5.019698473s, 5.847646365s, 5.982105909s, 6.009408941s
    Bytes In      [total, mean]            0, 0.00
    Bytes Out     [total, mean]            0, 0.00
    Success       [ratio]                  0.00%
    Status Codes  [code:count]             0:100
    Error Set:
    Get https://repo.dev.bbc.co.uk/load-test-team/cloud-load-test/trunk/project.json: remote error: handshake failure

from vegeta.

tsenart avatar tsenart commented on July 21, 2024

OK, let's try to figure this out over chat: https://gitter.im/tsenart/vegeta

from vegeta.

 avatar commented on July 21, 2024

After @tsenart's fix, I converted a p12 to a pem with the openssl command:

    openssl pkcs12 -nodes -in /path/to/my/cert.p12 -out /pathto/my/cert.pem

This bundles the private key and public cert in the pem.

I then ran:

    echo "GET https://whatever" | ./vegeta attack -duration=2s -cert=dev-cert.p12 -key=dev-cert.12 | tee results.bin | ./vegeta report

from vegeta.

tsenart avatar tsenart commented on July 21, 2024

@aidylewis: Can you download the pre release binaries again and try to use it without specifying the -key flag?

from vegeta.

 avatar commented on July 21, 2024

OK

from vegeta.

 avatar commented on July 21, 2024

Yep, works

    Downloads echo "GET https://repo.dev.bbc.co.uk/load-test-team/cloud-load-test/trunk/project.json" | ./vegeta attack -duration=2s -cert=dev-cert.pem | tee results.bin | ./vegeta report
    Requests      [total, rate]            100, 50.51
    Duration      [total, attack, wait]    2.042449332s, 1.979999923s, 62.449409ms
    Latencies     [mean, 50, 95, 99, max]  63.527419ms, 60.675998ms, 79.496796ms, 100.795968ms, 125.271955ms
    Bytes In      [total, mean]            17500, 175.00
    Bytes Out     [total, mean]            0, 0.00
    Success       [ratio]                  100.00%
    Status Codes  [code:count]             200:100
    Error Set:

Thanks for all your help @tsenart

from vegeta.

tsenart avatar tsenart commented on July 21, 2024

Great! :)

from vegeta.

tsenart avatar tsenart commented on July 21, 2024

And sorry for taking more than a year (!!!) to fix this.

from vegeta.

 avatar commented on July 21, 2024

Hi @tsenart

I am receiving this error on a site: "x509: certificate signed by unknown authority"

Do I need to pass a ca.pem as well?

from vegeta.

tsenart avatar tsenart commented on July 21, 2024

That means that site's certificate isn't signed by any of the trusted CAs in your system. If you open that site in your browser, is it trusted?

from vegeta.

 avatar commented on July 21, 2024

Good point. No.

from vegeta.

tsenart avatar tsenart commented on July 21, 2024

Well, then, what is the expected behaviour for you? Would you want a flag that disables certificate verification?

from vegeta.

 avatar commented on July 21, 2024

I was too shy to ask, but that'd be nice.

In return I could write a BBC technology blog that includes Vegeta if you were interested and I don't mind giving a recurring "tip" as a thank you for your work.

from vegeta.

tsenart avatar tsenart commented on July 21, 2024

Hehe, don't be shy! You didn't need to offer me such thing, but I won't say
no :-) I'll try to have something ready by tomorrow.

On Thu, 26 Nov 2015 at 19:44, aidylewis wrote:

> I was too shy to ask, but that'd be nice.
>
> In return I could write a BBC technology blog that includes Vegeta if you
> were interested and I don't mind giving a recurring "tip" as a thank you
> for your work.

from vegeta.

 avatar commented on July 21, 2024

I'll ping you offline about the blog.

from vegeta.

 avatar commented on July 21, 2024

Hi @tsenart

I cannot find your email on the internet. Mine is adrian dot lewis at bbc dot co dot uk.

from vegeta.

sattishv avatar sattishv commented on July 21, 2024

Even I am facing the same issue: "x509: certificate has expired or is not yet valid: current time". Tried accepting the certificates through the browser to make it trusted, but it didn't. Is the disable SSL verification option available in vegeta? Can you please clarify?

from vegeta.

stephenwsun avatar stephenwsun commented on July 21, 2024

@sattishv I believe the flag that you need to disable SSL verification is insecure. Set -insecure=true and that should work for you.

from vegeta.

sattishv avatar sattishv commented on July 21, 2024

from vegeta.
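
The two `tls.Config` fields this thread turns on, as an added Go example that is not vegeta's code: `Certificates` carries the client certificate (parsed here from one PEM bundle holding both cert and key, the layout `openssl pkcs12 -nodes` writes), and `RootCAs` decides whether the server's certificate is trusted, which can be set to a specific CA while verification stays enabled. The local test server, the generated certificate and the helper names `clientBundle` and `attempt` are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
)

// clientBundle returns a constructed self-signed cert and its key in ONE PEM buffer.
func clientBundle() []byte {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1)} // validity unset: the server below never verifies it
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, key)
	p8, _ := x509.MarshalPKCS8PrivateKey(key)
	out := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return append(out, pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: p8})...)
}
// attempt sends one GET to a local test server that demands a client certificate.
func attempt(sendClientCert, trustServerCA bool) error {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAnyClientCert}
	srv.StartTLS()
	defer srv.Close()
	cfg := &tls.Config{} // nil RootCAs: the server is verified against the host's CA set
	if sendClientCert {
		bundle := clientBundle()
		pair, err := tls.X509KeyPair(bundle, bundle) // same buffer as cert input and key input
		if err != nil {
			return err
		}
		cfg.Certificates = []tls.Certificate{pair} // the chain presented to the server
	}
	if trustServerCA {
		cfg.RootCAs = x509.NewCertPool() // trust this one certificate; verification stays on
		cfg.RootCAs.AddCert(srv.Certificate())
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(srv.URL)
	if err == nil {
		resp.Body.Close()
	}
	return err
}
func main() { fmt.Println(attempt(false, true), "|", attempt(true, false), "|", attempt(true, true)) }
```

The three calls correspond to the thread's three outcomes: a failed handshake when no client certificate is sent, an x509 verification error when the server's issuer is not trusted, and success when both fields are set.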
