Closed ghost closed 8 years ago
What is the exact use case?
At the BBC we have a number of web services using SSL encryption (HTTPS) which the client can only communicate through with an SSL cert. JMeter and Tsung support such certification, but I am looking for a tool where I can write tests as code (not XML). I don't know enough about Go to add it in myself, but I intend to learn Go as I eventually want to contribute to an OS load-test tool.
This functionality can be added relatively easily. I'll try to find the time to do it soon.
Many Thanks.
@AidyLewis: Please download the latest release and let me know if it solves your problem.
Tested an endpoint without cert and I received a handshake failure in the results. Tried a P12 which gave a bad cert. Converted p12 => pem with this command:
$ openssl pkcs12 -nodes -in cert.p12 -out cert.pem
Again, I received a handshake failure.
using:
$ vegeta attack -duration=10s -rate=10 -targets=targets.txt -output=results.bin -cert=dev-cert.pem
I will try another .pem.
@AidyLewis
Please include the inputs and outputs of your test runs. I suggest you run it as such:
echo "GET https://$HOSTNAME:$PORT" | vegeta attack -cert="$CERT" -duration=1s -rate=10 | tee results.bin | vegeta report
Hi,
I've attempted every conceivable way of converting a p12 to pem.
echo "GET https://api.stage.bbc.co.uk/locator/locations?order=importance&s=NW9%207NT&a=true" | vegeta attack -cert="dev-cert.pem" -duration=1s -rate=10 | tee results.bin | vegeta report
2014/09/09 17:30:56 Vegeta is attacking 1 targets in random order for 1s...
2014/09/09 17:30:57 Done! Writing results to 'stdout'...
Requests [total] 10
Duration [total] 899.647219ms
Latencies [mean, 50, 95, 99, max] 107.159577ms, 20.537454ms, 280.954271ms, 280.954271ms, 382.503234ms
Bytes In [total, mean] 0, 0.00
Bytes Out [total, mean] 0, 0.00
Success [ratio] 0.00%
Status Codes [code:count] 0:10
Error Set:
Get https://api.stage.bbc.co.uk/locator/locations?order=importance&s=NW9%207NT&a=true: remote error: handshake failure
I am no expert in openssl but have you converted the certificate with the following?
openssl pkcs12 -in cert.p12 -passin pass:password -out cert.pem
I presume you are able to connect to your server with openssl directly. Is that the case?
I have not forgotten about this, I'll re-attempt it again this afternoon.
Hi,
I have managed to curl on the dev svn repo which uses ssl
curl --cert dev-cert.pem --cacert ca.pem https://repo.dev.bbc.co.uk/load-test-team/cloud-load-test/trunk/bake-scripts/set-up
But still unable to use the vegeta cert switch:
echo "GET https://repo.dev.bbc.co.uk/load-test-team/cloud-load-test/trunk/bake-scripts/set-up" | vegeta attack -cert="dev-cert.pem" -duration=1s -rate=10 | tee results.bin | vegeta report
.... Error Set: Get https://repo.dev.bbc.co.uk/load-test-team/cloud-load-test/trunk/bake-scripts/set-up: remote error: handshake failure
Many Thanks
Aidy
Historically, there have been a number of issues with SSL code in the Go standard library. I can only attempt to solve this if you provide me with a certificate to debug with.
Hi @tsenart
It is impossible for me to provide you with a BBC cert, so the options are:
1) I create a web application that uses SSL certification and generate my own certs
2) Try to debug it myself.
I am learning Go at the moment, so I will have a go at debugging it myself (but it may take some time).
Many Thanks
Aidy
I see in your tests you have a cert.pem and a key.pem. Do I need to pass these files separately? Also do I not need a ca.pem?
What do you mean, you have to pass these files directly? Have a look at http://golang.org/pkg/crypto/tls/#LoadX509KeyPair which would be used for a server.
It looks like we need to pass the public cert file and the private key separately. I currently have them bundled in one pem.
So wouldn't we need to do: -certs public-cert.pem, private-key.pem
Which then get passed into LoadX509KeyPair function?
Aidy
vegeta does not support ssl client certs. See https://golang.org/pkg/crypto/tls/#Config
// Certificates contains one or more certificate chains
// to present to the other side of the connection.
// Server configurations must include at least one certificate.
Certificates []Certificate
but vegeta sets:
// RootCAs defines the set of root certificate authorities
// that clients use when verifying server certificates.
// If RootCAs is nil, TLS uses the host's root CA set.
RootCAs *x509.CertPool
@pascalhofmann: Contributions welcome! I'm quite busy the following weeks... :-)
Sorry, I'm very busy too. :(
I ended up deactivating the client certificate check for the load testing…
Is this just a matter of swapping the correct library in?
@aidylewis: Would you mind building this branch and trying it out?
Hi @tsenart
Brilliant. I will test it out tomorrow, while I am at work.
@aidylewis: Any luck?
I have been off sick with a cold. Will check first thing today. Many apologies.
Oh please, don't apologize for that! Get well soon!
What would you consider to be the best way to install a branch? I was thinking of go getting the master, switching to the cert branch, and then doing an install.
Made your life easier: https://github.com/tsenart/vegeta/releases/tag/v6.0.0-pre
good man
I can connect through wget, but not through vegeta
$ Downloads wget --certificate=dev-cert.pem "https://repo.dev.bbc.co.uk/load-test-team/cloud-load-test/trunk/project.json"
--2015-11-17 14:09:51-- https://repo.dev.bbc.co.uk/load-test-team/cloud-load-test/trunk/project.json
Resolving repo.dev.bbc.co.uk... 212.58.247.19
Connecting to repo.dev.bbc.co.uk|212.58.247.19|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 175 [text/plain]
Saving to: 'project.json'
project.json 100%[=====================================================================================================================================================================>] 175 --.-KB/s in 0s
2015-11-17 14:09:51 (4.91 MB/s) - 'project.json' saved [175/175]
$ Downloads echo "GET https://repo.dev.bbc.co.uk/load-test-team/cloud-load-test/trunk/project.json" | ./vegeta attack -duration=2s -cert=dev-cert.pem | tee results.bin | ./vegeta report
Requests [total, rate] 100, 50.51
Duration [total, attack, wait] 6.043667687s, 1.97999991s, 4.063667777s
Latencies [mean, 50, 95, 99, max] 5.004173227s, 5.019698473s, 5.847646365s, 5.982105909s, 6.009408941s
Bytes In [total, mean] 0, 0.00
Bytes Out [total, mean] 0, 0.00
Success [ratio] 0.00%
Status Codes [code:count] 0:100
Error Set:
Get https://repo.dev.bbc.co.uk/load-test-team/cloud-load-test/trunk/project.json: remote error: handshake failure
OK, let's try to figure this out over chat: https://gitter.im/tsenart/vegeta
After @tsenart's fix, I converted a p12 to a pem with the openssl command:
openssl pkcs12 -nodes -in /path/to/my/cert.p12 -out /pathto/my/cert.pem
This bundles the private key and public cert in the pem.
I then ran:
echo "GET https://whatever" | ./vegeta attack -duration=2s -cert=dev-cert.p12 -key=dev-cert.12 | tee results.bin | ./vegeta report
@aidylewis: Can you download the pre release binaries again and try to use it without specifying the -key flag?
OK
Yep, works
Downloads echo "GET https://repo.dev.bbc.co.uk/load-test-team/cloud-load-test/trunk/project.json" | ./vegeta attack -duration=2s -cert=dev-cert.pem | tee results.bin | ./vegeta report
Requests [total, rate] 100, 50.51
Duration [total, attack, wait] 2.042449332s, 1.979999923s, 62.449409ms
Latencies [mean, 50, 95, 99, max] 63.527419ms, 60.675998ms, 79.496796ms, 100.795968ms, 125.271955ms
Bytes In [total, mean] 17500, 175.00
Bytes Out [total, mean] 0, 0.00
Success [ratio] 100.00%
Status Codes [code:count] 200:100
Error Set:
Thanks for all your help @tsenart
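An added example, not part of the original thread or of vegeta's code: it shows the `RootCAs` versus `Certificates` distinction quoted from the crypto/tls docs earlier in the thread, and why a single bundled PEM works without a separate key file. The helper names `makeBundle` and `attempt`, the throwaway self-signed certificate and the local `httptest` server are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// makeBundle returns a constructed sample: key + self-signed cert in one PEM blob (errors ignored, fixed inputs).
func makeBundle() []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(key)
	bundle := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	return append(bundle, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...)
}

// attempt sends one GET to a local server that demands a client certificate; nil bundle means RootCAs only.
func attempt(bundle []byte) error {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAnyClientCert}
	srv.StartTLS()
	defer srv.Close()
	client := srv.Client() // its RootCAs already trusts the test server's certificate
	if bundle != nil {
		pair, err := tls.X509KeyPair(bundle, bundle) // same PEM as cert and key: non-matching blocks are skipped
		if err != nil {
			return err
		}
		client.Transport.(*http.Transport).TLSClientConfig.Certificates = []tls.Certificate{pair}
	}
	resp, err := client.Get(srv.URL)
	if err == nil {
		resp.Body.Close()
	}
	return err
}

func main() {
	fmt.Printf("RootCAs only: %v\nwith client cert: %v\n", attempt(nil), attempt(makeBundle()))
}
```

`RootCAs` only governs how the client verifies the server; the server's demand for a client certificate is satisfied solely by `Certificates`, which is why the first call fails the handshake and the second succeeds.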
Great! :)
And sorry for taking more than a year (!!!) to fix this.
Hi @tsenart
I am receiving this error on a site: "x509: certificate signed by unknown authority"
Do I need to pass a ca.pem as well?
That means that site's certificate isn't signed by any of the trusted CAs in your system. If you open that site in your browser, is it trusted?
Good point. No.
Well, then, what is the expected behaviour for you? Would you want a flag that disables certificate verification?
I was too shy to ask, but that'd be nice.
In return I could write a BBC technology blog that includes Vegeta if you were interested and I don't mind giving a recurring "tip" as a thank you for your work.
Hehe, don't be shy! You didn't need to offer me such thing, but I won't say no :-) I'll try to have something ready by tomorrow.
I'll ping you offline about the blog.
Hi @tsenart
I cannot find your email on the internet. Mine is adrian dot lewis at bbc dot co dot uk.
Even I am facing the same issue: "x509: certificate has expired or is not yet valid: current time". Tried accepting the certificates through the browser to make it trusted but it didn't. Is the disable SSL verification option available in vegeta? Can you please clarify?
@sattishv I believe the flag that you need to disable SSL verification is insecure. Set -insecure=true and that should work for you.
Thanks Will check disabling it
I wondered if you'd ever thought of supporting ssl client certs?