Self Signed Keystore configuration , without have to provide TrustStore

[Vividh S V]

HTTPS request throws the following error.

Wrapped by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested targe

Error is because I use self signed certificate. I understand this will be solved by providing the TrustStore of my servers. However the documentation says (http://gatling.io/docs/2.1.4/http/http_ssl.html) 

"Default Gatling TrustStore is very permissive and doesn't validate certificates, meaning that it works out of the box with self-signed certificates."

Can I run a Test with outhaving to provide TrustStore...?  Jmeter accepts self signed certs without having to provide TrustStore.!

Am I miisng any thing in my configuration..?

acceptAnyCertificate = true

httpsEnabledProtocols = "TLSv1.2"

    ssl {

      trustStore {

        #type = ""      # Type of SSLContext's TrustManagers store

        #file = ""      # Location of SSLContext's TrustManagers store

        #password = ""  # Password for SSLContext's TrustManagers store

        #algorithm = "" # Algorithm used by SSLContext's TrustManagers store

      }

      keyStore {

        type = "JKS"      # Type of SSLContext's KeyManagers store

        file = "C:/Vividh/keys/lp3_ret.jks"      # Location of SSLContext's KeyManagers store

        password = "synth"  # Password for SSLContext's KeyManagers store

        #algorithm = "" # Algorithm used SSLContext's KeyManagers store

      }

    }

[Stéphane LANDELLE]

Is your certificate self-signed, or signed with a private CA?

Are you sure your issue is not that your server doesn't properly implement SNI, so you should disable it?

Stéphane Landelle

Lead developer

slan...@gatling.io

--
You received this message because you are subscribed to the Google Groups "Gatling User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to gatling+u...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Vividh S V]

Certificate is Self-Signed.

Don't get me wrong here, when it works with Jmeter the SNI should be implement correctly right..?

[Stéphane LANDELLE]

I just ran this test, that targets a self signed certificate, both with 2.1.4 and current master:

val httpProtocol = http

  .baseURL("https://support.excilys.com")

  .acceptCharsetHeader("ISO-8859-1,utf-8;q=0.7,*;q=0.7")

  .acceptHeader("text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8")

  .acceptLanguageHeader("fr,fr")

  .userAgentHeader("Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1")

val selfSigned = scenario("selfSigned")

  .exec(http("selfSigned").get("/"))

setUp(selfSigned.inject(atOnceUsers(1))).protocols(httpProtocol)

Everything is fine.

THEN, if I turn acceptAnyCertificate to false in gatling.conf, I indeed get errors.

Regarding JMeter, I can't tell. They could be disabling SNI by default.

Stéphane Landelle

Lead developer

slan...@gatling.io

[Vividh S V]

OK, after digging around in the Jmeter configurations I found -Djsse.enableSNIExtension=false was set during the startup.

Can I disable SNIExtension in Gatling by set the above flag using Intellij Maven plug in.

[Stéphane LANDELLE]

OK, after digging around in the Jmeter configurations I found -Djsse.enableSNIExtension=false was set during the startup.

As expected.

We've been considering disabling SNI by default: https://github.com/gatling/gatling/issues/2551

But the feedback from the community we had so far was that the information that the SNI set up wasn't correct was interesting.

Can I disable SNIExtension in Gatling by set the above flag using Intellij Maven plug in.

Of course. In the Maven.Runner section.

[Santhosh GS]

@Vividh were able to get around this problem by disabling SNI?  

@Stephane I disabled the SNI by passing ( -Djsse.enableSNIExtension=false ) as system property. It did not work. I get this error

Wrapped by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) ~[na:1.8.0_65]

at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) ~[na:1.8.0_65]