FW: BUG :: Grinder 3.2b // SSLSocketFactory

Serra, Guido, VF-Group wrote:
> If the server requires to present an SSL certificate as credentials and ... The server certificate is signed with a CA which is not in the SUN default TrustStore, u need to override the SSLSocketFactory or provide a keyStore and a trustStore from the jvm command line
>  

Or you could just trust everything, which is what The Grinder does.
Refer to the URL I quote below for details.

- Phil

> The method to override this, implemented in the HTTPConnection class, doesn't seem to work properly. It relies on the default values
>
> Regards,
> G.
>
>
> www.vodafone.com
>
>
> Vodafone Group Services GmbH
> Mannesmannufer 2 ∙ D-40213 Düsseldorf
> Amtsgericht Düsseldorf, HRB 53554
> Geschäftsführung: Dr. Joachim Peters, Rainer Wallek
>
>
>
> This message and any files or documents attached are confidential and may also be legally privileged or protected by other legal rules. It is intended only for the individual or entity named. If you are not the named addressee or you have received this email in error, please inform the sender immediately, delete it from your system and do not copy or disclose it or its contents or use it for any purpose. Thank you. Please also note that transmission cannot be guaranteed to be secure or error-free.
>
> ----- Original Message -----
> From: Philip Aston <philip.aston@...>
> To: grinder-use <grinder-use@...>
> Sent: Mon Nov 09 20:44:51 2009
> Subject: Re: [Grinder-use] FW: BUG :: Grinder 3.2b // SSLSocketFactory
>
> What is the reason you need a custom SSLSocketFactory?
>
> By default, the grinder does not validate any certificates, it trusts
> everything. See http://grinder.sourceforge.net/g3/ssl-support.html
>
> - Phil
>
> Guido Serra wrote:
>  
>> Hi All,
>> Should I open an official bug, or ... Can u have a look at ur code,
>> please?
>>
>> Regards,
>> G.
>>
>> +++++++++++++++++++++++++++++++++++++++
>>
>> Hi All,
>> There’s a bug in grinder (the grinder.sf.net) source code.
>>
>> XXXXX implemented a very nice feature to manage certificates, but it
>> doesn’t work due to the way grinder manages internally the
>> SSLSocketFactory. The code from the framework tries to override that
>> class instance.
>>
>> Internally grinder doesn’t keep the sslFactory overridden by our
>> framework.
>>
>> See lines 596,597 of file src/HTTPClient/HTTPConnection.java :
>>
>>    final SSLSocket socket = (SSLSocket)defaultSSLFactory.createSocket();
>>     sslProtocols = socket.getSupportedProtocols();
>>
>> And line 3099:
>>   
>>    sock = sslFactory.createSocket(sock, Host, Port, true);
>>
>> What scares me is this loop/comment in grinder.sf.net source code...
>>
>>  int try_count = 3;
>>   /* what a hack! This is to handle the case where the server closes
>>    * the connection but we don't realize it until we try to send
>>    * something. The problem is that we only get IOException, but
>>    * we need a finer specification (i.e. whether it's an EPIPE or
>>    * something else); I don't trust relying on the message part
>>    * of IOException (which on SunOS/Solaris gives 'Broken pipe',
>>    * but what on Windoze/Mac?).
>>    */
>>
>>   while (try_count-- > 0)
>>   {
>>       try
>>       {
>>     // get a client socket
>>
>>
>> I commented out the line were we override the SSLContext from jython code.
>> And set the certificates I trust at JVM level... I had to specify
>> directly the server certificate as trustStore.
>>
>> -Djavax.net.ssl.trustStore=env/_certificates/*dgig.jks* \
>>  -Djavax.net.ssl.trustStorePassword=vod@fone \
>>  -Djavax.net.ssl.keyStorePassword=importkey \
>>  -Djavax.net.ssl.keyStore=env/_certificates/10000000001189cc2bbbe_client2.jks
>> \
>>
>> With the DEVVodafone CA, it didn’t worked.
>>
>> NOTE! How I noticed the sslContext overwritten?
>>
>> >From the httpclient.log ... The first POST worked... While other 3
>> POST failed.
>>
>> The createSocket() function is instantiated 4 times in the
>> HTTPConnection.java ... 3 times in the loop above, and once by the
>> (SSLSocket)defaultSSLFactory .... (see enclosed file)
>>
>> I committed my mods... On trunk/ , do not trust them till XXXXX
>> reviews the code, please.
>>
>> Authentication realm: <http://85.205.240.168:8080> Subversion Repository
>> Password for 'guido.serra':
>> Adding  (bin)  env/_certificates/10000000001189cc2bbbe_client2.jks
>> Adding  (bin)  env/_certificates/DEV_TLServer_2048CAcert.truststore.jks
>> Adding  (bin)  env/_certificates/dgig.jks
>> Sending        src/com/vodafone/qa/common/httpclient.py
>> Sending        src/test.py
>>
>> Regards,
>> G.
>>
>> ------------------------------------------------------------------------
>>
>> ------------------------------------------------------------------------------
>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
>> trial. Simplify your report design, integration and deployment - and focus on
>> what you do best, core application coding. Discover what's new with
>> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> grinder-use mailing list
>> grinder-use@...
>> https://lists.sourceforge.net/lists/listinfo/grinder-use
>>  
>>    
>
>
>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> grinder-use mailing list
> grinder-use@...
> https://lists.sourceforge.net/lists/listinfo/grinder-use
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> grinder-use mailing list
> grinder-use@...
> https://lists.sourceforge.net/lists/listinfo/grinder-use
>  


------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
grinder-use mailing list
grinder-use@...
https://lists.sourceforge.net/lists/listinfo/grinder-use

Hi Phil,
With the current set of API it is not possible to override the trustStore.

We are creating internally a patch, would u like to integrate it? Should we do it?

Regards,
G.


Am 11/9/09 10:38 PM schrieb "Philip Aston" unter <philip.aston@...>:

Serra, Guido, VF-Group wrote:
> If the server requires to present an SSL certificate as credentials and ... The server certificate is signed with a CA which is not in the SUN default TrustStore, u need to override the SSLSocketFactory or provide a keyStore and a trustStore from the jvm command line
>  

Or you could just trust everything, which is what The Grinder does.
Refer to the URL I quote below for details.

- Phil

> The method to override this, implemented in the HTTPConnection class, doesn't seem to work properly. It relies on the default values
>
> Regards,
> G.
>
>
> www.vodafone.com
>
>
> Vodafone Group Services GmbH
> Mannesmannufer 2 ∙ D-40213 Düsseldorf
> Amtsgericht Düsseldorf, HRB 53554
> Geschäftsführung: Dr. Joachim Peters, Rainer Wallek
>
>
>
> This message and any files or documents attached are confidential and may also be legally privileged or protected by other legal rules. It is intended only for the individual or entity named. If you are not the named addressee or you have received this email in error, please inform the sender immediately, delete it from your system and do not copy or disclose it or its contents or use it for any purpose. Thank you. Please also note that transmission cannot be guaranteed to be secure or error-free.
>
> ----- Original Message -----
> From: Philip Aston <philip.aston@...>
> To: grinder-use <grinder-use@...>
> Sent: Mon Nov 09 20:44:51 2009
> Subject: Re: [Grinder-use] FW: BUG :: Grinder 3.2b // SSLSocketFactory
>
> What is the reason you need a custom SSLSocketFactory?
>
> By default, the grinder does not validate any certificates, it trusts
> everything. See http://grinder.sourceforge.net/g3/ssl-support.html
>
> - Phil
>
> Guido Serra wrote:
>  
>> Hi All,
>> Should I open an official bug, or ... Can u have a look at ur code,
>> please?
>>
>> Regards,
>> G.
>>
>> +++++++++++++++++++++++++++++++++++++++
>>
>> Hi All,
>> There’s a bug in grinder (the grinder.sf.net) source code.
>>
>> XXXXX implemented a very nice feature to manage certificates, but it
>> doesn’t work due to the way grinder manages internally the
>> SSLSocketFactory. The code from the framework tries to override that
>> class instance.
>>
>> Internally grinder doesn’t keep the sslFactory overridden by our
>> framework.
>>
>> See lines 596,597 of file src/HTTPClient/HTTPConnection.java :
>>
>>    final SSLSocket socket = (SSLSocket)defaultSSLFactory.createSocket();
>>     sslProtocols = socket.getSupportedProtocols();
>>
>> And line 3099:
>>   
>>    sock = sslFactory.createSocket(sock, Host, Port, true);
>>
>> What scares me is this loop/comment in grinder.sf.net source code...
>>
>>  int try_count = 3;
>>   /* what a hack! This is to handle the case where the server closes
>>    * the connection but we don't realize it until we try to send
>>    * something. The problem is that we only get IOException, but
>>    * we need a finer specification (i.e. whether it's an EPIPE or
>>    * something else); I don't trust relying on the message part
>>    * of IOException (which on SunOS/Solaris gives 'Broken pipe',
>>    * but what on Windoze/Mac?).
>>    */
>>
>>   while (try_count-- > 0)
>>   {
>>       try
>>       {
>>     // get a client socket
>>
>>
>> I commented out the line were we override the SSLContext from jython code.
>> And set the certificates I trust at JVM level... I had to specify
>> directly the server certificate as trustStore.
>>
>> -Djavax.net.ssl.trustStore=env/_certificates/*dgig.jks* \
>>  -Djavax.net.ssl.trustStorePassword=vod@fone \
>>  -Djavax.net.ssl.keyStorePassword=importkey \
>>  -Djavax.net.ssl.keyStore=env/_certificates/10000000001189cc2bbbe_client2.jks
>> \
>>
>> With the DEVVodafone CA, it didn’t worked.
>>
>> NOTE! How I noticed the sslContext overwritten?
>>
>> >From the httpclient.log ... The first POST worked... While other 3
>> POST failed.
>>
>> The createSocket() function is instantiated 4 times in the
>> HTTPConnection.java ... 3 times in the loop above, and once by the
>> (SSLSocket)defaultSSLFactory .... (see enclosed file)
>>
>> I committed my mods... On trunk/ , do not trust them till XXXXX
>> reviews the code, please.
>>
>> Authentication realm: <http://85.205.240.168:8080> Subversion Repository
>> Password for 'guido.serra':
>> Adding  (bin)  env/_certificates/10000000001189cc2bbbe_client2.jks
>> Adding  (bin)  env/_certificates/DEV_TLServer_2048CAcert.truststore.jks
>> Adding  (bin)  env/_certificates/dgig.jks
>> Sending        src/com/vodafone/qa/common/httpclient.py
>> Sending        src/test.py
>>
>> Regards,
>> G.
>>
>> ------------------------------------------------------------------------
>>
>> ------------------------------------------------------------------------------
>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
>> trial. Simplify your report design, integration and deployment - and focus on
>> what you do best, core application coding. Discover what's new with
>> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> grinder-use mailing list
>> grinder-use@...
>> https://lists.sourceforge.net/lists/listinfo/grinder-use
>>  
>>    
>
>

The current implementation will not reject any connections on the basis of trust. There is no requirement to provide trust certificates.

Can you explain why you need to do so?

- Phil

Guido Serra wrote:

Re: [Grinder-use] FW: BUG :: Grinder 3.2b // SSLSocketFactory Hi Phil,
With the current set of API it is not possible to override the trustStore.
 
We are creating internally a patch, would u like to integrate it? Should we do it?
 
Regards,
G.
 
 
Am 11/9/09 10:38 PM schrieb "Philip Aston" unter <philip.aston@...>:
 
  

Serra, Guido, VF-Group wrote:
> If the server requires to present an SSL certificate as credentials and ... The server certificate is signed with a CA which is not in the SUN default TrustStore, u need to override the SSLSocketFactory or provide a keyStore and a trustStore from the jvm command line
>  
 
Or you could just trust everything, which is what The Grinder does.
Refer to the URL I quote below for details.
 
- Phil
 
> The method to override this, implemented in the HTTPConnection class, doesn't seem to work properly. It relies on the default values
>
> Regards,
> G.
>
>
> www.vodafone.com <http://www.vodafone.com>
>
>
> Vodafone Group Services GmbH
> Mannesmannufer 2 ∙ D-40213 Düsseldorf
> Amtsgericht Düsseldorf, HRB 53554
> Geschäftsführung: Dr. Joachim Peters, Rainer Wallek
>
>
>
> This message and any files or documents attached are confidential and may also be legally privileged or protected by other legal rules. It is intended only for the individual or entity named. If you are not the named addressee or you have received this email in error, please inform the sender immediately, delete it from your system and do not copy or disclose it or its contents or use it for any purpose. Thank you. Please also note that transmission cannot be guaranteed to be secure or error-free.
>
> ----- Original Message -----
> From: Philip Aston <philip.aston@...>
> To: grinder-use <grinder-use@...>
> Sent: Mon Nov 09 20:44:51 2009
> Subject: Re: [Grinder-use] FW: BUG :: Grinder 3.2b // SSLSocketFactory
>
> What is the reason you need a custom SSLSocketFactory?
>
> By default, the grinder does not validate any certificates, it trusts
> everything. See http://grinder.sourceforge.net/g3/ssl-support.html
>
> - Phil
>
> Guido Serra wrote:
>  
>> Hi All,
>> Should I open an official bug, or ... Can u have a look at ur code,
>> please?
>>
>> Regards,
>> G.
>>
>> +++++++++++++++++++++++++++++++++++++++
>>
>> Hi All,
>> There’s a bug in grinder (the grinder.sf.net) source code.
>>
>> XXXXX implemented a very nice feature to manage certificates, but it
>> doesn’t work due to the way grinder manages internally the
>> SSLSocketFactory. The code from the framework tries to override that
>> class instance.
>>
>> Internally grinder doesn’t keep the sslFactory overridden by our
>> framework.
>>
>> See lines 596,597 of file src/HTTPClient/HTTPConnection.java :
>>
>>    final SSLSocket socket = (SSLSocket)defaultSSLFactory.createSocket();
>>     sslProtocols = socket.getSupportedProtocols();
>>
>> And line 3099:
>>   
>>    sock = sslFactory.createSocket(sock, Host, Port, true);
>>
>> What scares me is this loop/comment in grinder.sf.net source code...
>>
>>  int try_count = 3;
>>   /* what a hack! This is to handle the case where the server closes
>>    * the connection but we don't realize it until we try to send
>>    * something. The problem is that we only get IOException, but
>>    * we need a finer specification (i.e. whether it's an EPIPE or
>>    * something else); I don't trust relying on the message part
>>    * of IOException (which on SunOS/Solaris gives 'Broken pipe',
>>    * but what on Windoze/Mac?).
>>    */
>>
>>   while (try_count-- > 0)
>>   {
>>       try
>>       {
>>     // get a client socket
>>
>>
>> I commented out the line were we override the SSLContext from jython code.
>> And set the certificates I trust at JVM level... I had to specify
>> directly the server certificate as trustStore.
>>
>> -Djavax.net.ssl.trustStore=env/_certificates/*dgig.jks* \
>>  -Djavax.net.ssl.trustStorePassword=vod@fone \
>>  -Djavax.net.ssl.keyStorePassword=importkey \
>>  -Djavax.net.ssl.keyStore=env/_certificates/10000000001189cc2bbbe_client2.jks
>> \
>>
>> With the DEVVodafone CA, it didn’t worked.
>>
>> NOTE! How I noticed the sslContext overwritten?
>>
>> >From the httpclient.log ... The first POST worked... While other 3
>> POST failed.
>>
>> The createSocket() function is instantiated 4 times in the
>> HTTPConnection.java ... 3 times in the loop above, and once by the
>> (SSLSocket)defaultSSLFactory .... (see enclosed file)
>>
>> I committed my mods... On trunk/ , do not trust them till XXXXX
>> reviews the code, please.
>>
>> Authentication realm: <http://85.205.240.168:8080> Subversion Repository
>> Password for 'guido.serra':
>> Adding  (bin)  env/_certificates/10000000001189cc2bbbe_client2.jks
>> Adding  (bin)  env/_certificates/DEV_TLServer_2048CAcert.truststore.jks
>> Adding  (bin)  env/_certificates/dgig.jks
>> Sending        src/com/vodafone/qa/common/httpclient.py
>> Sending        src/test.py
>>
>> Regards,
>> G.
>>
>> ------------------------------------------------------------------------
>>
>> ------------------------------------------------------------------------------
>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
>> trial. Simplify your report design, integration and deployment - and focus on
>> what you do best, core application coding. Discover what's new with
>> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> grinder-use mailing list
>> grinder-use@...
>> https://lists.sourceforge.net/lists/listinfo/grinder-use
>>  
>>    
>
>
 

---

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now.  http://p.sf.net/sfu/bobj-july

---

_______________________________________________
grinder-use mailing list
grinder-use@...
https://lists.sourceforge.net/lists/listinfo/grinder-use

Hi Phil,
If ur target is using a certificate which is “home signed”, u need to import his CA.
Java mechanism to do this is the trustStore. We need to be able to override it.

Regards,
G.


Am 11/26/09 11:05 AM schrieb "Philip Aston" unter <philip.aston@...>:

The current implementation will not reject any connections on the basis of trust. There is no requirement to provide trust certificates.

Can you explain why you need to do so?

- Phil

Guido Serra wrote:

Re: [Grinder-use] FW: BUG :: Grinder 3.2b // SSLSocketFactory Hi Phil,
With the current set of API it is not possible to override the trustStore.
 
We are creating internally a patch, would u like to integrate it? Should we do it?
 
Regards,
G.
 
 
Am 11/9/09 10:38 PM schrieb "Philip Aston" unter <philip.aston@...>:
 
  

Serra, Guido, VF-Group wrote:
> If the server requires to present an SSL certificate as credentials and ... The server certificate is signed with a CA which is not in the SUN default TrustStore, u need to override the SSLSocketFactory or provide a keyStore and a trustStore from the jvm command line
>  
 
Or you could just trust everything, which is what The Grinder does.
Refer to the URL I quote below for details.
 
- Phil
 
> The method to override this, implemented in the HTTPConnection class, doesn't seem to work properly. It relies on the default values
>
> Regards,
> G.
>
>
> www.vodafone.com <http://www.vodafone.com>
>
>
> Vodafone Group Services GmbH
> Mannesmannufer 2 ∙ D-40213 Düsseldorf
> Amtsgericht Düsseldorf, HRB 53554
> Geschäftsführung: Dr. Joachim Peters, Rainer Wallek
>
>
>
> This message and any files or documents attached are confidential and may also be legally privileged or protected by other legal rules. It is intended only for the individual or entity named. If you are not the named addressee or you have received this email in error, please inform the sender immediately, delete it from your system and do not copy or disclose it or its contents or use it for any purpose. Thank you. Please also note that transmission cannot be guaranteed to be secure or error-free.
>
> ----- Original Message -----
> From: Philip Aston <philip.aston@...>
> To: grinder-use <grinder-use@...>
> Sent: Mon Nov 09 20:44:51 2009
> Subject: Re: [Grinder-use] FW: BUG :: Grinder 3.2b // SSLSocketFactory
>
> What is the reason you need a custom SSLSocketFactory?
>
> By default, the grinder does not validate any certificates, it trusts
> everything. See http://grinder.sourceforge.net/g3/ssl-support.html
>
> - Phil
>
> Guido Serra wrote:
>  
>> Hi All,
>> Should I open an official bug, or ... Can u have a look at ur code,
>> please?
>>
>> Regards,
>> G.
>>
>> +++++++++++++++++++++++++++++++++++++++
>>
>> Hi All,
>> There’s a bug in grinder (the grinder.sf.net) source code.
>>
>> XXXXX implemented a very nice feature to manage certificates, but it
>> doesn’t work due to the way grinder manages internally the
>> SSLSocketFactory. The code from the framework tries to override that
>> class instance.
>>
>> Internally grinder doesn’t keep the sslFactory overridden by our
>> framework.
>>
>> See lines 596,597 of file src/HTTPClient/HTTPConnection.java :
>>
>>    final SSLSocket socket = (SSLSocket)defaultSSLFactory.createSocket();
>>     sslProtocols = socket.getSupportedProtocols();
>>
>> And line 3099:
>>   
>>    sock = sslFactory.createSocket(sock, Host, Port, true);
>>
>> What scares me is this loop/comment in grinder.sf.net source code...
>>
>>  int try_count = 3;
>>   /* what a hack! This is to handle the case where the server closes
>>    * the connection but we don't realize it until we try to send
>>    * something. The problem is that we only get IOException, but
>>    * we need a finer specification (i.e. whether it's an EPIPE or
>>    * something else); I don't trust relying on the message part
>>    * of IOException (which on SunOS/Solaris gives 'Broken pipe',
>>    * but what on Windoze/Mac?).
>>    */
>>
>>   while (try_count-- > 0)
>>   {
>>       try
>>       {
>>     // get a client socket
>>
>>
>> I commented out the line were we override the SSLContext from jython code.
>> And set the certificates I trust at JVM level... I had to specify
>> directly the server certificate as trustStore.
>>
>> -Djavax.net.ssl.trustStore=env/_certificates/*dgig.jks* \
>>  -Djavax.net.ssl.trustStorePassword=vod@fone \
>>  -Djavax.net.ssl.keyStorePassword=importkey \
>>  -Djavax.net.ssl.keyStore=env/_certificates/10000000001189cc2bbbe_client2.jks
>> \
>>
>> With the DEVVodafone CA, it didn’t worked.
>>
>> NOTE! How I noticed the sslContext overwritten?
>>
>> >From the httpclient.log ... The first POST worked... While other 3
>> POST failed.
>>
>> The createSocket() function is instantiated 4 times in the
>> HTTPConnection.java ... 3 times in the loop above, and once by the
>> (SSLSocket)defaultSSLFactory .... (see enclosed file)
>>
>> I committed my mods... On trunk/ , do not trust them till XXXXX
>> reviews the code, please.
>>
>> Authentication realm: <http://85.205.240.168:8080> Subversion Repository
>> Password for 'guido.serra':
>> Adding  (bin)  env/_certificates/10000000001189cc2bbbe_client2.jks
>> Adding  (bin)  env/_certificates/DEV_TLServer_2048CAcert.truststore.jks
>> Adding  (bin)  env/_certificates/dgig.jks
>> Sending        src/com/vodafone/qa/common/httpclient.py
>> Sending        src/test.py
>>
>> Regards,
>> G.
>>
>> ------------------------------------------------------------------------
>>
>> ------------------------------------------------------------------------------
>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
>> trial. Simplify your report design, integration and deployment - and focus on
>> what you do best, core application coding. Discover what's new with
>> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> grinder-use mailing list
>> grinder-use@...
>> https://lists.sourceforge.net/lists/listinfo/grinder-use
>>  
>>    
>

You do not need to do this. The Grinder will automatically trust your server's certificate.

- Phil

Guido Serra wrote:

Re: [Grinder-use] FW: BUG :: Grinder 3.2b // SSLSocketFactory Hi Phil,
If ur target is using a certificate which is “home signed”, u need to import his CA.
Java mechanism to do this is the trustStore. We need to be able to override it.
 
Regards,
G.
 
 
Am 11/26/09 11:05 AM schrieb "Philip Aston" unter <philip.aston@...>:
 
  

The current implementation will not reject any connections on the basis of trust. There is no requirement to provide trust certificates.
 
Can you explain why you need to do so?
 
- Phil
 
Guido Serra wrote:
  

Re: [Grinder-use] FW: BUG :: Grinder 3.2b // SSLSocketFactory Hi Phil,
With the current set of API it is not possible to override the trustStore.
 
We are creating internally a patch, would u like to integrate it? Should we do it?
 
Regards,
G.
 
 
Am 11/9/09 10:38 PM schrieb "Philip Aston" unter <philip.aston@...>:
 
  
  

Serra, Guido, VF-Group wrote:
> If the server requires to present an SSL certificate as credentials and ... The server certificate is signed with a CA which is not in the SUN default TrustStore, u need to override the SSLSocketFactory or provide a keyStore and a trustStore from the jvm command line
>  
 
Or you could just trust everything, which is what The Grinder does.
Refer to the URL I quote below for details.
 
- Phil
 
> The method to override this, implemented in the HTTPConnection class, doesn't seem to work properly. It relies on the default values
>
> Regards,
> G.
>
>
> www.vodafone.com <http://www.vodafone.com>  <http://www.vodafone.com>
>
>
> Vodafone Group Services GmbH
> Mannesmannufer 2 ∙ D-40213 Düsseldorf
> Amtsgericht Düsseldorf, HRB 53554
> Geschäftsführung: Dr. Joachim Peters, Rainer Wallek
>
>
>
> This message and any files or documents attached are confidential and may also be legally privileged or protected by other legal rules. It is intended only for the individual or entity named. If you are not the named addressee or you have received this email in error, please inform the sender immediately, delete it from your system and do not copy or disclose it or its contents or use it for any purpose. Thank you. Please also note that transmission cannot be guaranteed to be secure or error-free.
>
> ----- Original Message -----
> From: Philip Aston <philip.aston@...>
> To: grinder-use <grinder-use@...>
> Sent: Mon Nov 09 20:44:51 2009
> Subject: Re: [Grinder-use] FW: BUG :: Grinder 3.2b // SSLSocketFactory
>
> What is the reason you need a custom SSLSocketFactory?
>
> By default, the grinder does not validate any certificates, it trusts
> everything. See http://grinder.sourceforge.net/g3/ssl-support.html
>
> - Phil
>
> Guido Serra wrote:
>  
>> Hi All,
>> Should I open an official bug, or ... Can u have a look at ur code,
>> please?
>>
>> Regards,
>> G.
>>
>> +++++++++++++++++++++++++++++++++++++++
>>
>> Hi All,
>> There’s a bug in grinder (the grinder.sf.net) source code.
>>
>> XXXXX implemented a very nice feature to manage certificates, but it
>> doesn’t work due to the way grinder manages internally the
>> SSLSocketFactory. The code from the framework tries to override that
>> class instance.
>>
>> Internally grinder doesn’t keep the sslFactory overridden by our
>> framework.
>>
>> See lines 596,597 of file src/HTTPClient/HTTPConnection.java :
>>
>>    final SSLSocket socket = (SSLSocket)defaultSSLFactory.createSocket();
>>     sslProtocols = socket.getSupportedProtocols();
>>
>> And line 3099:
>>   
>>    sock = sslFactory.createSocket(sock, Host, Port, true);
>>
>> What scares me is this loop/comment in grinder.sf.net source code...
>>
>>  int try_count = 3;
>>   /* what a hack! This is to handle the case where the server closes
>>    * the connection but we don't realize it until we try to send
>>    * something. The problem is that we only get IOException, but
>>    * we need a finer specification (i.e. whether it's an EPIPE or
>>    * something else); I don't trust relying on the message part
>>    * of IOException (which on SunOS/Solaris gives 'Broken pipe',
>>    * but what on Windoze/Mac?).
>>    */
>>
>>   while (try_count-- > 0)
>>   {
>>       try
>>       {
>>     // get a client socket
>>
>>
>> I commented out the line were we override the SSLContext from jython code.
>> And set the certificates I trust at JVM level... I had to specify
>> directly the server certificate as trustStore.
>>
>> -Djavax.net.ssl.trustStore=env/_certificates/*dgig.jks* \
>>  -Djavax.net.ssl.trustStorePassword=vod@fone \
>>  -Djavax.net.ssl.keyStorePassword=importkey \
>>  -Djavax.net.ssl.keyStore=env/_certificates/10000000001189cc2bbbe_client2.jks
>> \
>>
>> With the DEVVodafone CA, it didn’t worked.
>>
>> NOTE! How I noticed the sslContext overwritten?
>>
>> >From the httpclient.log ... The first POST worked... While other 3
>> POST failed.
>>
>> The createSocket() function is instantiated 4 times in the
>> HTTPConnection.java ... 3 times in the loop above, and once by the
>> (SSLSocket)defaultSSLFactory .... (see enclosed file)
>>
>> I committed my mods... On trunk/ , do not trust them till XXXXX
>> reviews the code, please.
>>
>> Authentication realm: <http://85.205.240.168:8080> Subversion Repository
>> Password for 'guido.serra':
>> Adding  (bin)  env/_certificates/10000000001189cc2bbbe_client2.jks
>> Adding  (bin)  env/_certificates/DEV_TLServer_2048CAcert.truststore.jks
>> Adding  (bin)  env/_certificates/dgig.jks
>> Sending        src/com/vodafone/qa/common/httpclient.py
>> Sending        src/test.py
>>
>> Regards,
>> G.
>>
>> ------------------------------------------------------------------------
>>
>> ------------------------------------------------------------------------------
>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
>> trial. Simplify your report design, integration and deployment - and focus on
>> what you do best, core application coding. Discover what's new with
>> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> grinder-use mailing list
>> grinder-use@...
>> https://lists.sourceforge.net/lists/listinfo/grinder-use
>>  
>>    
>

---

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now.  http://p.sf.net/sfu/bobj-july

Hi Phil,
It looks like it does not.

Did u overrided the CA Trust mechanism? That’s the only way u could have achieved that...

Regards,
G.


Am 11/26/09 11:31 AM schrieb "Philip Aston" unter <philip.aston@...>:

You do not need to do this. The Grinder will automatically trust your server's certificate.

- Phil

Guido Serra wrote:

Re: [Grinder-use] FW: BUG :: Grinder 3.2b // SSLSocketFactory Hi Phil,
If ur target is using a certificate which is “home signed”, u need to import his CA.
Java mechanism to do this is the trustStore. We need to be able to override it.
 
Regards,
G.
 
 
Am 11/26/09 11:05 AM schrieb "Philip Aston" unter <philip.aston@...>:
 
  

The current implementation will not reject any connections on the basis of trust. There is no requirement to provide trust certificates.
 
Can you explain why you need to do so?
 
- Phil
 
Guido Serra wrote:
  

Re: [Grinder-use] FW: BUG :: Grinder 3.2b // SSLSocketFactory Hi Phil,
With the current set of API it is not possible to override the trustStore.
 
We are creating internally a patch, would u like to integrate it? Should we do it?
 
Regards,
G.
 
 
Am 11/9/09 10:38 PM schrieb "Philip Aston" unter <philip.aston@...>:
 
  
  

Serra, Guido, VF-Group wrote:
> If the server requires to present an SSL certificate as credentials and ... The server certificate is signed with a CA which is not in the SUN default TrustStore, u need to override the SSLSocketFactory or provide a keyStore and a trustStore from the jvm command line
>  
 
Or you could just trust everything, which is what The Grinder does.
Refer to the URL I quote below for details.
 
- Phil
 
> The method to override this, implemented in the HTTPConnection class, doesn't seem to work properly. It relies on the default values
>
> Regards,
> G.
>
>
> www.vodafone.com <http://www.vodafone.com>  <http://www.vodafone.com>
>
>
> Vodafone Group Services GmbH
> Mannesmannufer 2 ∙ D-40213 Düsseldorf
> Amtsgericht Düsseldorf, HRB 53554
> Geschäftsführung: Dr. Joachim Peters, Rainer Wallek
>
>
>
> This message and any files or documents attached are confidential and may also be legally privileged or protected by other legal rules. It is intended only for the individual or entity named. If you are not the named addressee or you have received this email in error, please inform the sender immediately, delete it from your system and do not copy or disclose it or its contents or use it for any purpose. Thank you. Please also note that transmission cannot be guaranteed to be secure or error-free.
>
> ----- Original Message -----
> From: Philip Aston <philip.aston@...>
> To: grinder-use <grinder-use@...>
> Sent: Mon Nov 09 20:44:51 2009
> Subject: Re: [Grinder-use] FW: BUG :: Grinder 3.2b // SSLSocketFactory
>
> What is the reason you need a custom SSLSocketFactory?
>
> By default, the grinder does not validate any certificates, it trusts
> everything. See http://grinder.sourceforge.net/g3/ssl-support.html
>
> - Phil
>
> Guido Serra wrote:
>  
>> Hi All,
>> Should I open an official bug, or ... Can u have a look at ur code,
>> please?
>>
>> Regards,
>> G.
>>
>> +++++++++++++++++++++++++++++++++++++++
>>
>> Hi All,
>> There’s a bug in grinder (the grinder.sf.net) source code.
>>
>> XXXXX implemented a very nice feature to manage certificates, but it
>> doesn’t work due to the way grinder manages internally the
>> SSLSocketFactory. The code from the framework tries to override that
>> class instance.
>>
>> Internally grinder doesn’t keep the sslFactory overridden by our
>> framework.
>>
>> See lines 596,597 of file src/HTTPClient/HTTPConnection.java :
>>
>>    final SSLSocket socket = (SSLSocket)defaultSSLFactory.createSocket();
>>     sslProtocols = socket.getSupportedProtocols();
>>
>> And line 3099:
>>   
>>    sock = sslFactory.createSocket(sock, Host, Port, true);
>>
>> What scares me is this loop/comment in grinder.sf.net source code...
>>
>>  int try_count = 3;
>>   /* what a hack! This is to handle the case where the server closes
>>    * the connection but we don't realize it until we try to send
>>    * something. The problem is that we only get IOException, but
>>    * we need a finer specification (i.e. whether it's an EPIPE or
>>    * something else); I don't trust relying on the message part
>>    * of IOException (which on SunOS/Solaris gives 'Broken pipe',
>>    * but what on Windoze/Mac?).
>>    */
>>
>>   while (try_count-- > 0)
>>   {
>>       try
>>       {
>>     // get a client socket
>>
>>
>> I commented out the line were we override the SSLContext from jython code.
>> And set the certificates I trust at JVM level... I had to specify
>> directly the server certificate as trustStore.
>>
>> -Djavax.net.ssl.trustStore=env/_certificates/*dgig.jks* \
>>  -Djavax.net.ssl.trustStorePassword=vod@fone \
>>  -Djavax.net.ssl.keyStorePassword=importkey \
>>  -Djavax.net.ssl.keyStore=env/_certificates/10000000001189cc2bbbe_client2.jks
>> \
>>
>> With the DEVVodafone CA, it didn’t worked.
>>
>> NOTE! How I noticed the sslContext overwritten?
>>
>> >From the httpclient.log ... The first POST worked... While other 3
>> POST failed.
>>
>> The createSocket() function is instantiated 4 times in the
>> HTTPConnection.java ... 3 times in the loop above, and once by the
>> (SSLSocket)defaultSSLFactory .... (see enclosed file)
>>
>> I committed my mods... On trunk/ , do not trust them till XXXXX
>> reviews the code, please.
>>
>> Authentication realm: <http://85.205.240.168:8080> Subversion Repository
>> Password for 'guido.serra':
>> Adding  (bin)  env/_certificates/10000000001189cc2bbbe_client2.jks
>> Adding  (bin)  env/_certificates/DEV_TLServer_2048CAcert.truststore.jks
>> Adding  (bin)  env/_certificates/dgig.jks
>> Sending        src/com/vodafone/qa/common/httpclient.py
>> Sending        src/test.py
>>
>> Regards,
>> G.
>>

Yes.

http://grinder.svn.sourceforge.net/viewvc/grinder/trunk/source/src/net/grinder/util/InsecureSSLContextFactory.java?view=markup

Guido Serra wrote:

Re: [Grinder-use] FW: BUG :: Grinder 3.2b // SSLSocketFactory Hi Phil,
It looks like it does not.
 
Did u overrided the CA Trust mechanism? That’s the only way u could have achieved that...
 
Regards,
G.
 
 
Am 11/26/09 11:31 AM schrieb "Philip Aston" unter <philip.aston@...>:
 
  

You do not need to do this. The Grinder will automatically trust your server's certificate.
 
- Phil
 
Guido Serra wrote:
  

Re: [Grinder-use] FW: BUG :: Grinder 3.2b // SSLSocketFactory Hi Phil,
If ur target is using a certificate which is “home signed”, u need to import his CA.
Java mechanism to do this is the trustStore. We need to be able to override it.
 
Regards,
G.
 
 
Am 11/26/09 11:05 AM schrieb "Philip Aston" unter <philip.aston@...>:
 
  
  

The current implementation will not reject any connections on the basis of trust. There is no requirement to provide trust certificates.
 
Can you explain why you need to do so?
 
- Phil
 
Guido Serra wrote:
  
  

Re: [Grinder-use] FW: BUG :: Grinder 3.2b // SSLSocketFactory Hi Phil,
With the current set of API it is not possible to override the trustStore.
 
We are creating internally a patch, would u like to integrate it? Should we do it?
 
Regards,
G.
 
 
Am 11/9/09 10:38 PM schrieb "Philip Aston" unter <philip.aston@...>:
 
  
  
  

Serra, Guido, VF-Group wrote:
> If the server requires to present an SSL certificate as credentials and ... The server certificate is signed with a CA which is not in the SUN default TrustStore, u need to override the SSLSocketFactory or provide a keyStore and a trustStore from the jvm command line
>  
 
Or you could just trust everything, which is what The Grinder does.
Refer to the URL I quote below for details.
 
- Phil
 
> The method to override this, implemented in the HTTPConnection class, doesn't seem to work properly. It relies on the default values
>
> Regards,
> G.
>
>
> www.vodafone.com <http://www.vodafone.com>  <http://www.vodafone.com>  <http://www.vodafone.com>
>
>
> Vodafone Group Services GmbH
> Mannesmannufer 2 ∙ D-40213 Düsseldorf
> Amtsgericht Düsseldorf, HRB 53554
> Geschäftsführung: Dr. Joachim Peters, Rainer Wallek
>
>
>
> This message and any files or documents attached are confidential and may also be legally privileged or protected by other legal rules. It is intended only for the individual or entity named. If you are not the named addressee or you have received this email in error, please inform the sender immediately, delete it from your system and do not copy or disclose it or its contents or use it for any purpose. Thank you. Please also note that transmission cannot be guaranteed to be secure or error-free.
>
> ----- Original Message -----
> From: Philip Aston <philip.aston@...>
> To: grinder-use <grinder-use@...>
> Sent: Mon Nov 09 20:44:51 2009
> Subject: Re: [Grinder-use] FW: BUG :: Grinder 3.2b // SSLSocketFactory
>
> What is the reason you need a custom SSLSocketFactory?
>
> By default, the grinder does not validate any certificates, it trusts
> everything. See http://grinder.sourceforge.net/g3/ssl-support.html
>
> - Phil
>
> Guido Serra wrote:
>  
>> Hi All,
>> Should I open an official bug, or ... Can u have a look at ur code,
>> please?
>>
>> Regards,
>> G.
>>
>> +++++++++++++++++++++++++++++++++++++++
>>
>> Hi All,
>> There’s a bug in grinder (the grinder.sf.net) source code.
>>
>> XXXXX implemented a very nice feature to manage certificates, but it
>> doesn’t work due to the way grinder manages internally the
>> SSLSocketFactory. The code from the framework tries to override that
>> class instance.
>>
>> Internally grinder doesn’t keep the sslFactory overridden by our
>> framework.
>>
>> See lines 596,597 of file src/HTTPClient/HTTPConnection.java :
>>
>>    final SSLSocket socket = (SSLSocket)defaultSSLFactory.createSocket();
>>     sslProtocols = socket.getSupportedProtocols();
>>
>> And line 3099:
>>   
>>    sock = sslFactory.createSocket(sock, Host, Port, true);
>>
>> What scares me is this loop/comment in grinder.sf.net source code...
>>
>>  int try_count = 3;
>>   /* what a hack! This is to handle the case where the server closes
>>    * the connection but we don't realize it until we try to send
>>    * something. The problem is that we only get IOException, but
>>    * we need a finer specification (i.e. whether it's an EPIPE or
>>    * something else); I don't trust relying on the message part
>>    * of IOException (which on SunOS/Solaris gives 'Broken pipe',
>>    * but what on Windoze/Mac?).
>>    */
>>
>>   while (try_count-- > 0)
>>   {
>>       try
>>       {
>>     // get a client socket
>>
>>
>> I commented out the line were we override the SSLContext from jython code.
>> And set the certificates I trust at JVM level... I had to specify
>> directly the server certificate as trustStore.
>>
>> -Djavax.net.ssl.trustStore=env/_certificates/*dgig.jks* \
>>  -Djavax.net.ssl.trustStorePassword=vod@fone \
>>  -Djavax.net.ssl.keyStorePassword=importkey \
>>  -Djavax.net.ssl.keyStore=env/_certificates/10000000001189cc2bbbe_client2.jks
>> \
>>
>> With the DEVVodafone CA, it didn’t worked.
>>
>> NOTE! How I noticed the sslContext overwritten?
>>
>> >From the httpclient.log ... The first POST worked... While other 3
>> POST failed.
>>
>> The createSocket() function is instantiated 4 times in the
>> HTTPConnection.java ... 3 times in the loop above, and once by the
>> (SSLSocket)defaultSSLFactory .... (see enclosed file)
>>
>> I committed my mods... On trunk/ , do not trust them till XXXXX
>> reviews the code, please.
>>
>> Authentication realm: <http://85.205.240.168:8080> Subversion Repository
>> Password for 'guido.serra':
>> Adding  (bin)  env/_certificates/10000000001189cc2bbbe_client2.jks
>> Adding  (bin)  env/_certificates/DEV_TLServer_2048CAcert.truststore.jks
>> Adding  (bin)  env/_certificates/dgig.jks
>> Sending        src/com/vodafone/qa/common/httpclient.py
>> Sending        src/test.py
>>
>> Regards,
>> G.
>>

---

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now.  http://p.sf.net/sfu/bobj-july

---

_______________________________________________
grinder-use mailing list
grinder-use@...
https://lists.sourceforge.net/lists/listinfo/grinder-use