victor gallet

Reputation: 1898

How to disable SSL hostname verification with Gatling and SSL two way

I'm trying to create a Gatling test with two-way SSL but I'm not able to disable hostname verification. I'm using Gatling 2.3. Here's my Gatling configuration:

ssl {
  keyStore {
    type = "JKS"
    file = "keystore.jks"
    password = "changeit"
    #algorithm = ""
  }
  trustStore {
    type = "JKS"
    file = "truststore.jks"
    password = "changeit"
    #algorithm = ""
  }
}
ahc {
  acceptAnyCertificate = true
  ....
}

I have also added these system properties at the beginning of my app:

System.setProperty("jdk.tls.allowUnsafeServerCertChange", "true")
System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", "true")

I can see that my keystore and truststore are correctly used but I keep having this issue:

java.security.cert.CertificateException: No subject alternative DNS name matching <my_dns> found.
at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:204)
at sun.security.util.HostnameChecker.match(HostnameChecker.java:95)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1493)
... 28 common frames omitted

Upvotes: 2

Views: 8931
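The exception in the question is raised when no dNSName entry in the server certificate's subjectAltName matches the host being contacted. The following added example (not part of the original question, and not Gatling code) lists the dNSName entries of each certificate in a JKS store and reports whether a given host name matches. The class name `SanCheck` is hypothetical, the wildcard check is a simplification of the JDK's own `HostnameChecker`, and it assumes the server's certificate itself was imported into the store (for example a self-signed one in `truststore.jks`).

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Locale;

public class SanCheck {  // hypothetical helper, not part of Gatling
    private static final int DNS_NAME = 2; // GeneralName tag for dNSName (RFC 5280)

    // Collect the dNSName entries of a certificate's subjectAltName extension.
    static List<String> dnsNames(X509Certificate cert) throws Exception {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null when absent
        if (sans == null) return names;
        for (List<?> entry : sans) {
            if (((Integer) entry.get(0)) == DNS_NAME) names.add((String) entry.get(1));
        }
        return names;
    }

    // Simplified match: exact name, or "*." covering exactly one left-most label.
    static boolean matches(String host, String pattern) {
        String h = host.toLowerCase(Locale.ROOT);
        String p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) return h.equals(p);
        int dot = h.indexOf('.');
        return dot > 0 && h.substring(dot + 1).equals(p.substring(2));
    }

    public static void main(String[] args) throws Exception {
        // Usage: java SanCheck <store.jks> <store-password> <hostname>
        String path = args[0], host = args[2];
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, args[1].toCharArray());
        }
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            List<String> names = dnsNames((X509Certificate) c);
            boolean ok = names.stream().anyMatch(n -> matches(host, n));
            System.out.printf("%s: dNSName=%s -> %s%n", alias, names, ok ? "match" : "NO MATCH");
        }
    }
}
```

A `NO MATCH` result for the server's certificate means it can be reissued with the correct SAN entry, which keeps hostname verification enabled for the test.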

Answers (2)

dhd

Reputation: 48

If someone is still looking for a solution: this feature has been implemented in v3.0 of Gatling.

The relevant configuration parameters are:

ahc {
    enableSni = true                                    # When set to true, enable Server Name indication (SNI)
    enableHostnameVerification = false                  # When set to true, enable hostname verification: SSLEngine.setHttpsEndpointIdentificationAlgorithm("HTTPS")
}

Upvotes: 1

Eugène Adell

Reputation: 3174

From the Gatling SSL documentation, you could try disabling SNI (-Djsse.enableSNIExtension=false). However, if you really need SNI (SSL virtual hosting), you don't want to do that, and you need to code your own HostnameVerifier, although I have no idea how you can include that in Gatling.

Upvotes: 1
