Some web servers/reverse proxies require the client to announce which hostname it wants to connect to. It's done via the Server Name Indication TLS extension. This allows sharing the same public IP between multiple hostnames. locust.io, for example, uses Cloudflare, which requires SNI in this setup.
Unlike HttpUser, FastHttpUser doesn't send the SNI extension, making all TLS connections to SNI-requiring servers fail.
Users are warned that FastHttpUser doesn't necessarily implement the same feature set as HttpUser, but geventhttpclient, used by FastHttpUser, does support SNI in the included version.
The FastHttpUser client sends the SNI extension as host, and the TLS connection succeeds.
The following error is obtained on every TLS connection:
```
SSLError(1, '[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1108)')
```
It can be confirmed by capturing the TLS Client Hello network packet.
locustfile.py:
```
from locust import task, between
from locust.contrib.fasthttp import FastHttpUser


class ApiUser(FastHttpUser):
    wait_time = between(1.0, 8.0)

    @task(1)
    def index(self):
        self.client.get("/")
```
Execute
```
% locust -H 'https://locust.io' --headless
```
Does it work if you set ApiUser.insecure = False?
No it does not, same error with this code (and verified with packet capture)
```
from locust import task, between
from locust.contrib.fasthttp import FastHttpUser


class ApiUser(FastHttpUser):
    wait_time = between(1.0, 8.0)
    insecure = False

    @task(1)
    def index(self):
        self.client.get("/")
```
geventhttpclient is supposed to have SNI support (https://github.com/gwik/geventhttpclient/pull/109) but I can confirm that I can reproduce this bug.
Would definitely be interested in a fix.
Even though SNI support is supposed to work in geventhttpclient, it appears to be broken. This code causes the same exception:
```
from geventhttpclient.useragent import UserAgent

ua = UserAgent()
response = ua.urlopen('https://locust.io')
print("response:", response)
```
Found the same issue today, resolved this locally by changing the ssl_options to ssl_context_factory (the combination doesn't seem to be allowed) in 'locust/contrib/fasthttp.py'
```
self.client = LocustUserAgent(
    cookiejar=self.cookiejar,
    ssl_context_factory=gevent.ssl.create_default_context,
    **kwargs
)
```
Only this way does it seem to trigger setting the server_hostname, see
```
if ssl_context_factory is not None:
    requested_hostname = headers.get('host', self.host)
    ssl_options.setdefault('server_hostname', requested_hostname)
```
from https://github.com/gwik/geventhttpclient/blob/master/src/geventhttpclient/client.py#L97
The ssl_options was added because of Let's Encrypt certificates, I'm not sure if this is broken again.
Hope this helps, I'm not sure what the right fix is (started with locust today)......
@tljdebrouwer Thanks for debugging! I've pushed a fix (0f6f2170331a10f6e0427e947bf91aab6a797b91) which I believe solves it.
Thanks. Fix looking good!
On 4 May 2020 at 22:02, Jonatan Heyman notifications@github.com wrote:
> @tljdebrouwer Thanks for debugging! I've pushed a fix which I believe solves it.