So I have JMeter setup to test my SSL-enabled site (I've got a real certificate from Geotrust, not a self-signed cert) and I've been running into problems when I try testing an SSL connection directly from Tomcat. I get:
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:397)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148)
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:150)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:575)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:425)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:754)
at org.apache.jmeter.protocol.http.sampler.HTTPHC4Impl.sample(HTTPHC4Impl.java:277)
at org.apache.jmeter.protocol.http.sampler.HTTPSamplerProxy.sample(HTTPSamplerProxy.java:62)
at org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.sample(HTTPSamplerBase.java:1060)
at org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.sample(HTTPSamplerBase.java:1049)
at org.apache.jmeter.threads.JMeterThread.process_sampler(JMeterThread.java:442)
at org.apache.jmeter.threads.JMeterThread.run(JMeterThread.java:271)
at java.lang.Thread.run(Thread.java:680)
whenever I try to connect. This is using JMeter 2.7 with the HttpClient4 implementation. It is a simple GET request to one of my services hosted on Tomcat 7 (7.0.27 for anyone interested).
Here is my Tomcat config for my SSL connector. Note that I have APR/native installed and this is running on an Ubuntu 12.04 server up on EC2.
<Connector port="8443" maxHttpHeaderSize="8192"
protocol="HTTP/1.1"
URIEncoding="UTF-8"
acceptorThreadCount="5"
maxThreads="400"
scheme="https"
secure="true"
SSLEnabled="true"
SSLCipherSuite="ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH"
SSLHonorCipherOrder="true"
SSLVerifyClient="optional"
SSLCertificateFile="/etc/tomcat7/ssl/star.example.com.crt"
SSLCertificateKeyFile="/etc/tomcat7/ssl/star.example.com.key"
SSLCertificateChainFile="/etc/tomcat7/ssl/geotrust.crt" />
Again this is just a problem with JMeter. I can hit the site without issue using any browsers, and if I stick Apache in front of Tomcat and use either mod_proxy or mod_jk, I have no issues. Any help would be appreciated.
After your last comment, I managed to reproduce issue with certificate not matching your host AND with the one matching your host.
It seems you are facing a bug in Java 6. Indeed I reproduce issue with JDK6 but not in JDK7 with JMeter 2.7.
To record this I opened bug here:
And here and Oleg gave me the hint about JDK7 :
Analysing further your configuration it might be coming from your custom tomcat7 config:
Maybe you could try a change, but anyway it works with JDK7 so you have your solution.
Thanks very much for proposing this publicly available URL to test issue.
Thanks