javax.net.ssl.SSLHandshakeException: handshake_failure when using JMeter with SSL (JDK8)

Question

I am writing a JMeter test plan to connect to SSL port (Tomcat Connector). I receive a SSLHandshakeException (handshake_failure) when connecting to SSL port using any of the

Answer 1

I was facing the same issue and resolved it based on the inputs given in the above post. My two cents in resolving the issue:

1. Try to hit the URL from chrome and click on lock button and view certificate.
2. Look for the https protocol supported (e.g. TLS v1.2)).
3. Verify from if your java version supports. If not, update java.

4. In jmeter properites file, update the property to

   https.default.protocol=TLSv1.2

5. Restart jmeter.

The above procedure worked for me.

Answer 2

There is a solution that allows JMeter to connect to insecure endpoints (or those that use old or not secured enough protocols):

• Find your JRE;
• Open jre\lib\security\ folder;
• Make a backup copy of java.security file;
• Edit java.security file and comment out all lines that disable insecure algorithms - search for 'disabledAlgorithms' string (don't forget to comment out both lines in multiline settings), they look like:

jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \ DSA keySize < 1024, EC keySize < 224

• save the file and restart JMeter.

Java connections are now allowed to use old protocols, so JMeter can properly work.

REMEMBER it's security!

These settings are global, and will affect all programs that use the same JRE. If you found this fix works and useful for your system, DO create a copy of your JRE, and set a path to it in jmeter.bat. Return your global settings from backed up copy of java.security file.

Answer 3

I was having similiar issue with Jmeter 3.2 and JRE 8 and add below properties in Jmeter JNDI Properties, its working fine for me:

java.naming.security.principal  
java.naming.security.credentials    
com.tibco.tibjms.naming.security_protocol   
com.tibco.tibjms.naming.ssl_enable_verify_host  
com.tibco.tibjms.naming.ssl_trusted_certs   
com.tibco.tibjms.naming.ssl_password    
com.tibco.tibjms.naming.ssl_auth_only   
com.tibco.tibjms.naming.ssl_trace   
com.tibco.tibjms.naming.ssl_debug_trace 
com.tibco.tibjms.naming.ssl_identity

Answer 4

So after some digging, and ideas in the comments, it boils down to the Tomcat configuration. Tomcat Configuration only allowed RC4-SHA, which is insecure and not supported in Java 8 anymore, per RFC7465 (thanks Robert for the reference).

I got JMeter to work on Java8, by updating server SSL configuration and removing RC4-SHA-only cipher, and allowing all default cipher suites, e.g. dropping SSLCipherSuite="RC4-SHA" from server.xml Tomcat configuration file.

Adding stronger security encryption (JCE Unlimited Strength Policy), will allow for better cipher suites and stronger encryption. You will need to be aware of US exporting rules though.

I will need to make decision as to which ciphers we want to support. That depends on the clients that we are expecting to connect to our SSL Tomcat connector. One client is definitely our JMeter test client, and there are few other RESTful clients that will be connecting, written in various languages and for various platforms.

Hopefully this discussion helps out others and shed some light.

I would like to edit this answer to add recommended (at the moment) TLS protocol and CipherSuite settings.

I found some great discussion on Mozilla ServerSide SSL Configuration:

Modern Compatibility

Ciphersuite: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
Versions: TLSv1.1, TLSv1.2
RSA key size: 2048
DH Parameter size: 2048
Elliptic curves: secp256r1, secp384r1, secp521r1 (at a minimum)
Certificate signature: SHA-256
HSTS: max-age=15724800

Intermediate Compatibility

Ciphersuite: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
Versions: TLSv1, TLSv1.1, TLSv1.2
RSA key size: 2048
DH Parameter size: 2048 (see DHE and Java for details)
Elliptic curves: secp256r1, secp384r1, secp521r1 (at a minimum)
Certificate signature: SHA-256

... and others

Thanks everyone that chimed in.

Answer 5

I was getting same exception in JDK7_u80. javax.net.ssl.SSLHandshakeException: handshake_failure. Even after I replace jars in security folders with JCE jar.

I installed new version JDK8_u92 and set the environment path to newly installed Java8. And jmeter issue is resolved now.

Answer 6

Here's how I solved this problem on a mac, as gleaned from here on StackOverflow:

1. Download updated security jars from Oracle - these ones are for Java 8: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

2. Unzip the downloaded zip file.

3. Go to the security folder in your java home directory:

   cd $(/usr/libexec/java_home)/jre/lib/security
   

4. Back up the following jars from this folder:

   • US_export_policy.jar

   • local_policy.jar

5. Replace with jars from zip file.

6. Restart Jmeter.