javax.net.ssl.SSLHandshakeException:handshake_failure 将 JMeter 与 SSL (JDK8) 结合使用时

javax.net.ssl.SSLHandshakeException: handshake_failure when using JMeter with SSL (JDK8)

我正在编写 JMeter 测试计划以连接到 SSL 端口(Tomcat 连接器)。在 JDK8 (1.8.0_51) 上使用三个 JMeter SSL 客户端实现(HttpClient4、HttpClient3.1、Java)中的任何一个连接到 SSL 端口时,我收到 SSLHandshakeException (handshake_failure)。如果我使用 JDK7 (1.7.0_75) - 一切都按预期工作。

Client JDK: HotSpot 1.8.0_51
Client OS: Mac OSX 10.10.2
JMeter version: 2.13

Server: Tomcat 7.0.63 (latest)
Server SSL CipherSuite: RC4-SHA
Server SSL Protocol: all
Server Java: OpenJDK 1.7.0_79

以下是我已经尝试过的一些方法:

(1) 我尝试更换 JCE Unlimited Strength JAR,如在类似问题上所建议的那样:

错误消息或日志文件没有变化,JDK8 客户端无法连接到 SSL 服务器。

(2) 我按照此处所述打开调试:https://blogs.oracle.com/java-platform-group/entry/diagnosing_tls_ssl_and_https。将 JVM_ARGS 设置为 -Djavax.net.debug=ssl:handshake:verbose 启动 JMeter。日志文件(附在下面)没有暗示问题可能是什么原因。

(3) 我尝试指定 HTTPS 协议,例如-Dhttps.protocols=SSLv3。没有运气。 SSLv3 被禁用或密码不匹配: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)

(4) 我尝试禁用 SNI,例如-Djsse.enableSNIExtension=false。也不走运。

所以,我现在被迫使用 JDK7,直到我可以使用 JDK8[=56= 让我的 JMeter 达到 运行 ],我想解决这个问题。

因此,问题在于 JDK8 处理 SSL 客户端的方式与 JDK7 不同。此外,服务器(Tomcat 连接器)需要支持适当的密码和协议,但目前我无法控制。

相关日志如下:

X509KeyManager passed to SSLContext.init():  need an X509ExtendedKeyManager for SSLEngine use
trigger seeding of SecureRandom
done seeding SecureRandom
Agents (clients) 1-2, setSoTimeout(0) called
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  *** ClientHello, TLSv1.2
GMT: 1422637724 bytes = { RandomCookie:  GMT: 1422637724 bytes = { 71, 27, 101, 246, 26, 99, 64, 213, 53, 66, 156, 66, 118, 137, 247113, , 226, 86, 121, 189, 207, 175, 98, 46, 64, 242, 48, 19, 30, 66, 251, 120, 125, 249, 63, 114, 254, 246, 5, 168, 17, 190, 214, 228, 90, 165128 }
Session ID:  , 113, {}
157, 211, 230, 144, Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
145, 63, Compression Methods:  { 238, 0178 }
Session ID:  {}
 }
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
***
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
***
Agents (clients) 1-2, WRITE: TLSv1.2 Handshake, length = 237
Agents (clients) 1-1, WRITE: TLSv1.2 Handshake, length = 237
Agents (clients) 1-2, READ: TLSv1.2 Alert, length = 2
Agents (clients) 1-2, RECV TLSv1.2 ALERT:  fatal, handshake_failure
Agents (clients) 1-2, called closeSocket()
Agents (clients) 1-2, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Agents (clients) 1-2, called close()
Agents (clients) 1-2, called closeInternal(true)
Agents (clients) 1-1, READ: TLSv1.2 Alert, length = 2
Agents (clients) 1-1, RECV TLSv1.2 ALERT:  fatal, handshake_failure
Agents (clients) 1-1, called closeSocket()
Agents (clients) 1-1, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Agents (clients) 1-1, called close()
Agents (clients) 1-1, called closeInternal(true)

这是我在 JMeter 日志文件中获得的堆栈跟踪:

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
    at org.apache.jmeter.protocol.http.sampler.HTTPJavaImpl.sample(HTTPJavaImpl.java:483)
    at org.apache.jmeter.protocol.http.sampler.HTTPSamplerProxy.sample(HTTPSamplerProxy.java:74)
    at org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.sample(HTTPSamplerBase.java:1146)
    at org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.sample(HTTPSamplerBase.java:1135)
    at org.apache.jmeter.threads.JMeterThread.process_sampler(JMeterThread.java:434)
    at org.apache.jmeter.threads.JMeterThread.run(JMeterThread.java:261)
    at java.lang.Thread.run(Thread.java:745)

那么,如何让 JMeter 中的 JDK8 客户端使用服务器允许的协议和密码与 SSL 端口通信。

谢谢!

编辑:添加了 SSL 实验室测试结果

Protocols
    TLS 1.2    Yes
    TLS 1.1    Yes
    TLS 1.0    Yes
    SSL 3      No
    SSL 2      No

Cipher Suites (sorted by strength as the server has no preference; deprecated and SSL 2 suites at the end)
    TLS_RSA_WITH_RC4_128_SHA (0x5)      WEAK        128

Clients
    Java 6u45    No SNI 2    TLS 1.0    TLS_RSA_WITH_RC4_128_SHA (0x5) No FS    RC4    128
    Java 7u25                TLS 1.0    TLS_RSA_WITH_RC4_128_SHA (0x5) No FS    RC4    128
    Java 8u31                TLS 1.2    TLS_RSA_WITH_RC4_128_SHA (0x5) No FS    RC4    128

所以经过一些挖掘和评论中的想法,归结为 Tomcat 配置。 Tomcat 仅允许配置 RC4-SHA,这是不安全的并且在 Java 8 中不再受支持,参考 RFC7465 (thanks Robert

我让 JMeter 在 Java8 上工作,方法是更新服务器 SSL 配置并删除 RC4-SHA-only 密码,并允许所有默认密码套件,例如从 server.xml Tomcat 配置文件中删除 SSLCipherSuite="RC4-SHA"

添加更强大的安全加密 (JCE Unlimited Strength Policy),将允许更好的密码套件和更强大的加密。不过,您需要了解美国的出口规则。

我需要决定我们要支持哪些密码。这取决于我们期望连接到我们的 SSL Tomcat 连接器的客户端。一个客户端肯定是我们的 JMeter 测试客户端,并且几乎没有其他 RESTful 客户端将连接,以各种语言和各种平台编写。

希望这个讨论能帮助其他人并阐明一些问题。

我想编辑此答案以添加推荐的(目前)TLS 协议和 CipherSuite 设置。

我在 Mozilla ServerSide SSL Configuration 上发现了一些很棒的讨论:

现代兼容性

Ciphersuite: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
Versions: TLSv1.1, TLSv1.2
RSA key size: 2048
DH Parameter size: 2048
Elliptic curves: secp256r1, secp384r1, secp521r1 (at a minimum)
Certificate signature: SHA-256
HSTS: max-age=15724800

中等兼容性

Ciphersuite: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
Versions: TLSv1, TLSv1.1, TLSv1.2
RSA key size: 2048
DH Parameter size: 2048 (see DHE and Java for details)
Elliptic curves: secp256r1, secp384r1, secp521r1 (at a minimum)
Certificate signature: SHA-256

...和其他人

感谢所有参与的人。

这是我在 mac 上解决这个问题的方法,从 中收集:

  1. 从 Oracle 下载更新的安全 jar - 这些用于 Java 8: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

  2. 解压缩下载的 zip 文件。

  3. 转到您的 java 主目录中的安全文件夹:

    cd $(/usr/libexec/java_home)/jre/lib/security
    
  4. 从此文件夹备份以下 jar:

    • US_export_policy.jar

    • local_policy.jar

  5. 替换为 zip 文件中的 jar。

  6. 重启 Jmeter。

我在 JDK7_u80 中遇到了同样的异常。 javax.net.ssl.SSLHandshakeException:handshake_failure。即使在我用 JCE jar 替换安全文件夹中的 jar 之后。

我安装了新版本JDK8_u92并将环境路径设置为新安装的Java8。 jmeter 问题现在已解决。

我遇到了同样的问题,并根据上述 post 中给出的输入解决了它。我在解决问题上的两分钱:

  1. 尝试从 chrome 中点击 URL,然后单击锁定按钮并查看证书。
  2. 寻找支持的 https 协议(例如 TLS v1.2))。
  3. 验证您的 java 版本是否支持。如果没有,请更新 java.
  4. 在 jmeter properites 文件中,将 属性 更新为

    https.default.protocol=TLSv1.2

  5. 重启jmeter。

以上步骤对我有用。

有一种解决方案允许 JMeter 连接到不安全的端点(或那些使用旧的或不够安全的协议的端点):

  • 找到你的 JRE;
  • 打开 jre\lib\security\ 文件夹;
  • 备份 java.security 个文件;
  • 编辑 java.security 文件并注释掉禁用不安全算法的所有行 - 搜索 'disabledAlgorithms' 字符串(不要忘记在多行设置中注释掉这两行),它们看起来像:

jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \ DSA keySize < 1024, EC keySize < 224

  • 保存文件并重启 JMeter。

Java 现在允许连接使用旧协议,因此 JMeter 可以正常工作。

记住这是安全的!

这些设置是全局的,将影响所有 使用相同 JRE 的程序。如果您发现此修复对您的系统有效且有用,DO 创建您的 JRE 的副本,并在 jmeter.bat 中设置它的路径。 Return 来自 java.security 文件备份副本的全局设置。

我在使用 Jmeter 3.2 和 JRE 8 时遇到了类似的问题,并在 Jmeter JNDI 属性中添加了以下属性,它对我来说工作正常:

java.naming.security.principal  
java.naming.security.credentials    
com.tibco.tibjms.naming.security_protocol   
com.tibco.tibjms.naming.ssl_enable_verify_host  
com.tibco.tibjms.naming.ssl_trusted_certs   
com.tibco.tibjms.naming.ssl_password    
com.tibco.tibjms.naming.ssl_auth_only   
com.tibco.tibjms.naming.ssl_trace   
com.tibco.tibjms.naming.ssl_debug_trace 
com.tibco.tibjms.naming.ssl_identity