FastHttpUser doesn't use the SNI TLS extension

[gileri]

Describe the bug

Some web server/reverse proxy require the client to announce which hostname it wants to connect to. It's done via the Server Name Indication TLS extension. This allow sharing the same public IP between multiple hostnames. locust.io for example uses Cloudflare, which requires SNI in this setup.

Unlike HttpUser, FastHttpUser doesn't send the SNI extension, making all TLS connection to SNI-requiring servers fail.

Users are warned that FastHttpUser doesn't necessarily implement the same feature set as HttpUser, but geventhttpclient, used by FastHttpUser does support SNI in the included version.

Expected behavior

The FastHttpUser client send the SNI extension as host, and the TLS connection succeed.

Actual behavior

The following error is obtained and every TLS connection
SSLError(1, '[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1108)')

It can confirmed by capturing the TLS Client Hello network packet.

Steps to reproduce

locustfile.py :

from locust import task, between
from locust.contrib.fasthttp import FastHttpUser

class ApiUser(FastHttpUser):
    wait_time = between(1.0, 8.0)

    @task(1)
    def index(self):
        self.client.get("/")

Execute
% locust -H 'https://locust.io' --headless

Environment

• OS: Archlinux up to date as of 2020-04-30
• Python version: 3.8.2
• Locust version: git master @5cad1cb5921ff84298d357e0a5ba42bdc0390acc
• Locust command line that you ran: locust -H 'https://locust.io' --headless

[cyberw]

Does it work if you set ApiUser.insecure = False ?

[gileri]

No it does not, same error with this code (and verified with packet capture)

from locust import task, between
from locust.contrib.fasthttp import FastHttpUser

class ApiUser(FastHttpUser):
    wait_time = between(1.0, 8.0)
    insecure = False

    @task(1)
    def index(self):
        self.client.get("/")

[heyman]

geventhttpclient is supposed to have SNI support (geventhttpclient/geventhttpclient#109) but I can confirm that I can reproduce this bug.

Would definitely be interested in a fix.

[heyman]

Even though SNI support is supposed to work in geventhttpclient, it appears to be broken. This code causes the same exception:

from geventhttpclient.useragent import UserAgent

ua =  UserAgent()
response = ua.urlopen('https://locust.io')

print("response:", response)

[tljdebrouwer]

Found the same issue today, resolved this locally by changing the ssl_options to ssl_context_factory (the combination doesn't seem to be allowed) in 'locust/contrib/fasthttp.py'

    self.client = LocustUserAgent(
         cookiejar=self.cookiejar,  
         ssl_context_factory=gevent.ssl.create_default_context,  
         **kwargs 
     )

Only this way, it seem to trigger to set the server_hostname, see

            if ssl_context_factory is not None:
                requested_hostname = headers.get('host', self.host)
                ssl_options.setdefault('server_hostname', requested_hostname)

from https://github.com/gwik/geventhttpclient/blob/master/src/geventhttpclient/client.py#L97

The ssl_options was added because of let's encrypt certificates, I'm not sure if this is broken again.

Hope this helps, I'm not sure what the right fix is (started with locust today)......

[heyman]

@tljdebrouwer Thanks for debugging! I've pushed a fix (0f6f217) which I believe solves it.

[tljdebrouwer]

Thanks. Fix looking good!

…

Op 4 mei 2020 om 22:02 heeft Jonatan Heyman ***@***.***> het volgende geschreven: @tljdebrouwer Thanks for debugging! I've pushed a fix which I believe solves it. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or unsubscribe.