Disable JMeter SSL certificate parsing & validation

Question

I'm trying to query an HTTPS REST API on a server that has a self-signed certificate.

I set up a HTTP Request and pointed it at my API. But when I run it, I get an error:

javax.net.ssl.SSLHandshakeException: Failed to parse server certificates
    at sun.security.ssl.Alert.createSSLException(Unknown Source)
    at sun.security.ssl.TransportContext.fatal(Unknown Source)
    at sun.security.ssl.TransportContext.fatal(Unknown Source)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(Unknown Source)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(Unknown Source)
    at sun.security.ssl.SSLHandshake.consume(Unknown Source)
    at sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
    at sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
    at sun.security.ssl.TransportContext.dispatch(Unknown Source)
    at sun.security.ssl.SSLTransport.decode(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.decode(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
    at org.apache.jmeter.protocol.http.sampler.hc.LazyLayeredConnectionSocketFactory.connectSocket(LazyLayeredConnectionSocketFactory.java:91)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
    at org.apache.jmeter.protocol.http.sampler.HTTPHC4Impl$JMeterDefaultHttpClientConnectionOperator.connect(HTTPHC4Impl.java:404)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
    at org.apache.jmeter.protocol.http.sampler.HTTPHC4Impl.executeRequest(HTTPHC4Impl.java:935)
    at org.apache.jmeter.protocol.http.sampler.HTTPHC4Impl.sample(HTTPHC4Impl.java:646)
    at org.apache.jmeter.protocol.http.sampler.HTTPSamplerProxy.sample(HTTPSamplerProxy.java:66)
    at org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.sample(HTTPSamplerBase.java:1296)
    at org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.sample(HTTPSamplerBase.java:1285)
    at org.apache.jmeter.threads.JMeterThread.doSampling(JMeterThread.java:638)
    at org.apache.jmeter.threads.JMeterThread.executeSamplePackage(JMeterThread.java:558)
    at org.apache.jmeter.threads.JMeterThread.processSampler(JMeterThread.java:489)
    at org.apache.jmeter.threads.JMeterThread.run(JMeterThread.java:256)
    at java.lang.Thread.run(Unknown Source)
Caused by: java.security.cert.CertificateParsingException: Empty issuer DN not allowed in X509Certificates
    at sun.security.x509.X509CertInfo.parse(Unknown Source)
    at sun.security.x509.X509CertInfo.<init>(Unknown Source)
    at sun.security.x509.X509CertImpl.parse(Unknown Source)
    at sun.security.x509.X509CertImpl.<init>(Unknown Source)
    at sun.security.provider.X509Factory.engineGenerateCertificate(Unknown Source)
    at java.security.cert.CertificateFactory.generateCertificate(Unknown Source)
    ... 34 more

How do I disable the SSL certificate parsing and validation?

This question and this question both say that JMeter doesn't validate SSL certificates. If that were true, then the fact that apparently my server's X509 certificate is invalid wouldn't be a problem. Those questions are very old, so possibly it is no longer the case that it doesn't validate by default any longer

I tried adding this property to my jmeter.properties file but it made no difference: server.rmi.ssl.disable=true. This was suggested in one of the above similar questions, (though I'm not sure why disabling SSL in RMI would have anything to do with HTTP.)

How do I get JMeter to ignore the invalid self-signed certificate entirely for my https API request?

Latest JMeter (5.4.1) and Java 8u311.

Answer 1

As per the specification:

The issuer field identifies the entity who has signed and issued the certificate. The issuer field MUST contain a non-empty distinguished name (DN)

and in RFC terms MUST is really MUST

MUST This word, or the terms "REQUIRED" or "SHALL", mean that the definition is an absolute requirement of the specification.

Actual JMeter documentation states:

The JMeter HTTP samplers are configured to accept all certificates, whether trusted or not, regardless of validity periods, etc. This is to allow the maximum flexibility in testing servers.

So I would recommend reaching out to developers or system administrators and ask them to fix the certificate

If for some reason it's not possible you can try using HTTP protocol instead of HTTPS in your HTTP Request sampler (or even better HTTP Request Defaults)

If your application doesn't expose HTTP endpoint the only thing you could do is to patch your Java runtime and recompile it.

Answer 2

Try disable antivirus.. sometimes it´s the solution.