FastHttpUser doesn't use the SNI TLS extension


Describe the bug

Some web servers/reverse proxies require the client to announce which hostname it wants to connect to. This is done via the Server Name Indication TLS extension. This allows sharing the same public IP between multiple hostnames. locust.io for example uses Cloudflare, which requires SNI in this setup.

Unlike HttpUser, FastHttpUser doesn’t send the SNI extension, making all TLS connections to SNI-requiring servers fail.

Users are warned that FastHttpUser doesn’t necessarily implement the same feature set as HttpUser, but geventhttpclient, used by FastHttpUser, does support SNI in the included version.

Expected behavior

The FastHttpUser client sends the SNI extension as host, and the TLS connection succeeds.

Actual behavior

The following error is obtained on every TLS connection: SSLError(1, '[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1108)')

It can be confirmed by capturing the TLS Client Hello network packet.

Steps to reproduce

locustfile.py :

from locust import task, between
from locust.contrib.fasthttp import FastHttpUser

class ApiUser(FastHttpUser):
    wait_time = between(1.0, 8.0)

    @task(1)
    def index(self):
        self.client.get("/")

Execute % locust -H 'https://locust.io' --headless

Environment

  • OS: Archlinux up to date as of 2020-04-30
  • Python version: 3.8.2
  • Locust version: git master @5cad1cb5921ff84298d357e0a5ba42bdc0390acc
  • Locust command line that you ran: locust -H 'https://locust.io' --headless

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 1
  • Comments: 7 (3 by maintainers)

Top GitHub Comments

2 reactions
tljdebrouwer commented, May 1, 2020

Found the same issue today, resolved this locally by changing the ssl_options to ssl_context_factory (the combination doesn’t seem to be allowed) in ‘locust/contrib/fasthttp.py’

    self.client = LocustUserAgent(
        cookiejar=self.cookiejar,
        ssl_context_factory=gevent.ssl.create_default_context,
        **kwargs
    )

Only this way, it seems to trigger setting the server_hostname, see

            if ssl_context_factory is not None:
                requested_hostname = headers.get('host', self.host)
                ssl_options.setdefault('server_hostname', requested_hostname)

from https://github.com/gwik/geventhttpclient/blob/master/src/geventhttpclient/client.py#L97

The ssl_options was added because of Let’s Encrypt certificates, I’m not sure if this is broken again.

Hope this helps, I’m not sure what the right fix is (started with locust today)…

1 reaction
heyman commented, May 4, 2020

@tljdebrouwer Thanks for debugging! I’ve pushed a fix (0f6f2170331a10f6e0427e947bf91aab6a797b91) which I believe solves it.
