FastHttpUser doesn't use the SNI TLS extension
See original GitHub issueDescribe the bug
Some web server/reverse proxy require the client to announce which hostname it wants to connect to. It’s done via the Server Name Indication TLS extension. This allow sharing the same public IP between multiple hostnames. locust.io for example uses Cloudflare, which requires SNI in this setup.
Unlike HttpUser
, FastHttpUser
doesn’t send the SNI extension, making all TLS connection to SNI-requiring servers fail.
Users are warned that FastHttpUser
doesn’t necessarily implement the same feature set as HttpUser
, but geventhttpclient
, used by FastHttpUser
does support SNI in the included version.
Expected behavior
The FastHttpUser client send the SNI extension as host
, and the TLS connection succeed.
Actual behavior
The following error is obtained and every TLS connection
SSLError(1, '[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1108)')
It can confirmed by capturing the TLS Client Hello network packet.
Steps to reproduce
locustfile.py
:
from locust import task, between
from locust.contrib.fasthttp import FastHttpUser
class ApiUser(FastHttpUser):
wait_time = between(1.0, 8.0)
@task(1)
def index(self):
self.client.get("/")
Execute
% locust -H 'https://locust.io' --headless
Environment
- OS: Archlinux up to date as of 2020-04-30
- Python version: 3.8.2
- Locust version: git master @5cad1cb5921ff84298d357e0a5ba42bdc0390acc
- Locust command line that you ran:
locust -H 'https://locust.io' --headless
Issue Analytics
- State:
- Created 3 years ago
- Reactions:1
- Comments:7 (3 by maintainers)
Top GitHub Comments
Found the same issue today, resolved this locally by changing the ssl_options to ssl_context_factory (the combination doesn’t seem to be allowed) in ‘locust/contrib/fasthttp.py’
Only this way, it seem to trigger to set the server_hostname, see
from https://github.com/gwik/geventhttpclient/blob/master/src/geventhttpclient/client.py#L97
The ssl_options was added because of let’s encrypt certificates, I’m not sure if this is broken again.
Hope this helps, I’m not sure what the right fix is (started with locust today)…
@tljdebrouwer Thanks for debugging! I’ve pushed a fix (0f6f2170331a10f6e0427e947bf91aab6a797b91) which I believe solves it.