Error trying to use TLS1.3

Hello,

I’m using the latest Gatling version, 3.3.1.

I installed the latest OpenSSL for my OS:

OpenSSL 1.1.1g 21 Apr 2020

In gatling.conf I set:

useOpenSsl = true

I have a backend set to use only TLS 1.3; I can connect to the backend using my browser (Chrome, Firefox).

I can connect to the backend using openssl s_client -connect mybackend:port

But every time I launch an injection from Gatling I get this error:

```
j.n.s.SSLHandshakeException: error:1000042e:SSL routines:OPENSSL_internal:TLSV1_ALERT_PROTOCOL_VERSION    2199 (100,0%)
```

Full error:

```
15:43:10.823 [WARN ] i.g.h.e.r.DefaultStatsProcessor - Request 'GET_2KB_ATK' failed for user 200: j.n.s.SSLHandshakeException: error:1000042e:SSL routines:OPENSSL_internal:TLSV1_ALERT_PROTOCOL_VERSION
15:43:10.836 [WARN ] i.g.h.e.GatlingHttpListener - Request 'GET_2KB' failed for user 201
javax.net.ssl.SSLHandshakeException: error:1000042e:SSL routines:OPENSSL_internal:TLSV1_ALERT_PROTOCOL_VERSION
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.shutdownWithError(ReferenceCountedOpenSslEngine.java:961)
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.sslReadErrorResult(ReferenceCountedOpenSslEngine.java:1211)
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1165)
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1236)
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1279)
    at io.netty.handler.ssl.SslHandler$SslEngineType$1.unwrap(SslHandler.java:217)
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1301)
    at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1203)
    at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1247)
    at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:502)
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:441)
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:278)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965)
    at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:656)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:591)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:508)
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:470)
    at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:909)
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
    at java.base/java.lang.Thread.run(Thread.java:834)
```

Can you help me understand what the problem is and, if possible, how to solve it?

Best regards, Xavier.

I think that’s a problem with Netty’s tcnative that got fixed recently.

The easiest workaround is to disable useOpenSsl and run with Java 11 (as Java 8 doesn’t have TLS1.3 unless you’re paying for the Oracle builds where it was backported).

I installed the latest Java 11 JDK but still get an error:

```
j.n.s.SSLHandshakeException: Received fatal alert: protocol_version    2190 (100,0%)
```

I use in gatling.conf:

```
useOpenSsl = false
```

I’m on Debian 9.

```
update-alternatives --config java
Il existe 3 choix pour l’alternative java (qui fournit /usr/bin/java).

Sélection Chemin Priorité État
```

From https://groups.google.com/g/gatling:

Provide a Short, Self Contained, Correct (Compilable), Example (see http://sscce.org/)

Re,

Gatling Scenario
in file attachment.

OS :
Debian 9 Stretch

openSSL version :

OpenSSL 1.1.1g 21 Apr 2020

Java versions :

```
update-alternatives --config java

Sélection Chemin Priorité État
```

scenar.scala (1.39 KB)

The target IP is not public and this test defines local addresses.
No one but you can run it. That’s the whole point of requesting a Self Contained sample.

Anyway, I ran a test with master and it works fine: https://gist.github.com/slandelle/e1979b2c79d6dec17b5953124c0242e4
Maybe you’ll have to wait for the next release.

OK, thank you for your help, I will try to be more SSCCE compliant next time.

It works with this conf:

sslEnabledProtocols = ["TLSv1.3"]

Before (for SSLv3, TLS 1.1 or TLS 1.2), Gatling was able to auto-select the right protocol according to the server’s protocol list.
For TLSv1.3 it seems we must specify the protocol version in gatling.conf.

Thank you, best regards, Xavier.

For some reason, Netty disables TLSv1.3 by default.
IMHO, this decision should be revisited.
I’ve opened a ticket.

I’ve also opened a ticket on the Gatling side.
Depending on Netty’s move, we might end up doing the work on our side so we can ensure TLSv1.3 is enabled by default for Gatling 3.4.0.
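
Added example, not part of the thread: the two error strings quoted above (OpenSSL-style with useOpenSsl = true, JSSE-style with useOpenSsl = false) carry the same TLS `protocol_version` alert, meaning the server refused every version the client offered. This Python script triages a Gatling log by request, TLS engine and alert; the log lines are constructed from the messages in the thread, and all function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the error messages quoted in the thread.
SAMPLE_LOG = """\
15:43:10.823 [WARN ] i.g.h.e.r.DefaultStatsProcessor - Request 'GET_2KB_ATK' failed for user 200: j.n.s.SSLHandshakeException: error:1000042e:SSL routines:OPENSSL_internal:TLSV1_ALERT_PROTOCOL_VERSION
15:43:10.836 [WARN ] i.g.h.e.r.DefaultStatsProcessor - Request 'GET_2KB' failed for user 201: j.n.s.SSLHandshakeException: Received fatal alert: protocol_version
15:43:11.002 [WARN ] i.g.h.e.r.DefaultStatsProcessor - Request 'GET_2KB' failed for user 202: j.n.s.SSLHandshakeException: Received fatal alert: handshake_failure
15:43:11.100 [WARN ] i.g.h.e.r.DefaultStatsProcessor - Request 'GET_2KB' failed for user 203: j.n.ConnectException: connection refused
"""

# Gatling failure line; accepts straight or typographic quotes around the request name.
LINE = re.compile(
    r"Request ['\u2018](?P<request>[^'\u2019]+)['\u2019] failed for user \d+: (?P<error>.+)$"
)

# OpenSSL-style text appears when the native engine is used (useOpenSsl = true);
# "Received fatal alert" is the JDK's own TLS stack (useOpenSsl = false).
SIGNATURES = [
    ("openssl", re.compile(r"SSL routines:[^:]*:(?:TLSV1|SSLV3)_ALERT_(\w+)")),
    ("jdk", re.compile(r"Received fatal alert: (\w+)")),
]

def classify(error):
    """Return (engine, alert) if the message carries a TLS alert, else None."""
    for engine, pattern in SIGNATURES:
        m = pattern.search(error)
        if m:
            return engine, m.group(1).lower()
    return None

def summarize(log_text):
    """Count failed requests per (request, engine, alert)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE.search(line)
        hit = classify(m.group("error")) if m else None
        if hit:
            counts[(m.group("request"),) + hit] += 1
    return counts

def version_mismatch(counts):
    """Requests rejected with protocol_version, whichever engine reported it."""
    return sorted({req for (req, _, alert) in counts if alert == "protocol_version"})

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, *key)
    print("check enabled TLS protocols for:", version_mismatch(summarize(SAMPLE_LOG)))
```

Requests listed by `version_mismatch` are the ones to check against the client's enabled protocol list, as the thread did for TLSv1.3; other alerts such as `handshake_failure` point elsewhere.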