From akismpa at gmail.com Tue Apr 24 09:22:38 2018
From: akismpa at gmail.com (Panagiotis Bariamis)
Date: Tue, 24 Apr 2018 12:22:38 +0300
Subject: Credentials Generation

Hello,

I am trying to create a workload for an authenticated proxy.
LDAP administrator has already created usernames and passwords in the
pattern:
testproxyuser0001
testproxyuser0002
.
.
testproxyuser1000

and password i.e. test
I use function
string[] mycreds = "testproxyuser[1-1000]:test";
Is there any operator that can produce testproxyuser0001 instead of
testproxyuser1, testproxyuser0100 etc?

Thank you,
Bariamis Panagiotis

From rousskov at measurement-factory.com Tue Apr 24 14:25:09 2018
From: rousskov at measurement-factory.com (Alex Rousskov)
Date: Tue, 24 Apr 2018 08:25:09 -0600
Subject: Credentials Generation

On 04/24/2018 03:22 AM, Panagiotis Bariamis wrote:

> I am trying to create a workload for an authenticated proxy.
> LDAP administrator has already created usernames and passwords in the
> pattern:
> testproxyuser0001
> testproxyuser0002
> .
> .
> testproxyuser1000
>
> and password i.e. test
> I use function
> string[] mycreds = "testproxyuser[1-1000]:test";
> Is there any operator that can produce testproxyuser0001 instead of
> testproxyuser1, testproxyuser0100 etc?

Polygraph does not support custom formatting natively, but you can
generate credential strings using a scripting language of your choice
and then add those generated credentials in your PGL workload, either as
a PGL #include file or as an output of PGL system() or `backticked` command:
http://www.web-polygraph.org/docs/reference/pgl/calls.html#call:docs/reference/pgl/calls/system

HTH,

Alex.
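
The approach suggested in the reply above, as an added example that is not part of the thread: a POSIX shell function that writes zero-padded credentials as a PGL array suitable for an #include file. The function name, the `creds.pg` file name and the bracketed array layout are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Polygraph.
# gen_creds PREFIX FIRST LAST PASSWORD [WIDTH]
# Prints a PGL string array of PREFIX<zero-padded number>:PASSWORD entries.
# WIDTH defaults to the number of digits in LAST, so 1..1000 pads to 4 digits.
gen_creds() {
    prefix=$1 first=$2 last=$3 pass=$4
    width=${5:-${#last}}

    # Bounds must be plain decimal integers; a leading zero would be read
    # as octal by shell arithmetic, so it is rejected up front.
    for n in "$first" "$last" "$width"; do
        case $n in
            ''|*[!0-9]*|0?*)
                echo "gen_creds: '$n' is not a plain decimal integer" >&2
                return 2 ;;
        esac
    done
    if [ "$first" -gt "$last" ]; then
        echo "gen_creds: empty range $first-$last" >&2
        return 2
    fi

    # Refuse characters that would end the quoted PGL string early or
    # shift the user:password split.
    case $prefix in
        *'"'*|*'\'*|*:*) echo "gen_creds: bad character in prefix" >&2; return 2 ;;
    esac
    case $pass in
        *'"'*|*'\'*) echo "gen_creds: bad character in password" >&2; return 2 ;;
    esac

    printf 'string[] mycreds = [\n'
    i=$first
    while [ "$i" -le "$last" ]; do
        # Comma goes before every entry except the first, so the
        # last entry is not followed by a trailing comma.
        if [ "$i" -gt "$first" ]; then printf ',\n'; fi
        printf "    \"%s%0${width}d:%s\"" "$prefix" "$i" "$pass"
        i=$((i + 1))
    done
    printf '\n];\n'
}

# Hypothetical usage for the workload in the question:
#   gen_creds testproxyuser 1 1000 test > creds.pg
# and then, in the PGL workload:  #include "creds.pg"
```
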

From akismpa at gmail.com Sun Apr 29 19:09:07 2018
From: akismpa at gmail.com (Panagiotis Bariamis)
Date: Sun, 29 Apr 2018 22:09:07 +0300
Subject: SSLBUMP (Squid) stress test

Hello,

I am trying to measure performance for a proxy while using sslbump.
I have used the following sslwrap:
SslWrap sslWrap = {
    ssl_config_file = "openssl.conf";
    root_certificate = "keyall.pem";
    session_resumption = 70%;
    session_cache = 100;
};
While openssl.conf is the conf suggested by web polygraph site.
The root certificate keyall.pem is the private+public CA used for sslbump.
I have tried many combinations but I always get the error:
:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
How can I make web polygraph trust my CA for sslbump?

Thank you,
Bariamis Panagiotis

From rousskov at measurement-factory.com Mon Apr 30 22:41:30 2018
From: rousskov at measurement-factory.com (Alex Rousskov)
Date: Mon, 30 Apr 2018 16:41:30 -0600
Subject: SSLBUMP (Squid) stress test
Message-ID: <8b4c2269-1f08-ce17-23fb-afac42b91504@measurement-factory.com>

On 04/29/2018 01:09 PM, Panagiotis Bariamis wrote:

> I am trying to measure performance for a proxy while using sslbump.
> I have used the following sslwrap:
> SslWrap sslWrap = {
>     ssl_config_file = "openssl.conf";
>     root_certificate = "keyall.pem";
>     session_resumption = 70%;
>     session_cache = 100;
> };
> While openssl.conf is the conf suggested by web polygraph site.
> The root certificate keyall.pem is the private+public CA used for sslbump.

If you use the above sslWrap for Polygraph robots and Polygraph servers,
then please note that you are testing an unrealistic setup:

* An origin server signs traffic with certificate signed by Root CA X.
* Squid signs bumped traffic with certificate signed by Root CA Y.
* X is Y.

Normally, X is not Y!

This modeling problem does not explain the errors you are getting
AFAICT, but it is best to test a more realistic setup where the root CA
in robots sslWrap (Y) is different from the root CA in servers sslWrap
(X). If nothing else, you would be able to detect cases where Squid did
not bump SSL traffic it should have bumped during the test.

> I have tried many combinations but I always get the error:
> :SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> How can I make web polygraph trust my CA for sslbump?

Nothing jumps at me as broken in your small configuration snippet and
description.

1. Are your robots configured to go to Squid's http_port or https_port?
   If you are not testing an HTTPS proxy, they should be configured to
   talk to an http_port. If you are testing an interception proxy, then
   robots should be configured to talk to origin servers directly.

2. Can you double check that the unknown CA in the error message is
   actually the CA in keyall.pem? You can do that using wireshark or a
   similar tool that inspects traffic. To reduce noise, configure a
   single best-effort robot and tell it to stop after the first error.

3. Does "curl --ca-cert keyall.pem" (or equivalent) work when requesting
   one of the Polygraph URLs through the same proxy port (while a
   Polygraph server is still running)?

Alex.