The Dreaded SSLException Error and What You Can Do About It When Load Testing

It happens to the best of us. There you are running a load test, and everything seems to be going great. Then suddenly, in the middle of the test run, you start getting nasty SSL Exceptions. Not only that, but they are also usually accompanied by other horrible messages, such as Broken Pipe, Handshake Failure, Connection Reset, and other such profanities. Sometimes all you can do is say to yourself: Why is this happening to me?

Well, don’t worry! This doesn’t only happen to you. SSL Exceptions are common problems faced by programmers and testers all the time. An SSL Exception occurs when the client and server establish communication via the secure SSL protocol, but there is a problem with this connection.

If the client is performing an HTTPS request to the server, and an error occurs, then an SSL Exception will appear in the body of the response. You might discover them in the middle of your load tests. In this blog, I’ll go over some of the more common errors that cause them and how to resolve them (and your load tests!). Sometimes, your load testing tool could be the way to resolve these errors.

Let’s get started.

Error #1: Failed to Establish Connection

One of the most common SSL Exceptions is the “Failed to Establish Connection” error. This is caused by SSL certificates that are either missing or expired.

SSL certificates are the enablers of SSL security. They are pieces of code containing a string of letters and digits that are used to encrypt communication and identity verification. When you send data over the internet and include the right certificate code, the SSL subsystem on the server identifies you as a rightful user of the service being provided.

An SSL certificate is usually valid for 13 months. If the certificate is not reissued, you cannot establish a connection to the server.

How to Resolve a “Failed to Establish Connection” Error

The “Failed to Establish Connection” error is usually mitigated by adding a valid client certificate or updating an existing one that expired.

Keep in mind that the certificate file must be in PEM format. Certificates come in different formats. If they are in a format different than PEM, make sure to use an SSL converter.

Error #2: Handshake Exception

The Handshake process is the first stage in setting up a secure connection between the client and server. In this process, the server checks the certificate key sent by the client to make sure it matches the one in the server. But there is more to it than that. The client and server need to be using the same version of the protocol, otherwise, it’s not going to work. 

How to Resolve a “Handshake Exception” Error

If the root cause of the “Handshake Exception” is due to conflicting protocols, you need to set the client protocol version to match that of the server. There are many ways to determine what protocol version the server application is using. If you are doing JMeter testing for instance, then set the debug log level to “All” in the options menu. Then, in the console window, you will see something like this:

The default protocol in JMeter is TLSv1.2, so there is no problem in this example. However, if the protocol version is different, then update the user.properties file with the correct version, as in:

https.default.protocol=TLSv1.2

Another possible point of failure with the Handshake is lack of resources. To establish an SSL connection, CPU and RAM are taxed. If the server is slow, and there is a delay, it could affect the success of the handshake and cause a failure.

One way to make sure that the server has enough resources such as CPU, RAM, Disk space, and others, is to run your test with the JMeter PerfMon plugin. With this plugin you can monitor the performance of the server to see if there are resource constraints.

If there is still a handshake problem after monitoring resources, you can enable JMeter debugging to get more information. In the system.properties file, found in the ‘bin’ folder of the JMeter installation, set the value of javax.net.debug to ‘ssl’, as in: 

javax.net.debug=ssl

Restart JMeter and then review the SSL related information in the console for clues on what is causing the problem.

Error #3: Broken Pipe

If you get a Broken Pipe error, don’t call a plumber. This is just another situation where things go wrong with SSL connections. The Pipe is a data stream that is used for reading data from the server’s network socket. If the server is not feeding data to the ‘pipe’ then the client will not be able to receive the data.

Usually, you’ll see this error in association with a Socket Exception, because the Socket is what provides the stream of data. If the socket shuts down, you will get this error. This error works both ways: Either the client or the server could close the socket or disconnect.

How to Resolve a “Broken Pipe” Error

So, what are the common causes of a Broken Pipe? There are many possibilities. If the backend server has a database, and the connection to the DB timed-out, this will cause an exception. Memory leaks, API problems, bad data causing a crash, and others could cause this problem. There is no easy answer, and most likely you’ll need to dig into the logs to find out what caused the problem.

Error #4: Connection Reset

Sometimes you might see an error, under SSL Exception, called a Connection Reset Error. This error is caused when either the server or the client experience an issue requiring the connection to be shut down and reinitiated. This usually happens because of some network issue.

A Connection Reset error will subsequently raise a broken pipe error since the two are closely related. Besides network problems, this error could be caused by an OOM (Out of Memory) issue, a bug in the code, an expired resource, etc.

How to Resolve a “Connection Reset” Error

In most cases, network monitoring and DevOps may need to be involved to resolve this error.

• In some cases, there is a problem due to Whitelisting of IP addresses. 
• If your server is using reverse proxying, then there may be a version problem with that software. 
• When you still have no idea what’s causing the Connection Reset error, it’s a good idea to increase the verbosity of the logger as mentioned above (javax.net.debug=ssl).
• Decrease the number of Virtual Users in the test to eliminate the problem of an overload on the system.
• Finally, check out this best practice, to be set up in JMeter: 

Switch "Implementation" of all your HTTP Request Samplers to "HttpClient4". The best way to do this is using the element HTTP Request Defaults, so you will have to change the value in just one place.

1. Add the next 2 lines to user.properties file (lives under /bin folder of your JMeter installation)
   httpclient4.retrycount=1

hc.parameters.file=hc.parameters

2. Add the next line to hc.parameters file (same location, /lib folder)
   http.connection.stalecheck$Boolean=true 
3. Remember to restart JMeter after making these changes, properties change is not dynamic, they're being picked up upon JMeter startup.

Bottom Line

In this blog article, we covered the reasons behind some of the most common SSL Exception errors. This by no means is a comprehensive list, and in some cases the issue at hand may be more complex. Online resources such as forums and user groups are a good source of information for those hard to solve problems. However, hopefully this compendium of typical problems and solutions will be helpful for you and most of the issues you encounter!

Start Testing Now