Calling TLS authenticated endpoint from K6 test

vanithaconnectid · September 11, 2023, 8:04am

@@
Update: I realized that I need to setup my K6 repo as a trusted client for TLS to work.So I’m going to give that a try. But i wonder why skip tls option offered by K6 is not working.
K6_INSECURE_SKIP_TLS_VERIFY=false k6 run test.js
k6 run --insecure-skip-tls-verify eventstlsauth.js
these commands give this error
WARN[0000] Request Failed error=“Post "https://endpoint/token\”: remote error: tls: handshake failure"
@@

hey folks! I’m new to K6 and I have hit a wall in dealing with calling an endpoint that uses tls auth and I’m facing an error that says

WARN[0000] Request Failed                                error="Post \"https:endpointname\": tls: failed to verify certificate: x509: certificate signed by unknown authority"

Code that I use is below

import http from 'k6/http';

// tried this way of passing tls auth via options as suggested in k6 doc and it doesn't work
// So below is the second way of passing via request options
// export const options = {
//   tlsAuth: [
//     {
//     //   domains: ['mtls-api.dev.connectid.com.au'],
//       cert: open('./transport.pem'),
//       key: open('./transport.key'),
//     },
//   ],
// };

const cert = open('./transport2.pem');
const key = open('./transport2.key');
export function setup() {

    // Define the request headers with mTLS client certificate and key
    let headers = {
      'Content-Type': 'application/x-www-form-urlencoded',
    };
  
    //
    // Define the token endpoint URL
    let tokenEndpoint = 'https://<mytlsendpoint>/token';
  
    // Define the request body
    const requestBody = 'param1=value1&param2=valu2&param3=value3'
    
    const requestOptions = {
        headers: headers,
        tls: {
            client_cert: cert,
            client_key: key,
          },
        // tls_insecure_skip_verify: true, // Include this to skip TLS verification
      };
  
    // Perform a POST request to obtain the token
    let response = http.post(tokenEndpoint, requestBody, requestOptions);
    console.log(response.status);
  
    // Check the response and extract the token
    check(response, {
      'Token Obtained': (r) => r.status === 200,
    });
  
    return response.json('access_token'); // Assuming the token is in the JSON response
  }

  export default function () {
  }Preformatted text

Any help/pointers are appreciated.

olegbespalov · September 12, 2023, 7:41am

Hi @vanithaconnectid !

Welcome to the community forums!

Out of curiosity, have you checked that the credentials are valid? E.g. have you tried curl using them?

The other important thing that I’d like to highlight is that HTTP request params right now have no way to set tls (see Params), so you should configure TLS by using options’s tlsAuth.

So in the end your options could look like this:

export const options = {
   insecureSkipTLSVerify: true,
   tlsAuth: [
     {
       cert: open('./transport.pem'),
       key: open('./transport.key'),
     },
   ],
};

We know that configuring the TLS per call is requested from us and are going to address this. in new HTTP module (https://github.com/grafana/k6/blob/master/docs/design/018-new-http-api.md)

Cheers!