docs

Getting started

Welcome
Installation
Running k6
Results output
k6 resources

Using k6

HTTP Requests
Metrics
Checks
Thresholds
Options
Test life cycle
Modules
Tags and Groups
Cookies
Protocols
Environment variables
Execution context variables
Scenarios

Test authoring

Test builder
Recording a session

Results visualization

End-of-test summary
Amazon CloudWatch
Cloud
CSV
Datadog
Grafana Cloud
InfluxDB + Grafana
JSON
Netdata
New Relic
Prometheus
TimescaleDB
StatsD

Test Types

Introduction
Smoke testing
Load testing
Stress testing
Soak testing

Testing Guides

API load testing
Automated performance testing
Load testing websites
Running large tests

Misc

Usage collection
IntelliSense
Fine tuning OS
Archive Command
Release notes
Glossary
k6.ioapp.k6.io

No results for

Powered byAlgolia

SSL/TLS version and ciphers

suggest edits

To support testing specific client configurations, k6 allows you to specify a version or range of versions of SSL/TLS that are allowed for a connection. You can as also specify which cipher suites are allowed for that connection.

⚠️ Reg. ciphers and TLS 1.3

Due to limitations in the underlying go implementation, changing the ciphers for TLS 1.3 is not supported and will do nothing.

Limiting SSL/TLS version

To limit the k6 to a specific SSL/TLS version, use a global configuration option:

Limiting to a specific SSL/TLS version
1import http from 'k6/http';
2

3export const options = {
4  tlsVersion: http.TLS_1_2,
5};
6

7export default function () {
8  http.get('https://badssl.com');
9}
You can also accept a range of SSL/TLS versions:
Limiting to a range of SSL/TLS versions
1import http from 'k6/http';
2

3export const options = {
4  tlsVersion: {
5    min: http.SSL_3_0,
6    max: http.TLS_1_2,
7  },
8};
9

10export default function () {
11  http.get('https://badssl.com');
12}

Versions available to choose from

Here's the list of available SSL/TLS versions that you can choose from, ordered from oldest version to latest.

  • http.SSL_3_0
  • http.TLS_1_0
  • http.TLS_1_1
  • http.TLS_1_2

Limiting cipher suites

To limit the cipher suites that k6 is allowed to use, there's a global configuration option. You choose a list of allowed ciphers:

Limiting cipher suites
1import http from 'k6/http';
2

3export const options = {
4  tlsCipherSuites: ['TLS_RSA_WITH_RC4_128_SHA', 'TLS_RSA_WITH_AES_128_GCM_SHA256'],
5};
6

7export default function () {
8  http.get('https://badssl.com');
9}

Checking SSL/TLS version and cipher suite used in requests

You can also check which SSL/TLS version and ciphers were used. To do so, look at the tls_version and tls_cipher_suite response object properties.

Check SSL/TLS version and cipher suite
1import http from 'k6/http';
2import { check } from 'k6';
3

4export default function () {
5  const res = http.get('https://sha256.badssl.com');
6  check(res, {
7    'is TLSv1.2': (r) => r.tls_version === http.TLS_1_2,
8    'is sha256 cipher suite': (r) => r.tls_cipher_suite === 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
9  });
10}

Cipher suites available to choose from

Here's a list of available SSL/TLS cipher suites:

  • TLS_RSA_WITH_RC4_128_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_RC4_128_SHA
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

⚠️ Differences depending on k6 build

This list reflects the available cipher suites in the latest official build. If you are using a custom-built k6, the available cipher suites will depend on the Go version you compiled it with, see https://golang.org/pkg/crypto/tls/#pkg-constants.

previousSSL/TLS client certificates