docs
Guides

Getting started

Using k6

Test authoring

Results visualization

Test Types

Testing Guides

Misc

k6.ioapp.k6.io

No results for

Powered byAlgolia
Using k6
Protocols
SSL-TLS
SSL-TLS version and ciphers

SSL/TLS version and ciphers

suggest edits

To support testing specific client configurations k6 allows you to set a specific version or range of versions of SSL/TLS that should be allowed for a connection, as well as which cipher suites are allowed to be used on that connection.

⚠️ Reg. ciphers and TLS 1.3

Due to limitations in the underlying go implementation changing of the ciphers for TLS 1.3 is not supported and will do nothing.

Limiting SSL/TLS version

Limiting the SSL/TLS versions that k6 will be allowed to use during a test is a global configuration option. You can choose to limit to a specific version:

Limiting to a specific SSL/TLS version
1import http from 'k6/http';
2

3export let options = {
4  tlsVersion: http.TLS_1_2,
5};
6

7export default function () {
8  http.get('https://badssl.com');
9}
or choose to accept a range of SSL/TLS versions:
Limiting to a range of SSL/TLS versions
1import http from 'k6/http';
2

3export let options = {
4  tlsVersion: {
5    min: http.SSL_3_0,
6    max: http.TLS_1_2,
7  },
8};
9

10export default function () {
11  http.get('https://badssl.com');
12}

Versions available to choose from

Below is the list of available SSL/TLS version that you can choose from. They are listed in order from lowest/oldest version to highest/newest version.

  • http.SSL_3_0
  • http.TLS_1_0
  • http.TLS_1_1
  • http.TLS_1_2

Limiting cipher suites

Limiting the cipher suites that k6 is allowed to use during a test is a global configuration option. You choose a list of allowed ciphers:

Limiting cipher suites
1import http from 'k6/http';
2

3export const options = {
4  tlsCipherSuites: [
5    'TLS_RSA_WITH_RC4_128_SHA',
6    'TLS_RSA_WITH_AES_128_GCM_SHA256',
7  ],
8};
9

10export default function () {
11  http.get('https://badssl.com');
12}

Checking SSL/TLS version and cipher suite used in request

You can also check which SSL/TLS version and ciphers were used to make a request by looking at the tls_version and tls_cipher_suite response object properties.

Check SSL/TLS version and cipher suite
1import http from 'k6/http';
2import { check } from 'k6';
3

4export default function () {
5  const res = http.get('https://sha256.badssl.com');
6  check(res, {
7    'is TLSv1.2': (r) => r.tls_version === http.TLS_1_2,
8    'is sha256 cipher suite': (r) =>
9      r.tls_cipher_suite === 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
10  });
11}

Cipher suites available to choose from

Below is a list of available SSL/TLS cipher suites to choose from.

  • TLS_RSA_WITH_RC4_128_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_RC4_128_SHA
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

⚠️ Differences depending on k6 build

Note that there could be differences from the above list of available cipher suites depending on which k6 build your running.

The list above will reflect the available cipher suites in the latest official build. If you are using a custom-built k6 then the cipher suites available will be dependent on the Go version you compiled it with, see https://golang.org/pkg/crypto/tls/#pkg-constants.

previousSSL/TLS client certificates