HTTP(SM) is an HTTP/HTTPS network detection plug-in that supports both national-cryptography GM-SSL (SM2/SM3/SM4) and standard TLS. It is suited to scenarios that need to verify national-cryptography TLS compatibility, certificate validity and general HTTPS performance.

| Parameter name | Type | Required | Default value | Explanation and impact |
|---|---|---|---|---|
| url | string | yes | — | Target URL. If it does not start with a protocol scheme, https:// is prepended automatically. Determines the target address and protocol type of the request. If a domain name is given, DNS resolution is triggered and the resolution time is reported as a separate metric. |
| ipVersion | string | no | IPv4 | IP protocol version. Set to IPv6 to force the use of IPv6 (internally marked as 1); otherwise IPv4 is used by default. Affects the address family used for domain name resolution, socket creation and the connection path. The parameter name must be ipVersion. |
| method | string | no | GET | HTTP request method (such as GET, POST, PUT). If the data parameter is set, the method is automatically forced to POST; there is no need to specify it manually. |

| Parameter name | Type | Required | Default value | Explanation and impact |
|---|---|---|---|---|
| mode | integer | no | 0 | Handshake mode; directly determines the behavior of the encryption protocol stack: • 0: GM-SSL (national cryptography) only. If the target does not support GM-SSL, the handshake fails immediately. • 1: Automatic switching. GM-SSL is tried first, with fallback to standard TLS if that fails. This gives the best compatibility, but the first handshake may take longer because both protocols are tried. This parameter is the core feature of the plug-in: it determines whether the plug-in can communicate with servers that only support national cryptography. |
| insecure | boolean | no | true | Whether to skip TLS certificate verification. When true, the server certificate chain is not verified (similar to curl -k), so services with self-signed certificates can be reached; when false, the certificate chain and host name are strictly verified, and a verification failure triggers a handshake error. |
| cert | string | no | — | Client certificate in PEM format, used for mutual TLS (mTLS) authentication. May be repeated on multiple lines to assemble the complete certificate chain. Once this parameter is set, the server can verify the client's identity. |
| key | string | no | — | Client private key in PEM format. It is paired with cert, and both must be set together. May be repeated on multiple lines. If cert is set but key is missing, an error is reported during the handshake phase. |
| ccert | boolean | no | false | Certificate validity check switch. When true, the plug-in checks the NotBefore and NotAfter fields of the server certificate. If the current time is not within the validity period, it reports the certificate-expired error (699000). |

| Parameter name | Type | Required | Default value | Explanation and impact |
|---|---|---|---|---|
| data | string | no | — | POST request body content. |
| header | string | no | — | Custom HTTP request header. May be repeated on multiple lines (one header=Key: Value per line). Can be used to set Content-Type, Authorization, etc. Note that it may conflict with the Basic authentication header generated from username/password, with one overwriting the other. |
| username | string | no | — | Basic authentication user name. When this parameter is set, the plug-in automatically generates an `Authorization: Basic <base64>` request header. |
| password | string | no | — | Basic authentication password. Paired with username. |

| Parameter name | Type | Required | Default value | Explanation and impact |
|---|---|---|---|---|
| ctype | integer | no | 0 | Response verification type; determines how the HTTP response body/header is verified: • 0: No check, any response passes. • 1: Response body equals cvalue (case sensitive). • 2: Response body contains cvalue (case sensitive). • 3: Response body matches the cvalue regular expression. • 4: The MD5 of the response body equals cvalue (case insensitive). • 5: The response header contains the key:value pairs specified in cvalue (multiple header fields are separated by CRLF in cvalue). A failed verification triggers the corresponding error code. |
| cvalue | string | conditional | — | Expected value for verification. Must be set when ctype ≠ 0. Its format and semantics depend on the value of ctype. May be repeated on multiple lines (one cvalue=... per line, joined internally with \r\n), which can be used to build multi-line regular expressions or multi-header checks. |

| Combined scenario | Actual behavior |
|---|---|
| mode=0 (default) + target only supports standard TLS | The GM-SSL handshake fails and the task reports an error (612157, handshake failed). |
| mode=1 + target only supports standard TLS | GM-SSL is tried first and fails; the plug-in automatically falls back to standard TLS and succeeds. The total time includes both attempts. |
| mode=0 (default) + target supports national cryptography | GM-SSL is used successfully; the handshake speed may differ from standard TLS, and the cipher suite ID is usually 0xe011 or 0xe013. |
| data is set + method=GET | method is forcibly overridden to POST, and data is sent as the request body. |
| cert is set + key is not set | Mutual authentication lacks the private key, and an error is reported during the TLS handshake phase. |
| insecure=true + certificate expired | The handshake can succeed even though the certificate has expired (because verification is skipped), but ccert=true still checks the validity period separately and may report an error. |
| insecure=false + self-signed certificate | Certificate chain verification fails and the handshake error 612157 is reported. |
| ctype=4 + cvalue=abcdef | The MD5 of the response body is calculated and compared with abcdef (case insensitive). If there is no match, 612275 is reported. |
| ctype=5 + cvalue=Content-Type: application/json | Checks whether the response header contains Content-Type: application/json. If it does not match, 612290 is reported. |
| header passed on multiple lines | Each line is parsed into one request header; the format should be HeaderName: HeaderValue. |

| Stage | Indicator name | Unit | Description |
|---|---|---|---|
| 0 | Total Download Time | ms | The overall time from initiating the request to receiving the complete response. It is the core indicator for measuring end-to-end performance. |
| 1 | DNS Lookup Time | ms | The time taken to resolve the domain name in the host to an IP address. Close to 0 when connecting directly by IP. |
| 2 | Connection Establishment Time | ms | The time taken to complete the TCP three-way handshake. Reflects the quality of the direct network-layer connection to the target server. |
| 3 | TLS/GM handshake time | ms | The time taken by the cryptographic handshake. Under standard TLS, this is certificate exchange + key negotiation; under GM-SSL, it is the national-cryptography SM2/SM3/SM4 handshake process. This metric is the key figure for distinguishing national-cryptography performance from standard TLS performance. |
| 4 | Request sending time | ms | The time taken to send the HTTP request header and body. It may increase when uplink bandwidth is insufficient or the body is large. |
| 5 | Time to First Byte (TTFB) | ms | The time from sending the request to receiving the first response byte. Reflects how quickly the server processes the request and returns the first packet. |
| 6 | Remaining time to receive | ms | The time from the first byte until the response body is completely received. Reflects response body size and downstream bandwidth. |
| 7 | Download Speed | B/s | The average download speed of the response body, calculated as body bytes / elapsed time after the first byte. |
| 8 | Total Download Bytes | bytes | The total number of bytes of the response body received (excluding HTTP headers). |
| 9 | Cipher suite ID | integer | The negotiated TLS/GM cipher suite identifier. |
| 10 | TLS/GM version | integer | The negotiated protocol version identifier. Used to confirm whether it is standard TLS 1.2/1.3 or the national-cryptography GM-SSL version. |

| Info value | Meaning | Trigger condition |
|---|---|---|
| 612007 | DNS resolution failed | The domain name cannot be resolved to an IP address. |
| 612029 | TCP connection failed | The target refused the connection or was unreachable on the network. |
| 612157 | TLS/SSL handshake failed | Certificate verification failed, protocol mismatch (such as mode=0 national cryptography not supported by the target), cipher suite negotiation failed, etc. |
| 612002 | Request timeout | The overall request exceeded the configured timeout value. |
| 612272 | Body content check failed | When ctype=1 or ctype=2, the body does not match cvalue. |
| 612275 | MD5 check failed | When ctype=4, the MD5 of the body does not match cvalue. |
| 612290 | Header check failed | When ctype=5, the response header does not contain the key-value pair specified by cvalue. |
| 699000 | Certificate expired | When ccert=true, the validity period of the server certificate (NotBefore/NotAfter) does not include the current time. |

| Cipher suite ID | Description |
|---|---|
| 0xe011 | ECC-SM4-SM3 (SM2 key exchange + SM4 encryption + SM3 digest) |
| 0xe013 | ECDHE-SM4-SM3 (SM2 ephemeral key exchange + SM4 encryption + SM3 digest) |

| Mode | Behavior | Applicable scenarios |
|---|---|---|
| mode=0 (GM-SSL only) | Only the national-cryptography Client Hello is sent. If the target does not support it, the handshake fails immediately. | Dedicated national-cryptography compatibility testing |
| mode=1 (automatic switching) | GM-SSL is tried first; standard TLS is retried automatically on failure. | General-purpose detection, compatible with both national-cryptography and non-national-cryptography targets |
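
The parameter interactions from the tables above, written as a pre-flight check that resolves the effective settings and lists what a task author should review before deploying a probe. This is an added example, not the plug-in's own code: the function name `preflight`, the dict/list input shape and the finding strings are assumptions, while the rules themselves come from this page.

```python
import base64

# Defaults as listed in the parameter tables on this page.
DEFAULTS = {"ipVersion": "IPv4", "method": "GET", "mode": 0,
            "insecure": True, "ccert": False, "ctype": 0}

def preflight(params):
    """Return (effective, findings). Repeatable parameters (header, cvalue)
    are passed as lists of lines; this input shape is an assumption."""
    p = {**DEFAULTS, **params}
    findings = []
    url = p.get("url", "")
    if not url:
        findings.append("url is required")
    elif not url.lower().startswith(("http://", "https://")):
        p["url"] = "https://" + url            # scheme is auto-completed
    if p.get("data") is not None and p["method"].upper() != "POST":
        findings.append("data is set: method %s is forced to POST" % p["method"])
        p["method"] = "POST"
    if p.get("cert") and not p.get("key"):
        findings.append("cert without key: error during the TLS handshake")
    cvalue = p.get("cvalue") or []
    if isinstance(cvalue, str):
        cvalue = [cvalue]
    if p["ctype"] != 0 and not cvalue:
        findings.append("ctype != 0 requires cvalue")
    p["cvalue"] = "\r\n".join(cvalue)          # lines are joined with CRLF
    headers = []
    for line in p.get("header", []):
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            findings.append("malformed header line: %r" % line)
            continue
        headers.append((name.strip(), value.strip()))
    if p.get("username") is not None:
        if any(n.lower() == "authorization" for n, _ in headers):
            findings.append("Authorization set by both header and username/password")
        cred = "%s:%s" % (p["username"], p.get("password", ""))
        headers.append(("Authorization",
                        "Basic " + base64.b64encode(cred.encode()).decode()))
    p["header"] = headers
    if p["insecure"]:
        note = "insecure=true: certificate chain and host name are not verified"
        if p["ccert"]:
            note += "; ccert checks only NotBefore/NotAfter"
        findings.append(note)
    if p["mode"] == 1:
        findings.append("mode=1: success may come from the standard TLS "
                        "fallback; confirm with the TLS/GM version metric")
    return p, findings
```

Because insecure defaults to true, a probe only detects an untrusted chain or a host name mismatch when insecure=false is set explicitly.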