rxwcheer
Occasional Contributor
10 years ago

How do I add a Cipher string to an HTTP Request?

We need to test SSL protocol support on our website and need to control the cipher strings being presented in our HTTP requests. How do we do this? Thank you.

  • rxwcheer
    10 years ago

    I am working directly with SmartBear support on this question and they are providing valuable insight.

    My first observation is that the SOAPUI/Ready! API application does not provide control of the Cipher string at the request level. The Cipher string is set globally during startup.

    Second: The SOAPUI/Ready! API application provides support for ciphers based on OpenSSL. The cipher suite names may be found on the OpenSSL support site. http://www.openssl.org/docs/apps/ciphers.html

    Third: SOAPUI/Ready! API application provides us with several methods of starting the application. The Windows start menu, command line execution and batch files are all available. The Windows start menu startup uses the SoapUI-5.1.3.vmoptions/ReadyAPI-1.3.0.vmoptions file. The batch file startup uses soapui.bat/ready-api.bat. This design provides us with the ability to create multiple configurations via the use of numerous iterations of these configuration/startup files.

    Fourth: The JVM option -Dsoapui.https.protocols provides management of the SSL protocol list. This option controls which SSL protocols are available when negotiating the initial HTTPS connection between the client and the server.

    Fifth: The JVM option -Dsoapui.https.ciphers directs the SOAPUI/Ready! API application to use the OpenSSL cipher string when sending the request to the server.

    Sixth: The JAVA JRE which is included with the SOAPUI/Ready! API application does not include the "unlimited" version of the JCE; JAVA Cryptography Extensions. You will need to acquire the current version of the JCE from Oracle to expand the list of potential cipher strings to include all possibilities. Information related to the JAVA JCE may be found at this URL. http://www.oracle.com/technetwork/java/javase/overview/index.html

    Summary: Addition of the following JVM options to the appropriate configuration file will provide you with the ability to control the cipher string and SSL protocol used by the SOAPUI/Ready! API application.

    -Dsoapui.https.protocols=<TLSv1.2, TLSv1, SSLv3>
    -Dsoapui.https.ciphers=<cipher suite name>
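
An independent cross-check for the setup described in the post above, as an added example (not from the thread or from SmartBear): a Python client that pins one protocol version and one OpenSSL cipher string, then reports whether a server you operate accepts the handshake. The function names and status labels are assumptions of this example; Python's ssl module takes OpenSSL cipher strings, the naming the post refers to.

```python
import socket
import ssl
import sys

# Protocol names as written in the post's -Dsoapui.https.protocols list.
VERSIONS = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

def build_context(protocol, cipher_string):
    """Client context pinned to one protocol version and one OpenSSL cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = VERSIONS[protocol]
    ctx.maximum_version = VERSIONS[protocol]
    ctx.set_ciphers(cipher_string)  # ssl.SSLError if the string selects nothing
    return ctx

def offered_ciphers(ctx):
    """Suites the context will offer. OpenSSL lists TLS 1.3 suites regardless
    of set_ciphers(), so they are filtered out here."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def probe(host, port, protocol, cipher_string, timeout=5.0):
    """Return ('accepted', version, cipher), or (status, reason) otherwise."""
    try:
        ctx = build_context(protocol, cipher_string)
    except (ssl.SSLError, ValueError) as exc:
        # The local OpenSSL build cannot offer this: no statement about the server.
        return ("local", str(exc))
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("accepted", tls.version(), tls.cipher()[0])
    except ssl.SSLCertVerificationError as exc:
        return ("cert-error", str(exc))
    except ssl.SSLError as exc:
        # Raised before anything is sent when the client has the version disabled.
        local = exc.reason == "NO_PROTOCOLS_AVAILABLE"
        return ("local" if local else "rejected", str(exc))
    except ConnectionResetError as exc:
        return ("rejected", str(exc))

if __name__ == "__main__":
    # Usage: python tls_probe.py <host> <cipher string>, against a server you operate.
    host, ciphers = sys.argv[1], sys.argv[2]
    for name in VERSIONS:
        print(name, probe(host, 443, name, ciphers))
```

A `local` result means the client's own OpenSSL build could not offer that protocol or cipher, so it is not evidence about the server. Legacy versions can also fail on the client side under its OpenSSL security level, which then shows up as `rejected`.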

     

  • Where do you want to add the cipher string, body or header? It's fairly easy to add strings but you need to supply some more information about the hows and wheres.

    • rxwcheer
      Occasional Contributor

      The cipher string we need to apply is directed toward the SSL/TLS protocol and the initial connection setup. We need to be able to manipulate the SSLv2, SSLv3, and TLSv1.2 protocols to verify compliance. As many of you know, the SSLv2 and SSLv3 protocols have been deemed insecure and have been deprecated. Our current test tool does not support any TLS connectivity, so we are researching the use of SOAPUI. Thank you.

      • Armageddonsoft
        Contributor

        Not sure if this is what you are looking for, but you can set up SSL authentication in the SoapUI preferences (click File => Preferences) here:

        [Image: Capture.JPG]