Forum Discussion

dsheehan
14 years ago

SoapUIEasySSLProtocolSocketFactory ignoring ciphers

SoapUIEasySSLProtocolSocketFactory is ignoring the use of the "soapui.https.ciphers" property on the initial handshake.

Currently the creation of the socket and the initial handshake are delegated to the underlying EasySSLProtocolSocketFactory.createSocket().

The ciphers are only being set on the existing socket after invalidation of the existing session.

private synchronized Socket enableSocket( SSLSocket socket )
{
    // The socket returned by createSocket() has already completed its initial
    // handshake at this point; invalidating the session only affects future
    // (re)negotiations, not the ClientHello that was already sent.
    socket.getSession().invalidate();

    String protocols = System.getProperty( "soapui.https.protocols" );
    String ciphers = System.getProperty( "soapui.https.ciphers" );

    if( StringUtils.hasContent( protocols ) )
    {
        socket.setEnabledProtocols( protocols.split( "," ) );
    }
    else if( socket.getSupportedProtocols() != null )
    {
        socket.setEnabledProtocols( socket.getSupportedProtocols() );
    }

    if( StringUtils.hasContent( ciphers ) )
    {
        socket.setEnabledCipherSuites( ciphers.split( "," ) );
    }
    else if( socket.getSupportedCipherSuites() != null )
    {
        socket.setEnabledCipherSuites( socket.getSupportedCipherSuites() );
    }
    return socket;
}


This means that the initial handshake is not using the ciphers that have been chosen for SoapUI.

To identify this, I used

-Djavax.net.debug=ssl,handshake
-Dsoapui.https.ciphers=SSL_RSA_WITH_RC4_128_MD5

Expected: the only supported cipher to be SSL_RSA_WITH_RC4_128_MD5.
Actual: the default set of ciphers from getSupportedCipherSuites().

LogList Updater for soapUI log, setSoTimeout(86400000) called
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1302860870 bytes = { 252, 138, 119, 178, 182, 217, 252, 132, 57, 82, 190, 93, 43, 51, 110, 19, 7, 165, 4, 75, 164, 238, 235, 236, 70, 207, 145, 30 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
***
LogList Updater for soapUI log, WRITE: TLSv1 Handshake, length = 163
LogList Updater for soapUI log, READ: TLSv1 Handshake, length = 74
*** ServerHello, TLSv1
RandomCookie: GMT: 1302860868 bytes = { 71, 60, 23, 97, 32, 61, 75, 9, 233, 2, 224, 186, 158, 6, 191, 132, 213, 190, 26, 122, 211, 71, 197, 193, 96, 119, 108, 147 }
Session ID: {186, 124, 219, 21, 138, 22, 131, 251, 207, 65, 126, 117, 122, 206, 208, 115, 32, 55, 105, 251, 137, 141, 2, 75, 217, 163, 143, 143, 15, 170, 233, 47}
Cipher Suite: SSL_RSA_WITH_RC4_128_SHA
Compression Method: 0
***
Warning: No renegotiation indication extension in ServerHello
%% Initialized: [Session-1, SSL_RSA_WITH_RC4_128_SHA]
** SSL_RSA_WITH_RC4_128_SHA
LogList Updater for soapUI log, READ: TLSv1 Handshake, length = 1431

The scenario where this is needed is to test that a server is implementing the correct set of cipher suites.
Based on (business) security policy, they only support a particular set of cipher suites that meet their security needs.
By setting SoapUI to use a specific set of ciphers, we can determine if the server has been configured correctly.
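As an added example, not code from the post above or from the SoapUI project, the following standalone Java client shows the ordering the post is asking for: the enabled protocols and cipher suites are applied to the SSLSocket before startHandshake() is called, so the ClientHello carries only the configured suites. It reads the same soapui.https.protocols and soapui.https.ciphers properties; the class name, the helper methods and the example.com placeholder host are assumptions of this example.

```java
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Added example (not SoapUI code): open an SSLSocket and restrict it to the
 * protocols/ciphers named in the soapui.https.* system properties BEFORE the
 * initial handshake, so the restriction is visible in the ClientHello.
 */
public final class RestrictedSslClient {

    /** Split a comma-separated property value, dropping blanks; null when unset. */
    static String[] parseList(String value) {
        if (value == null || value.trim().isEmpty()) {
            return null;
        }
        List<String> out = new ArrayList<>();
        for (String part : value.split(",")) {
            String trimmed = part.trim();
            if (!trimmed.isEmpty()) {
                out.add(trimmed);
            }
        }
        return out.isEmpty() ? null : out.toArray(new String[0]);
    }

    /**
     * Apply the restrictions to a socket whose handshake has not started yet.
     * A requested suite the JVM does not support fails loudly with a clear
     * message instead of silently leaving the default list in place
     * (setEnabledCipherSuites would also reject it, with a terser error).
     */
    static SSLSocket restrict(SSLSocket socket, String[] protocols, String[] ciphers) {
        if (protocols != null) {
            socket.setEnabledProtocols(protocols);
        }
        if (ciphers != null) {
            Set<String> supported = new HashSet<>(Arrays.asList(socket.getSupportedCipherSuites()));
            for (String cipher : ciphers) {
                if (!supported.contains(cipher)) {
                    throw new IllegalArgumentException("Cipher suite not supported by this JVM: " + cipher);
                }
            }
            socket.setEnabledCipherSuites(ciphers);
        }
        return socket;
    }

    /**
     * Connect, restrict, then handshake explicitly. The negotiated suite is
     * necessarily one of the enabled ones; a server that offers none of them
     * fails the handshake, which is the signal the test is looking for.
     */
    public static String connectAndReport(String host, int port) throws IOException {
        String[] protocols = parseList(System.getProperty("soapui.https.protocols"));
        String[] ciphers = parseList(System.getProperty("soapui.https.ciphers"));
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        // createSocket(host, port) connects but does not handshake until
        // startHandshake() or the first read/write.
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            restrict(socket, protocols, ciphers);
            socket.startHandshake();
            return socket.getSession().getCipherSuite();
        }
    }

    public static void main(String[] args) throws IOException {
        String host = args.length > 0 ? args[0] : "example.com"; // placeholder target
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        System.out.println("Negotiated cipher suite: " + connectAndReport(host, port));
    }
}
```

Run it with the same flags as in the post, for example `java -Djavax.net.debug=ssl,handshake -Dsoapui.https.ciphers=SSL_RSA_WITH_RC4_128_MD5 RestrictedSslClient <host> <port>`, and the ClientHello in the debug output lists only that suite. When the server's policy excludes every offered suite the handshake ends with an SSLHandshakeException rather than a connection, which is exactly the check a cipher-policy test needs; the invalidate-and-reconfigure approach in the original snippet cannot produce that result because the first handshake has already been completed with the default list.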