Forum Discussion

srjturner
New Member
10 years ago

When will SoapUI support SNI?

We have multiple sites exposed on the same IP and port over TLS, with clients using SNI to indicate which site (which host) they are intending to connect to. When testing APIs with SoapUI the TLS connection always fails with an EOFException / "javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake" immediately after the TLS ClientHello has been sent.

*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1408226947 bytes = { 229, 169, 205, 153, 227, 0, 211, 234, 26, 193, 23, 125, 62, 146, 219, 236, 214, 160, 20, 8, 16, 244, 245, 229, 78, 204, 55, 117 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
***
Thread-20, WRITE: TLSv1.2 Handshake, length = 207
Thread-20, received EOFException: error
Thread-20, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
Thread-20, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure

The reason seems to be that the ClientHello does not include the SNI server_name extension, so the negotiation fails because the server does not know the intended host. The problem with SoapUI is that although Java has supported SNI since v7 (2011) it can only be set programmatically:

import java.util.*;
import javax.net.ssl.*;
SSLParameters sslParameters = sslSocket.getSSLParameters(); // sslSocket: an SSLSocket whose handshake has not started yet
SNIHostName serverName = new SNIHostName("www.example.com");
List<SNIServerName> serverNames = new ArrayList<>(1);
serverNames.add(serverName);
sslParameters.setServerNames(serverNames);
sslSocket.setSSLParameters(sslParameters); // must be applied before the handshake, or no server_name is sent


http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#SNIExtension 


Is there any workaround for configuring SNI in SoapUI (e.g. a system property that forces the server_name)? If not, please can you consider adding support for SNI server_name extension either in the global SSL preferences or the project security settings? Thanks.
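Added example, not code from the post, from SoapUI or from the JSSE guide: a small Python script that builds a minimal TLS 1.2 ClientHello with or without the server_name extension and then parses a ClientHello to report whether SNI is present, which is precisely what the SoapUI debug output above is missing. The host name and the cipher suite ids used in it are constructed sample values.

```python
import struct

# Added illustration (not SoapUI or JSSE code): build a minimal TLS 1.2 ClientHello
# with or without the server_name (SNI) extension, and parse a ClientHello to report
# whether SNI is present. Host names and cipher suite ids below are constructed samples.

TLS_EXT_SERVER_NAME = 0x0000   # RFC 6066 server_name extension type
SNI_HOST_NAME = 0              # NameType host_name
HANDSHAKE_CLIENT_HELLO = 0x01


def build_client_hello(cipher_suites, sni_host=None, client_random=bytes(32)):
    """Return one TLS record carrying a ClientHello; server_name is added only if sni_host is set."""
    body = b"\x03\x03"                                  # client_version: TLS 1.2
    body += client_random                               # 32-byte Random
    body += b"\x00"                                     # empty session id
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                 # compression methods: null only
    extensions = b""
    if sni_host is not None:
        host = sni_host.encode("ascii")
        entry = struct.pack("!BH", SNI_HOST_NAME, len(host)) + host
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", TLS_EXT_SERVER_NAME, len(sni_list)) + sni_list
    if extensions:                                      # the extensions block is optional in TLS 1.2
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record):
    """Return the host_name carried in the server_name extension, or None if it is absent."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                    # handshake header, version, Random
    sid_len = hs[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + cs_len
    comp_len = hs[pos]
    pos += 1 + comp_len
    if pos >= len(hs):
        return None                                     # no extensions block at all
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        data = hs[pos:pos + ext_size]
        pos += ext_size
        if ext_type != TLS_EXT_SERVER_NAME:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        i = 2
        while i + 3 <= 2 + list_len:
            name_type, name_len = struct.unpack("!BH", data[i:i + 3])
            i += 3
            name = data[i:i + name_len]
            i += name_len
            if name_type == SNI_HOST_NAME:
                return name.decode("ascii")
    return None


def diagnose(record):
    """Summarise a ClientHello the way a troubleshooter reads the SoapUI SSL debug log."""
    host = parse_sni(record)
    if host is None:
        return ("ClientHello carries no server_name extension; "
                "a name-based virtual host cannot pick a certificate for it")
    return "ClientHello names %s via server_name" % host


if __name__ == "__main__":
    suites = [0xC02B, 0xC02F, 0x002F]   # constructed sample suite ids, not a recommendation
    for hello in (build_client_hello(suites, sni_host="api.example.test"),
                  build_client_hello(suites)):
        print(len(hello), "bytes:", diagnose(hello))
```

Running the script prints one line per ClientHello: the first names the host, the second reproduces the situation in the thread, a hello with no server_name at all. Feeding parse_sni the raw bytes of a captured ClientHello (for example, the first TLS record of a pcap) gives the same answer for a real client. For comparison, Python's own ssl module sends server_name when SSLContext.wrap_socket is called with server_hostname set, which is the same switch the Java snippet above flips with setServerNames.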


  • Hi,


    For TLS, in the vmoptions file in your installation folder, add:

    -Dsoapui.https.protocols=TLSv1.2


    Close and open SoapUI pro.


    Thanks,
    Jeshtha

    • GeorgesAbitbol
      Occasional Visitor

      Hello,


      Same problem here: SOAPUI (v.5.1.3) does not send the "server_name" extension in its client hello message during the SSL handshake and therefore the SSL connection fails.


      Tried to add "-Dsoapui.https.protocols=TLSv1.2" in the VM options file, without success.


      Does anyone know how to support this SNI feature with the SOAPUI client?


      Thank you in advance...

      Georges Abitbol

      • dmitriy_fot
        Visitor

        hi,


        I am having the same issue. Tried with Java 7 and 8. server_name extension is not set and handshake fails.

        It looks like this JDK bug can be a reason: 


        https://bugs.openjdk.java.net/browse/JDK-8072464


        SmartBear, could you respond to this? Using HTTPS endpoints has become impossible for our tests.


        SSL Output:


        Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
        Extension ec_point_formats, formats: [uncompressed]
        Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
        ***
        main, WRITE: TLSv1.2 Handshake, length = 193
        main, READ: TLSv1.2 Alert, length = 2
        main, RECV TLSv1.2 ALERT: fatal, handshake_failure
        main, called closeSocket()
        main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
        main, called close()
        main, called closeInternal(true)
        11:49:12,051 DEBUG [SoapUIMultiThreadedHttpConnectionManager$SoapUIDefaultClientConnection] I/O error closing connection
        javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

  • Exact same problem here - with SoapUI 5.2.1: 

    server_name is not sent in Client Hello


    I need to test against AWS API Gateway, which requires SNI, so that appears to be impossible :-(


    srjturner already pointed at the bit of code that is missing.


    I looked in the source code, and I believe the change needs to be made in either enableSocket or createSocket in SoapUISSLSocketFactory:


    https://github.com/SmartBear/soapui/blob/HEAD/soapui/src/main/java/com/eviware/soapui/impl/wsdl/support/http/SoapUISSLSocketFactory.java


    I'm just hoping... is there a chance that this enhancement could be made any time soon?


    Pretty please? :-)