Forum Discussion

charlesfradley's avatar
charlesfradley
Contributor
9 years ago

Is there a "trust certificates" setting in the free version of SoapUI ?

Greetings,

 

In the Ready-API / SoapUI-NG-Pro tool there is a setting under "Interla Browser" option to "Trust Self Signed Certificate".

 

Is there such a "trust certificate" setting in the Open Source version of SoapUI ?   I cannot find any setting for Internal Browser on SoapUI-v5.2.1   Thanks.  CFR

  • rupert_anderson's avatar
    rupert_anderson
    Valued Contributor

    Hi,

     

    If you mean in terms of trusting server certificates then SoapUI is overridden to trust all certificates, I don't think there is a way to toggle this.

     

    If you need more details let me know,

    Regards,

    Rupert

     

    • charlesfradley's avatar
      charlesfradley
      Contributor

       

      The behavior I am seeing is different, specifically, the Open Source SoapUI is NOT trusting self signed certificates, this is apparent when trying to perform Oauth 2.0 authentication.

       

      I encountered the same problem in the Pro Ready-API, but solved it there by changing the Internal Browser setting to trust self signed certificates.

       

      In the Open Source  Version, the SoapUI Internal Browser  is not trusting the certificates and the internal browser is not able to open the authentication page.

       

      Thanks,

       

      CFR.

       

      • rupert_anderson's avatar
        rupert_anderson
        Valued Contributor

        Hi CFR,

         

        OK, no problem. My remark was regarding consuming a web service over HTTPS. In this case there is a custom SSLSocketFactory (SoapUISSLSocketFactory) that has been written to override the checkServerTrusted methods to do nothing. You can check this in the Git repository for the open source version:

           // trust everyone!
                X509TrustManager tm = new X509TrustManager() {
                    @Override
                    public X509Certificate[] getAcceptedIssuers() {
                        return null;
                    }
        
                    @Override
                    public void checkClientTrusted(X509Certificate[] certs, String authType) {
                    }
        
                    @Override
                    public void checkServerTrusted(X509Certificate[] certs, String authType) {
                    }
                };

        But this does not sound related to the browser part of the OAuth authentication functionality.

         

        Thanks,

        Rupert