The behavior I am seeing is different, specifically, the Open Source SoapUI is NOT trusting self signed certificates, this is apparent when trying to perform Oauth 2.0 authentication.
I encountered the same problem in the Pro Ready-API, but solved it there by changing the Internal Browser setting to trust self signed certificates.
In the Open Source Version, the SoapUI Internal Browser is not trusting the certificates and the internal browser is not able to open the authentication page.
Thanks,
CFR.
Hi CFR,
OK, no problem. My remark was regarding consuming a web service over HTTPS. In this case there is a custom SSLSocketFactory (SoapUISSLSocketFactory) that has been written to override the checkServerTrusted methods to do nothing. You can check this in the Git repository for the open source version:
// trust everyone!
X509TrustManager tm = new X509TrustManager() {
@Override
public X509Certificate[] getAcceptedIssuers() {
return null;
}
@Override
public void checkClientTrusted(X509Certificate[] certs, String authType) {
}
@Override
public void checkServerTrusted(X509Certificate[] certs, String authType) {
}
};
But this does not sound related to the browser part of the OAuth authentication functionality.
Thanks,
Rupert
Hi Rupert, regarding the custom SSLSocketFactory, does this relate to a java library somewhere which would need to be edited ? So far I have avoided getting involved with editing SoapUI java code .....
We are having a lot of trouble understanding why this is so difficult to do in the soapUI free version, up until now we have been using Postman where this can be done very easily .... it is making it difficult for me to persuade people to migrate from Postman to SoapUI.
Of course we could purchase morel licenses to the professional version, where this problem does not exist.
So far the low level of support we are receiving for the licensed testserver product is not encouraging us to buy more licenses.
Smartbear claim they support Oauth 2.0, but that is not entirely accurate.
Hi Charles,
After seeing the emphasis of your post is about SoapUI not trusting self-signed certificates, I think my point about the custom SSLSocketFactory night be unrelated. The purpose of the overrides made in that custom SSLSocketFactory are to make SoapUI (acting as the client) trust all server certificates by not checking the validity of the server's certificate in SoapUI's truststore. Whereas the problem you're facing sounds like it is OAuth 2 related and to do with SoapUI not trusting your server's certificate?
Is there any specific error? I think I have only used SoapUI OAuth 2 functionality to test commercial APIs that are backed by a trusted CA e.g. verisign etc, maybe its a bug in the case of self-signed certificates as you say?
Regards,
Rupert
