Ask a Question
Log In / Sign Up
Resources
Ask a Question
Log In Sign Up

When will SoapUI support SNI?

srjturner
New Member
‎02-27-2015 01:21 PM
‎02-27-2015 01:21 PM

When will SoapUI support SNI?

We have multiple sites exposed on the same IP and port over TLS, with clients using SNI to indicate which site (which host) they are intending to connect to. When testing APIs with SoapUI the TLS connection always fails with an EOFException / "javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake" immediately after the TLS ClientHello has been sent.

 

*** ClientHello, TLSv1.2

RandomCookie:  GMT: 1408226947 bytes = { 229, 169, 205, 153, 227, 0, 211, 234, 26, 193, 23, 125, 62, 146, 219, 236, 214, 160, 20, 8, 16, 244, 245, 229, 78, 204, 55, 117 }

Session ID:  {}

Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]

Compression Methods:  { 0 }

Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}

Extension ec_point_formats, formats: [uncompressed]

Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA

***

Thread-20, WRITE: TLSv1.2 Handshake, length = 207

Thread-20, received EOFException: error

Thread-20, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake

Thread-20, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure

 

The reason seems to be that the ClientHello does not include the SNI server_name extension, so the negotiation fails because the server does not know the intended host.  The problem with SoapUI is that although Java has supported SNI since v7 (2011) it can only be set programatically: 

 

SNIHostName serverName = new SNIHostName("www.example.com");
List<SNIServerName> serverNames = new ArrayList<>(1);
serverNames.add(serverName);
sslParameters.setServerNames(serverNames);

 

http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#SNIExtension 

 

Is there any workaround for configuring SNI in SoapUI (e.g. a system property that forces the server_name)? If not, please can you consider adding support for SNI server_name extension either in the global SSL preferences or the project security settings? Thanks.

 

 

5 REPLIES 5
JKambli
Staff
Staff
‎03-03-2015 12:50 PM
‎03-03-2015 12:50 PM

Hi,

 

For TLS, in your installation folder in vmoptions file add,

-Dsoapui.https.protocols=TLSv1.2

 

Close and open SoapUI pro.

 

Thanks,
Jeshtha


Did my reply answer your question? Give Kudos or Accept it as a Solution to help others. ⬇️⬇️⬇️
0 Kudos
GeorgesAbitbol
Occasional Visitor
In response to JKambli
‎06-26-2015 08:03 AM
‎06-26-2015 08:03 AM

Hello,

 

Same problem here : SOAPUI (v.5.1.3) does not send "server_name" extension in its client hello message during SSL handshake and therefor SSL connection fails.

 

Tried to add "-Dsoapui.https.protocols=TLSv1.2" in the VM options file, without success.

 

Does anyone known how to support this SNI feature with SOAPUI client?

 

Thank you in advance...

Georges Abitbol

0 Kudos
dmitriy_fot
Visitor
In response to GeorgesAbitbol
‎06-07-2016 03:10 AM
‎06-07-2016 03:10 AM

hi,

 

I am having the same issue. Tried with Java 7 and 8. server_name extension is not set and handshake fails.

It looks like this JDK bug can be a reason: 

 

https://bugs.openjdk.java.net/browse/JDK-8072464

 

SmartBear, could you respond to it, using HTTPS endpoints has become impossible for out tests.

 

SSL Output:

 

Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
***
main, WRITE: TLSv1.2 Handshake, length = 193
main, READ: TLSv1.2 Alert, length = 2
main, RECV TLSv1.2 ALERT: fatal, handshake_failure
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main, called close()
main, called closeInternal(true)
11:49:12,051 DEBUG [SoapUIMultiThreadedHttpConnectionManager$SoapUIDefaultClientConnection] I/O error closing connection
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
***
main, WRITE: TLSv1.2 Handshake, length = 193
main, READ: TLSv1.2 Alert, length = 2
main, RECV TLSv1.2 ALERT: fatal, handshake_failure
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main, called close()
main, called closeInternal(true)
11:49:12,051 DEBUG [SoapUIMultiThreadedHttpConnectionManager$SoapUIDefaultClientConnection] I/O error closing connection
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

FreeWillaert
New Contributor
‎06-12-2016 07:28 AM
‎06-12-2016 07:28 AM

Exact same problem here - with SoapUI 5.2.1: 

server_name is not sent in Client Hello

 

I need to test against AWS API Gateway, which requires SNI, so that appears to be impossible 😞

 

 

@srjturner already pointed at the bit of code that is missing.

 

I looked in the source code, and I believe the change needs to be made in either enableSocket or createSocket in SoapUISSLSocketFactory:

 

https://github.com/SmartBear/soapui/blob/HEAD/soapui/src/main/java/com/eviware/soapui/impl/wsdl/supp...

 

 

I'm just hoping... is there a chance that this enhancement could be made any time soon?

 

Pretty please? 🙂

0 Kudos
FreeWillaert
New Contributor
In response to FreeWillaert
‎06-12-2016 07:40 AM
‎06-12-2016 07:40 AM

Update: There's a PR for adding SNI support: https://github.com/SmartBear/soapui/pull/211

BUT as I understand it, the solution provided there is not correct.

 

The solution referenced here (above) seems to be the way to go.

0 Kudos
Subscribe
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: