rxwcheer, Occasional Contributor. Joined 10 years ago. 11 posts, 7 likes received, 2 solutions.
Contributions

How do we enumerate the values available in the soapui.https.ciphers JVM option?

We are attempting to validate several TLS and SSLv3 cipher strings in SOAPUI v5.2.0. We have entered several values which are listed as valid on the OpenSSL support pages. When we attempt to send our messages in SOAPUI we receive a message stating that the cipher is not valid.

*****************************************
05:42:02,543 ERROR [SoapUI] An error occurred [Unsupported ciphersuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256], see error log for details
05:42:02,583 DEBUG [SoapUIMultiThreadedHttpConnectionManager$SoapUIDefaultClientConnection] Connection shut down
05:42:02,586 ERROR [WsdlSubmit] Exception in request: java.lang.IllegalArgumentException: Unsupported ciphersuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
05:42:02,587 ERROR [SoapUI] An error occurred [Unsupported ciphersuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256], see error log for details
05:42:02,597 INFO [AbstractHttpRequestDesktopPanel] Error getting response for [.SOAP12:INT.276RT]; java.lang.IllegalArgumentException: Unsupported ciphersuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
*****************************************

We have updated the JCE within the SOAPUI JRE to include the unlimited version of the JCE. We understand that the version of OpenSSL used by SOAPUI does in theory support the cipher string we are attempting to use. Here is the white list of cipher strings we are attempting to validate. We know that the ECDHE-RSA-AES128-SHA string works, but it appears that the GCM and ECDSA versions do not. The same is true for the DHE and DSS.
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSAAES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-DSS-AES128-GCM-SHA256
kEDH+AESGCM
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA256
DHE-RSA-AES256-SHA256
DHE-DSS-AES256-SHA
DHE-RSAAES256-SHA

Is there any way to extract a list of valid ciphers and/or the version of OpenSSL embedded in SOAPUI? Any assistance would be greatly appreciated.

Russ

Re: How do I add a Cipher string to an HTTP Request?

Additional notes to clarify these settings. When selecting the protocol and cipher options you will need to select valid combinations. There isn't any pre-processing of the protocol and cipher options which would let you know in advance whether you have an invalid combination. I use the http://www.openssl.org/docs/apps/ciphers.html#CIPHER-SUITE-NAMES section to determine the correct combination. The correct syntax for the <cipher suite name> is represented by the left hand column of the Cipher Suite Names table. The example below represents a TLSv1.2 protocol cipher for AES256-SHA256.

-Dsoapui.https.ciphers=TLS_RSA_WITH_AES_256_CBC_SHA256

Re: SSL Cipher setup

I am working directly with SmartBear support on this question and they are providing valuable insight.

My first observation is that the SOAPUI/Ready! API application does not provide control of the Cipher string at the request level. The Cipher string is set globally during startup.

Second: The SOAPUI/Ready! API application provides support for ciphers based on OpenSSL. The cipher suite names may be found on the OpenSSL support site. http://www.openssl.org/docs/apps/ciphers.html

Third: SOAPUI/Ready! API application provides us with several methods of starting the application. The Windows start menu, command line execution and batch files are all available. The Windows start menu startup used the SoapUI-5.1.3.vmoptions/ReadyAPI-1.3.0.vmoptions file. The batch file startup uses soapui.bat/ready-api.bat. This design provides us with the ability to create multiple configurations via the use of numerous iterations of these configuration/startup files.

Fourth: The JVM option -Dsoapui.https.protocols provides management of the SSL protocol list. This option controls which SSL protocols are available when negotiating the initial HTTPS connection between the client and the server.
Fifth: The JVM option -Dsoapui.https.ciphers directs the SOAPUI/Ready! API application to use the OpenSSL cipher string when sending the request to the server.

Sixth: The JAVA JRE which is included with the SOAPUI/Ready! API application does not include the "unlimited" version of the JCE; JAVA Cryptography Extensions. You will need to acquire the current version of the JCE from Oracle to expand the list of potential cipher strings to include all possibilities. Information related to the JAVA JCE may be found at this URL. http://www.oracle.com/technetwork/java/javase/overview/index.html

Summary: Addition of the following JVM options to the appropriate configuration file will provide you with the ability to control the cipher string and SSL protocol used by the SOAPUI/Ready! API application.

-Dsoapui.https.protocols=<TLSv1.2, TLSv1, SSLv3>
-Dsoapui.https.ciphers=<cipher suite name>

Re: How to enable TLS 1.2 in SoapUI

I have also verified that this configuration does not provide TLS only communications. Thank you.

Re: How do I add a Cipher string to an HTTP Request?

The cipher string we need to apply is directed toward the SSL/TLS protocol and the initial connection setup. We need to be able to manipulate the SSLv2, SSLv3, and TLSv1.2 protocols to verify compliance. As many of you know, the SSLv2 and SSLv3 protocols have been deemed insecure and have been deprecated. Our current test tool does not support any TLS connectivity, so we are researching the use of SOAPUI. Thank you.

SSL Cipher setup

We need to test SSL protocol support on our website and need to control the cipher strings being presented in our HTTP requests. How do we do this? Thank you.

Solved
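
For the "Unsupported ciphersuite" question in the first post above, one way to see which names a given JRE will accept is to ask its default JSSE provider directly. This is an added example, not part of the original posts and not SmartBear's code; the class name `ListCipherSuites` is hypothetical, and it assumes SoapUI hands the value of `soapui.https.ciphers` to the JRE's JSSE implementation, which the `java.lang.IllegalArgumentException` in the posted log suggests.

```java
import java.util.Arrays;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/** Lists the protocols and cipher suites known to this JRE's default JSSE provider. */
public class ListCipherSuites {
    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // "Supported" is everything the provider implements; "default" is what it enables.
        SSLParameters supported = ctx.getSupportedSSLParameters();
        SSLParameters enabled = ctx.getDefaultSSLParameters();

        Set<String> supportedSuites = new TreeSet<String>(Arrays.asList(supported.getCipherSuites()));
        Set<String> enabledSuites = new TreeSet<String>(Arrays.asList(enabled.getCipherSuites()));

        System.out.println("java.version        : " + System.getProperty("java.version"));
        System.out.println("supported protocols : " + Arrays.toString(supported.getProtocols()));
        System.out.println("enabled protocols   : " + Arrays.toString(enabled.getProtocols()));

        System.out.println("supported cipher suites (" + supportedSuites.size() + "):");
        for (String suite : supportedSuites) {
            String state = enabledSuites.contains(suite) ? "enabled " : "disabled";
            System.out.println("  " + state + "  " + suite);
        }

        // Names to check: command-line arguments, or the two suite names quoted in the posts.
        String[] wanted = args.length > 0 ? args : new String[] {
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_RSA_WITH_AES_256_CBC_SHA256"
        };
        for (String name : wanted) {
            String verdict;
            if (enabledSuites.contains(name)) {
                verdict = "supported, enabled by default";
            } else if (supportedSuites.contains(name)) {
                verdict = "supported, disabled by default";
            } else {
                verdict = "NOT supported by this JRE";
            }
            System.out.println(name + " -> " + verdict);
        }
    }
}
```

Run the compiled class with the same JRE that SoapUI starts with, since the result depends on the Java version and installed providers. Names are matched exactly in the JSSE form (`TLS_..._WITH_...`), so an OpenSSL-style name such as `ECDHE-RSA-AES128-GCM-SHA256` is reported as not supported.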