Validate Server SSL Certificate Against Soap-UI TrustStore
Dear All,

I am trying to create a Soap-UI test which does a call against a server with a verified certificate by the CA (Certificate Authority) of my client. We want to validate this against a truststore in Soap-UI to validate if the server certificate is indeed the correct, signed certificate we expect.

My problem is that my test always succeeds. I actually want my test to succeed when the server presents a signed certificate, but I want the test to fail if the server presents a self-signed certificate.

I have tried this with both SoapUI-5.5.0 as well as ReadyAPI 2.8. I have tried starting SoapUI with SSLv3 and TLS in the vmoptions configuration file. I have of course imported the truststore in SoapUI in the "Show Project View" menu, and I have done step 4. from the documentation on page https://www.soapui.org/soapui-projects/ws-security.html, which I expect links my truststore to the project. I have not changed anything in SSL in the Preferences.

On the latter page we also notice that in step 1.9 in the Authentication menu the "Incoming WSS:" selection box can be found in the documentation, but it is not there in our application (both the SoapUI and ReadyAPI). This menu is also not present after uploading the truststore and finishing step 4.

javax.net.ssl.SSLHandshakeException: Received fatal alert: unsupported_certificate
I am receiving the error: javax.net.ssl.SSLHandshakeException: Received fatal alert: unsupported_certificate.

Background information: ReadyAPI is configured for SSL using Certificate Store with "Use Windows Certificate Store" and Client authentication with "Requires client authentication". Windows certificate store contains 4 valid certificates from a single smart card. All 4 certificates are from the same issuer. Each certificate has a set of "Intended Purpose". Examples:

Cert1 - PIV Authentication
Cert2 - Time Stamping, Server Auth, Client Auth, Secure Email
Cert3 - Secure Email
Cert4 - Client Authentication

The target webserver is prompting the client for a certificate from a list of authorities. All 4 certificates are valid based on the server requirements.

Problem: ReadyAPI is correctly pulling all 4 client certificates from the Windows store. It properly matches them up to only get the ones that meet the requirements of the server. However, not all certificates have the proper intended purpose. The problem is that 4 certificates meet the server requirements and the client is not allowing the user to choose the certificate or match the certificate with the right "intended purpose". In addition, the client does not retry the other 3 certificates. As a result, the client is sending Cert3 (Secure Email) instead of sending Cert1.

Is there a way to force the client to choose the right certificate? Or is there a Java option that will statically assign the certificate?

Here is a snippet from the client log with logging at a high level.
    javax.net.ssl|DEBUG|05 C0|Thread-84|2020-10-28 14:45:38.494 CDT|CertificateRequest.java:653|Consuming CertificateRequest handshake message (
    "CertificateRequest": {
      "certificate types": [rsa_sign, dss_sign, ecdsa_sign]
      "supported signature algorithms": [rsa_pkcs1_sha512, dsa_sha512, ecdsa_secp521r1_sha512, rsa_pkcs1_sha384, dsa_sha384, ecdsa_secp384r1_sha384, rsa_pkcs1_sha256, dsa_sha256, ecdsa_secp256r1_sha256, rsa_sha224, dsa_sha224, ecdsa_sha224, rsa_pkcs1_sha1, dsa_sha1, ecdsa_sha1]
      "certificate authorities": [OU=ABC123, O=XYZ, C=XX, ...]
    }
    )
    javax.net.ssl|DEBUG|05 C0|Thread-84|2020-10-28 14:45:38.498 CDT|SunX509KeyManagerImpl.java:401|matching alias: Cert2
    javax.net.ssl|DEBUG|05 C0|Thread-84|2020-10-28 14:45:38.499 CDT|SunX509KeyManagerImpl.java:401|matching alias: Cert4
    javax.net.ssl|DEBUG|05 C0|Thread-84|2020-10-28 14:45:38.499 CDT|SunX509KeyManagerImpl.java:401|matching alias: Cert3
    javax.net.ssl|DEBUG|05 C0|Thread-84|2020-10-28 14:45:38.499 CDT|SunX509KeyManagerImpl.java:401|matching alias: Cert1
    javax.net.ssl|DEBUG|05 C0|Thread-84|2020-10-28 14:45:38.499 CDT|ServerHelloDone.java:142|Consuming ServerHelloDone handshake message (
    ... .... ...
    javax.net.ssl|ERROR|05 C0|Thread-84|2020-10-28 14:45:43.899 CDT|TransportContext.java:312|Fatal (UNSUPPORTED_CERTIFCATE): Received fatal alert: unsupported_certificate (
    "throwable" : {
      javax.net.ssl.SSLHandshakeException: Received fatal alert: unsupported_certificate
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:307)
        at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:285)
        at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:180)

SSL Certificate verification missing
Hi Community,

I've been trying to get SoapUI 5.5. (OpenSource) to verify and reject my self-signed SSL server certificate for security reasons (self-signed, not trusted), just like other clients do. Where can I switch the behavior between test and live environment? I need the verification enabled. In my case SoapUI just accepts the connection and does not even notify about any security issues. I have searched the database but didn't find much information.

Thanks in advance.

Set SSL Keystore using Groovy on Test Step level
On the Project Level I have set up the Keystore. Now I want to be able to select this on Test Step Level using Groovy. In the Step: Select SSL on Test Step, I wrote a Groovy script to do the same, but it is failing.

    import com.eviware.soapui.impl.rest.RestMethod
    import com.eviware.soapui.impl.rest.RestRequestInterface.HttpMethod
    import com.eviware.soapui.impl.rest.RestResource
    import com.eviware.soapui.impl.wsdl.support.wss.WssCrypto
    import com.eviware.soapui.impl.wsdl.teststeps.RestTestRequestStep
    import com.eviware.soapui.impl.wsdl.support.wss.crypto.CryptoType

    def step = testRunner.testCase.testSteps['GET - TEST'].testRequest
    log.info step.getSslKeystore() // This step works fine and reads the Keystore Selected on the Test Step (if any)
    step.setSslKeystore( 'keystore.jks') // This step does not work and gives error message

Error:

    groovy.lang.MissingMethodException: No signature of method: com.eviware.soapui.impl.wsdl.teststeps.RestTestRequest.setSslKeystore() is applicable for argument types: (java.lang.String) values: [keystore.jks] Possible solutions: setSslKeystore(com.eviware.soapui.impl.wsdl.support.wss.WssCrypto), getSslKeystore() error at line: 13

Please note that my tests require me to be able to select and deselect the SSL Keystore for a test step dynamically (through Groovy) based on the environment I am running my tests on (for example: QA, UAT, etc.).

How to change the TLS version SoapUI uses for MQTT
Hi everyone,

I am currently trying to get a "Receive MQTT Message" TestStep to work which always runs into a timeout. After checking all URLs and ports and changing vmoptions to use TLS 1.2, I still had no success.

I found an issue on GitHub that seems to describe a possible solution for my problem: https://github.com/eclipse/paho.mqtt.java/issues/309

Here the SocketFactory that is required for the MqttClient has been created with "TLSv1". According to the issuer of that ticket, changing it to "TLSv1.2" fixed his problem.

I took a look into the source code for the MQTT plugin by SmartBear (https://github.com/SmartBear/ready-mqtt-plugin/blob/master/src/main/java/com/smartbear/mqttsupport/connection/ssl/SSLCertsHelper.java) and noticed that "TLSv1" seems to be hardcoded:

    SSLContext context = SSLContext.getInstance("TLSv1");

Does anyone know if this means that MQTT will always use TLSv1 even if I changed my vmoptions to use TLSv1.2? I tried recompiling this plugin after changing TLS to "TLSv1.2" in the code, but just replacing it does not seem to work, as all testSteps (not only MQTT) are missing afterwards.

Best regards,
Max

SOAP Envelope can not have children other than SOAP Header and Body when calling HTTPS service
I have an HTTPS SOAP service that I'm trying to call via SoapUI. My request looks like this:

    <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:urn="urn:com-softwareag-entirex-rpc:RSSA">
      <soap:Header/>
      <soap:Body>
        <urn:RSSA000S/>
      </soap:Body>
    </soap:Envelope>

however the response I always get back is:

    <soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
      <soapenv:Body>
        <soapenv:Fault>
          <soapenv:Code>
            <soapenv:Value>Sender</soapenv:Value>
          </soapenv:Code>
          <soapenv:Reason>
            <soapenv:Text xml:lang="en-US">SOAP Envelope can not have children other than SOAP Header and Body</soapenv:Text>
          </soapenv:Reason>
          <soapenv:Detail/>
        </soapenv:Fault>
      </soapenv:Body>
    </soapenv:Envelope>

I'm not sure why this is. Even when I remove the urn:RSSA000S child, the error is the same. Advice is appreciated.

How do I enable SSL in TestComplete
I am trying to enable SSL in TestComplete but I am stuck.

Note: We are not using ReadyAPI nor are we using SoapUI for generating our tests, although I do have both working with SSL enabled. The direction of our development is through TestComplete and we are not using the ReadyAPI or Webservices module within TC.

I am able to set up the aqHTTP authentication on each service, but I am stuck on how to use and get access to the local Certificate. Suggestions or comments?

Lack of secure connection for repository
I had asked via Twitter a while back if your URL http://smartbearsoftware.com/repository/maven2/ had an equivalent secure address. I was told no.

I work at a large company that utilizes many of your libraries. We would request that you buy a certificate and set up a secure connection for downloads. As a bonus, it would be even better if every download had a file hash that we can compare against after downloading to make sure we received a legit copy.

The first part of the request wouldn't take much time at all, and would be a great start at providing secure downloads of all your libraries. Thoughts, SmartBear people? Thanks!