10

I need to test a web service that is being deployed to a pre-release environment on an HTTPS endpoint. Unfortunately, SoapUI fails with an SSLPeerUnverifiedException: peer not authenticated exception. I used both version 4.6.4 and the very fresh 5.0.

Env:

endpoint is https, startcom certificate, network uses proxy (but same issue without proxy with different network)

I have spent many hours, maybe a day googling for a solution. Especially this link looked promising: https://forum.soapui.org/viewtopic.php?f=13&t=20866

I extracted the endpoint certificate via Firefox and trusted it. So I modified cacerts in the SoapUI JVM installation:

..\SoapUI-4.6.4\jre\lib\security>keytool -import -alias HOSTNAME -file endpoint.crt -keystore cacerts -storepass changeit

Restart and then retested - fail.

Then I took a different approach and let the SoapUI JVM trust all StartCom certificates.

keytool -import -trustcacerts -alias startcom.ca -file ca.crt -keystore cacerts
keytool -import -alias startcom.ca.sub -file sub.class1.server.ca.crt -keystore cacerts

Restart and failed again. What else shall I do now?

EDIT

2014-05-30 08:39:53,782 ERROR [errorlog] javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(Unknown Source)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at org.apache.http.conn.ssl.SSLSocketFactory.createLayeredSocket(SSLSocketFactory.java:446)
at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:499)
at com.eviware.soapui.impl.wsdl.support.http.SoapUISSLSocketFactory.createLayeredSocket(SoapUISSLSocketFactory.java:268)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.updateSecureConnection(DefaultClientConnectionOperator.java:200)
at org.apache.http.impl.conn.AbstractPoolEntry.layerProtocol(AbstractPoolEntry.java:277)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.layerProtocol(AbstractPooledConnAdapter.java:142)
at org.apache.http.impl.client.DefaultRequestDirector.establishRoute(DefaultRequestDirector.java:758)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:565)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:415)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:754)
at com.eviware.soapui.impl.wsdl.support.http.HttpClientSupport$Helper.execute(HttpClientSupport.java:238)
at com.eviware.soapui.impl.wsdl.support.http.HttpClientSupport.execute(HttpClientSupport.java:348)
at com.eviware.soapui.impl.wsdl.submit.transports.http.HttpClientRequestTransport.submitRequest(HttpClientRequestTransport.java:318)
at com.eviware.soapui.impl.wsdl.submit.transports.http.HttpClientRequestTransport.sendRequest(HttpClientRequestTransport.java:232)
at com.eviware.soapui.impl.wsdl.WsdlSubmit.run(WsdlSubmit.java:123)
at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

SSL debug:

adding as trusted cert:
Subject: CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
Issuer:  CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
Algorithm: RSA; Serial number: 0x1
Valid from Sun Sep 17 21:46:36 CEST 2006 until Wed Sep 17 21:46:36 CEST 2036

Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Thread-20, WRITE: TLSv1 Handshake, length = 186
Thread-20, READ: TLSv1 Alert, length = 2
Thread-20, RECV TLSv1 ALERT:  warning, unrecognized_name
SSL - handshake alert: unrecognized_name
Thread-20, handling exception: javax.net.ssl.SSLProtocolException: handshake alert:  unrecognized_name
Thread-20, SEND TLSv1 ALERT:  fatal, description = unexpected_message
Thread-20, WRITE: TLSv1 Alert, length = 2
Thread-20, called closeSocket()
Thread-20, IOException in getSession():  javax.net.ssl.SSLProtocolException: handshake alert:  unrecognized_name
09:16:12,482 ERROR [WsdlSubmit] Exception in request: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
Leos Literak

7 Answers

17

Ok, the fix for this problem is to set

-Djsse.enableSNIExtension=false

in $SOAPUI_HOME/bin/soapui.bat

The reason is described in this answer: https://stackoverflow.com/a/14884941/1639556

Digest:

Java 7 introduced SNI support which is enabled by default. I have found out that certain misconfigured servers send an "Unrecognized Name" warning in the SSL handshake which is ignored by most clients... except for Java.

Update: for SoapUI 5.2.1 I had to alter the file SoapUI-5.2.1.vmoptions because modifying the bat file did not help.

Community
Leos Literak
  • Thanks. Your mention of soapui.bat was a key. I have not been aware I can alter JVM parameters. – Leos Literak May 30 '14 at 07:56
  • I have the same problem and try to fix it with "%JAVA%" -Djsse.enableSNIExtension=false %JAVA_OPTS% com.eviware.soapui.SoapUI %* but I still have the exception. Is my modification of soapui.bat ok? I use it on windows. Thanks. – Jérémie Bertrand Jul 11 '14 at 09:33
  • This didn't work for me with SoapUI-5.1.3 on Windows 10 – nl-x Sep 08 '16 at 15:45
  • SoapUI is terrible trash. It does not use the `SoapUI-*.vmoptions` file, even though it creates it during installation. The only way to modify the arguments passed to the JVM is to edit the `soapui.bat` file. – Ian Kemp Aug 20 '20 at 16:11
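
The SSL debug output in the question already separates the two failure modes discussed on this page: an SNI `unrecognized_name` alert that ends the handshake before any server certificate arrives, versus a certificate chain the trust store rejects. The triage helper below is an added example, not code from the original posts; the function names and result labels are hypothetical, and the second sample log is constructed for contrast.

```python
import re

# Legacy JSSE debug lines (Java 7/8 style, as in the question), e.g.
#   Thread-20, RECV TLSv1 ALERT:  warning, unrecognized_name
ALERT_RE = re.compile(
    r"(?P<dir>RECV|SEND) \S+ ALERT:\s+(?P<level>warning|fatal),\s+"
    r"(?:description = )?(?P<desc>\w+)"
)

def parse_alerts(log):
    """Return (direction, level, description) for every TLS alert line."""
    return [(m["dir"], m["level"], m["desc"]) for m in ALERT_RE.finditer(log)]

def triage(log):
    """Classify a javax.net.debug capture into a failure category."""
    alerts = parse_alerts(log)
    server_hello_seen = "*** ServerHello" in log
    if ("RECV", "warning", "unrecognized_name") in alerts and not server_hello_seen:
        # The server objected to the SNI host name right after ClientHello;
        # no certificate was received, so trust-store edits cannot help.
        return "sni_unrecognized_name"
    if "PKIX path building failed" in log:
        # Handshake reached certificate validation and the chain was rejected.
        return "untrusted_chain"
    if any(level == "fatal" for _, level, _ in alerts):
        return "other_fatal_alert"
    return "no_tls_failure_found"

# Excerpt of the SSL debug output posted in the question.
QUESTION_LOG = """\
Thread-20, WRITE: TLSv1 Handshake, length = 186
Thread-20, READ: TLSv1 Alert, length = 2
Thread-20, RECV TLSv1 ALERT:  warning, unrecognized_name
Thread-20, handling exception: javax.net.ssl.SSLProtocolException: handshake alert:  unrecognized_name
Thread-20, SEND TLSv1 ALERT:  fatal, description = unexpected_message
"""

# Constructed sample of a genuine trust failure, for contrast.
TRUST_LOG = """\
*** ServerHello, TLSv1
*** Certificate chain
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed
main, SEND TLSv1 ALERT:  fatal, description = certificate_unknown
"""

if __name__ == "__main__":
    for name, log in (("question", QUESTION_LOG), ("constructed", TRUST_LOG)):
        print(name, triage(log), parse_alerts(log))
```

A `sni_unrecognized_name` result means certificate imports are not the lever to pull. Note that `jsse.enableSNIExtension` is a JVM-wide system property, so setting it to `false` turns SNI off for every connection that JVM makes.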
6

For anybody using a Mac looking for the same answer (sorry, it won't let me comment on the selected answer as I don't have enough reputation points yet to Comment !!!). Editing soapui.sh won't have any impact if you are launching the App by clicking the icon in your Applications folder or using Spotlight.

/Applications/SoapUI-5.0.0.app/Contents

Edit vmoptions.txt and add -Dcom.sun.net.ssl.checkRevocation=false to the bottom of the file. Save and re-launch.

bawinnicki
5

I think that you're doing things right. If you load the server certificate into your truststore the connection must work; maybe something is happening, for example a redirect. If you want, you can try to disable the SSL server certificate validation. If you use a standalone SoapUI version, edit $SOAPUI_HOME/bin/soapui.bat or $SOAPUI_HOME/bin/soapui.sh and add the parameter -Dcom.sun.net.ssl.checkRevocation=false as a Java option:

soapui.bat

set JAVA_OPTS=%JAVA_OPTS% -Dcom.sun.net.ssl.checkRevocation=false

soapui.sh

JAVA_OPTS="$JAVA_OPTS -Dcom.sun.net.ssl.checkRevocation=false"

Hope this helps,

albciff
  • Thanks. I tried your answer but it did not help. I verified that the property is set in Help/System properties. – Leos Literak May 30 '14 at 06:34
  • After setting this property, are you getting the same error? Can you share the complete stack trace? – albciff May 30 '14 at 06:46
  • Attached to the question – Leos Literak May 30 '14 at 06:53
  • This didn't work for me with SoapUI-5.1.3 on Windows 10. Connection gets reset – nl-x Sep 08 '16 at 15:52
  • @nl-x this is an old response for another SoapUI, OS and probably Java version. With the comment details it's hard to see what happened in your case. Consider posting a new question with more details (SoapUI version, Java version, OS and a stack trace); this way it'll be easier to get help :) – albciff Sep 09 '16 at 06:12
2

If you are using a proxy, try bypassing it (via Proxy Settings in SoapUI Preferences).

NevinJ
2

Also make sure you are not running Fiddler, which will try to act as a proxy to any requests made by SoapUI. If you want to make it work with Fiddler, you need to add the Fiddler root certificate to your Java trust store.

See also: SoapUI not working with fiddler for REST service testing

Community
sudoqux
2

I was also getting the following message:

Error getting response; javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

The issue I had was only when going via a proxy server. Connecting directly to the Internet without a proxy was working.

I tried all these solutions, and none were working.

I even tried to add the trusted CA certificates in a Java key store under WS-Security-Configurations -> Truststores and was still getting the error.

I upgraded to SoapUI 5.2.1 and the issue is now resolved.

It might be worth it for you to try it out.

Leos Literak
StephaneD
0

I tried using both the -Dcom.sun.net.ssl.checkRevocation=false and -Djsse.enableSNIExtension=false options, neither of which appear to work.

What did work was importing the certificate into SoapUI's certificate store. I know the asker specified they've already done this, but it's not clear which cert store SoapUI actually chooses to use.

I was able to import the cert and have it used by doing the following:

  1. Ensure SoapUI is closed.
  2. Download Keystore Explorer from http://keystore-explorer.org/downloads.html (use the "All" version that is standalone) and extract it somewhere.
  3. Run Keystore Explorer from an Administrator Command Prompt and using the bundled SoapUI JVM:
     C:\> "C:\Program Files\SmartBear\SoapUI-5.6.0\jre\bin\java.exe" -jar "path\to\kse.jar"
  4. In Keystore Explorer, click "Open the CA Certificates Keystore".
  5. Now go to Examine > Examine SSL, input the URL of your server, click OK to view the "Certificate Details" dialog.
  6. Click the Import button and enter whatever alias you want, click OK.
  7. You should get a dialog stating "Trusted Certificate Import Successful", click OK to dismiss it. Then click OK again to dismiss the "Certificate Details" dialog.
  8. Press Ctrl+S or click the "Save" icon to update the root certificate store. Exit Keystore Explorer.
  9. Run SoapUI and it should no longer fail miserably.

In closing, SoapUI is terrible software and you should try to avoid it if at all possible. But this is common to most Java applications.

Ian Kemp