0

Recently we secured our servers with SSL v1.2. We have a SOAP web-service and many endpoints are exposed on it. The endpoints were used to be called/tested with SOAP-UI 5.6.0 with no issues when SSL was not enabled, but now when we call it throws:

ERROR:javax.net.ssl.SSLException: Received fatal alert: record_overflow

The only workaround we came across was downloading SOAP-UI 5.5.0 and using it since it has no issues calling SSL-enabled web-services.

I also checked similar question here but unfortunately there is no solid answer on it.

Any idea about the reason is highly appreciated.

Ali K. Nouri
  • 495
  • 5
  • 18
  • 1
    SoapUI upgraded the version of Apache HttpComponents used though I couldn't find which version it was upgraded to. You didn't say what SSL protocols your endpoint supports but this answer has a reasonable solution even if you're not using Java 11 or 12. I would go further and limit the protocols to TLS v1.1 and v1.2 (i.e. don't support SSLv3 because it's not secure). https://stackoverflow.com/a/56211107/185034 – Paul Oct 08 '20 at 15:48
  • 2
    _Exactly_ what versions of Java? [There was a bug](https://bugs.openjdk.java.net/browse/JDK-8221253) reported fixed in 11.0.5 and 8u261. @Paul: avoiding 1.3 may help, but 8 only has 1.3 in 8u261 and it is reported fixed. Although you don't want SSLv3, no action or even care is needed: all Oracle and OpenJDK releases since 2014 have SSLv3 disabled in JSSE and the API (alone) can't reenable it. TLS1.0 could be more of an issue; some standards (like PCI DSS) forbid it, but JSSE doesn't as of now. – dave_thompson_085 Oct 09 '20 at 02:05
  • Thanks @Paul and dave_thompson_085 It was my bad, the protocol was v1.3 and I will change the protocol and update the ticket. – Ali K. Nouri Oct 09 '20 at 02:23

0 Answers0