I need to test a web service that is being deployed to a pre-release environment on an HTTPS endpoint. Unfortunately SoapUI fails with an SSLPeerUnverifiedException: peer not authenticated exception. I used both versions 4.6.4 and the very fresh 5.0.
Env:
endpoint is https, startcom certificate, network uses proxy (but same issue without proxy with different network)
I have spent many hours, maybe a day googling for a solution. Especially this link looked promising: https://forum.soapui.org/viewtopic.php?f=13&t=20866
I extracted the endpoint certificate via Firefox and had it trusted. So I modified cacerts from the SoapUI JVM installation:
..\SoapUI-4.6.4\jre\lib\security>keytool -import -alias HOSTNAME -file endpoint.crt -keystore cacerts -storepass changeit
Restarted and then retested - fail.
Then I took a different approach and let the SoapUI JVM trust all StartCom certificates.
keytool -import -trustcacerts -alias startcom.ca -file ca.crt -keystore cacerts
keytool -import -alias startcom.ca.sub -file sub.class1.server.ca.crt -keystore cacerts
Restart and failed again. What else shall I do now?
EDIT
2014-05-30 08:39:53,782 ERROR [errorlog] javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(Unknown Source)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at org.apache.http.conn.ssl.SSLSocketFactory.createLayeredSocket(SSLSocketFactory.java:446)
at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:499)
at com.eviware.soapui.impl.wsdl.support.http.SoapUISSLSocketFactory.createLayeredSocket(SoapUISSLSocketFactory.java:268)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.updateSecureConnection(DefaultClientConnectionOperator.java:200)
at org.apache.http.impl.conn.AbstractPoolEntry.layerProtocol(AbstractPoolEntry.java:277)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.layerProtocol(AbstractPooledConnAdapter.java:142)
at org.apache.http.impl.client.DefaultRequestDirector.establishRoute(DefaultRequestDirector.java:758)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:565)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:415)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:754)
at com.eviware.soapui.impl.wsdl.support.http.HttpClientSupport$Helper.execute(HttpClientSupport.java:238)
at com.eviware.soapui.impl.wsdl.support.http.HttpClientSupport.execute(HttpClientSupport.java:348)
at com.eviware.soapui.impl.wsdl.submit.transports.http.HttpClientRequestTransport.submitRequest(HttpClientRequestTransport.java:318)
at com.eviware.soapui.impl.wsdl.submit.transports.http.HttpClientRequestTransport.sendRequest(HttpClientRequestTransport.java:232)
at com.eviware.soapui.impl.wsdl.WsdlSubmit.run(WsdlSubmit.java:123)
at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
SSL debug:
adding as trusted cert:
Subject: CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
Issuer: CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
Algorithm: RSA; Serial number: 0x1
Valid from Sun Sep 17 21:46:36 CEST 2006 until Wed Sep 17 21:46:36 CEST 2036
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Thread-20, WRITE: TLSv1 Handshake, length = 186
Thread-20, READ: TLSv1 Alert, length = 2
Thread-20, RECV TLSv1 ALERT: warning, unrecognized_name
SSL - handshake alert: unrecognized_name
Thread-20, handling exception: javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name
Thread-20, SEND TLSv1 ALERT: fatal, description = unexpected_message
Thread-20, WRITE: TLSv1 Alert, length = 2
Thread-20, called closeSocket()
Thread-20, IOException in getSession(): javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name
09:16:12,482 ERROR [WsdlSubmit] Exception in request: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
Ok, the fix for this problem is to set -Djsse.enableSNIExtension=false in $SOAPUI_HOME/bin/soapui.bat
The reason is described in this answer: https://stackoverflow.com/a/14884941/1639556
Digest:
Java 7 introduced SNI support which is enabled by default. I have found out that certain misconfigured servers send an "Unrecognized Name" warning in the SSL handshake which is ignored by most clients... except for Java.
Update: for SoapUI 5.2.1 I had to alter the file SoapUI-5.2.1.vmoptions because modifying the bat file did not help.
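An added triage script (not part of the original answer or of SoapUI) that reads JSSE debug output such as the log in the question and separates the SNI `unrecognized_name` case from a trust-chain failure, which is why the cacerts imports made no difference here. The first sample is the alert sequence from the question; the PKIX sample and all function names are constructed for illustration.

```python
import re

# JSSE debug alert lines, e.g.
#   Thread-20, RECV TLSv1 ALERT: warning, unrecognized_name
#   Thread-20, SEND TLSv1 ALERT: fatal, description = unexpected_message
ALERT_RE = re.compile(
    r"(?P<dir>RECV|SEND) \S+ ALERT:\s*(?P<level>warning|fatal),\s*"
    r"(?:description = )?(?P<desc>\w+)"
)

ADVICE = {
    "sni_unrecognized_name": "Server answered the SNI host name with an "
        "unrecognized_name warning, which Java does not ignore; truststore "
        "changes cannot help. Fix the server's host name configuration or "
        "start this client with -Djsse.enableSNIExtension=false.",
    "untrusted_chain": "Certificate path validation failed; import the "
        "issuing CA into the truststore the JVM actually loads.",
    "unknown": "No known pattern; capture a fuller handshake debug log.",
}

def parse_alerts(log_text):
    """Return (direction, level, description) for each TLS alert line."""
    return [(m["dir"], m["level"], m["desc"]) for m in ALERT_RE.finditer(log_text)]

def classify(log_text):
    """Name the likely cause behind 'peer not authenticated'."""
    if ("RECV", "warning", "unrecognized_name") in parse_alerts(log_text):
        return "sni_unrecognized_name"
    if "PKIX path building failed" in log_text:
        return "untrusted_chain"
    return "unknown"

# Alert sequence copied from the question's SSL debug output.
QUESTION_LOG = """\
Thread-20, WRITE: TLSv1 Handshake, length = 186
Thread-20, READ: TLSv1 Alert, length = 2
Thread-20, RECV TLSv1 ALERT: warning, unrecognized_name
Thread-20, SEND TLSv1 ALERT: fatal, description = unexpected_message
"""

# Constructed sample of a genuine trust failure, for contrast.
CONSTRUCTED_PKIX_LOG = """\
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed
main, SEND TLSv1 ALERT: fatal, description = certificate_unknown
"""

if __name__ == "__main__":
    for name, log in (("question", QUESTION_LOG), ("pkix", CONSTRUCTED_PKIX_LOG)):
        print(name, "->", classify(log), "-", ADVICE[classify(log)])
```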
For anybody using a Mac looking for the same answer (sorry, it won't let me comment on the selected answer as I don't have enough reputation points yet to comment!). Editing soapui.sh won't have any impact if you are launching the app by clicking the icon in your Applications folder or using Spotlight.
/Applications/SoapUI-5.0.0.app/Contents
Edit vmoptions.txt and add -Dcom.sun.net.ssl.checkRevocation=false to the bottom of the file. Save and re-launch.
I think that you're doing things right. If you load the server certificate into your truststore the connection must work; maybe something else is happening, for example a redirect. If you want, you can try to disable the SSL server certificate validation. If you use a SoapUI standalone version, edit $SOAPUI_HOME/bin/soapui.bat or $SOAPUI_HOME/bin/soapui.sh and add the parameter -Dcom.sun.net.ssl.checkRevocation=false as a Java option:
soapui.bat
set JAVA_OPTS=%JAVA_OPTS% -Dcom.sun.net.ssl.checkRevocation=false
soapui.sh
JAVA_OPTS="$JAVA_OPTS -Dcom.sun.net.ssl.checkRevocation=false"
Hope this helps,