I am trying to make an HTTPS request to send Apple Push Notifications (APN) to test my application using SoapUI 5.2.1. I have made the following configuration changes to SoapUI to support a TLS 1.2 connection.

  • I created a JKS keystore and added the private key for the iOS application and all certificates in the chain for api.development.push.apple.com
  • In the SoapUI SSL Settings I have set the KeyStore, KeystorePassword and checked 'requires client authentication'
  • In the vmoptions.txt of SoapUI i added the following Java options

-Dsun.security.ssl.allowUnsafeRenegotiation=true -Dsoapui.https.protocols=TLSv1.2 -Dsoapui.https.ciphers=ECDHE-RSA-AES256-GCM-SHA384

  • The JCE files in the SoapUI jre.bundle have been replaced with the Unlimited Strength Jurisdiction policy files.

If I use curl to send a push notification in verbose mode (-vvv), the negotiation results in TLS 1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384. So the protocol and cipher should be accepted by the Apple APN server when making a connection with SoapUI.

* Connected to api.development.push.apple.com (17.172.238.203) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ECDHE-RSA-AES256-GCM-SHA384
* successfully set certificate verify locations:
*   CAfile: /usr/local/etc/openssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384

When now making an HTTPS POST request in SoapUI to https://api.development.push.apple.com/3/device/{device id} I still get the error ERROR:java.lang.IllegalArgumentException: Unsupported ciphersuite ECDHE-RSA-AES256-GCM-SHA384

When using the Java 7 JSSE cipher suite name TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 I still get the unsupported cipher suite error.

There is no detailed information in the logs. Any help / ideas / thoughts / hints?

Update 1

I was using the SoapUI 5.2.1 Mac OS X installer with the integrated Java 7. According to the Java 7 documentation, Java 7 does not support the TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite.

I replaced the SoapUI 5.2.1 Mac OS X installer with the SoapUI 5.2.1 Mac OS X zip, which does not include Java. I have Java 1.8.0_60 installed, which does support the necessary cipher suite. (reference here)

I modified the soapui.sh script to include the necessary Java options:

if [ "$SOAPUI_HOME" != "" ]
then
    JAVA_OPTS="$JAVA_OPTS -Dsoapui.ext.libraries=$SOAPUI_HOME/bin/ext"
    JAVA_OPTS="$JAVA_OPTS -Dsoapui.ext.listeners=$SOAPUI_HOME/bin/listeners"
    JAVA_OPTS="$JAVA_OPTS -Dsoapui.ext.actions=$SOAPUI_HOME/bin/actions"
    JAVA_OPTS="$JAVA_OPTS -Djava.library.path=$SOAPUI_HOME/bin"
    JAVA_OPTS="$JAVA_OPTS -Dwsi.dir=$SOAPUI_HOME/wsi-test-tools"
    # Append (not overwrite) the TLS options, otherwise the SoapUI options above are lost
    JAVA_OPTS="$JAVA_OPTS -Dsun.security.ssl.allowUnsafeRenegotiation=true"
    JAVA_OPTS="$JAVA_OPTS -Dsoapui.https.protocols=TLSv1.2"
    JAVA_OPTS="$JAVA_OPTS -Dsoapui.https.ciphers=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    # JSSE handshake debugging; remove once the connection works
    JAVA_OPTS="$JAVA_OPTS -Djavax.net.debug=ssl,handshake"
#uncomment to disable browser component
#   JAVA_OPTS="$JAVA_OPTS -Dsoapui.browser.disabled=true"
fi

Now I get the next error: ERROR:org.apache.http.client.ClientProtocolException. Probably something related to the HTTP/2 protocol, which may not be supported by SoapUI.

Update 2

As suggested by @vzamanillo, Java 8 uses TLS 1.2 by default, therefore the additional Java options can be removed. The cipher suite issues are now resolved; the error

ERROR:org.apache.http.client.ClientProtocolException

is not related to SSL, TLS or cipher suites but is probably an issue with SoapUI not supporting HTTP/2.

If you are using Java 8 you do not need to set the Java options in the SoapUI script; Java 8 uses TLSv1.2 by default, and it chooses the appropriate cipher for the connection. Could you please update your question with the HTTP log and SSL debug log? - vzamanillo
Seems like you need to set some HTTP headers, maybe content length or authentication type. Post the HTTP wire log, please. - vzamanillo
The server requires an HTTP/2 connection, which can be negotiated through ALPN. ALPN is supported as of Java 9. I tried to run SoapUI on a Java 9 pre-release, but it does not work. - pcvnes
True, SoapUI supports HTTP 1.0 and HTTP 1.1 only, but you can write your own Java client with a library with HTTP/2 support, like OkHttp, Netty or Jetty; a set of examples is at unrestful.io/2015/10/10/http2-java-client-examples.html - vzamanillo

1 Answer

The TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite is not supported by Java 7, and therefore I used Java 8 for SoapUI 5.2.1. Setting the Java option -Dsoapui.https.protocols=TLSv1.2 to force TLSv1.2 is also not necessary because this is the default for Java 8.
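Both the question (Update 1 and 2) and the answer come down to three facts about the JVM that SoapUI happens to be running on: whether the JSSE knows the suite at all, whether it is enabled by default (which depends on the JCE policy files mentioned in the question), and whether ALPN is available for the HTTP/2 negotiation the comments describe. The program below is an added example, not code from the question, the answer or the SoapUI project; it queries the default SSLContext for exactly those three facts so that the JVM can be checked before editing any SoapUI options. The class name and the printed labels are my own; the cipher suite name is the JSSE/IANA name of the suite that curl negotiated as ECDHE-RSA-AES256-GCM-SHA384.

```java
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/*
 * JsseCapabilityCheck (hypothetical name): report whether the running JVM can
 * negotiate the TLS 1.2 suite APNs accepted from curl, and whether the ALPN
 * API needed for HTTP/2 exists. Compile and run with the same JRE that starts
 * SoapUI, e.g. $SOAPUI_HOME/jre/bin/java when a bundled JRE is used.
 */
public class JsseCapabilityCheck {

    // IANA/JSSE name; OpenSSL and curl call this suite ECDHE-RSA-AES256-GCM-SHA384.
    static final String WANTED_SUITE = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384";

    public static void main(String[] args) throws Exception {
        System.out.println("java.version       = " + System.getProperty("java.version"));

        SSLContext ctx = SSLContext.getDefault();
        SSLParameters defaults = ctx.getDefaultSSLParameters();
        SSLParameters supported = ctx.getSupportedSSLParameters();

        // Protocols the default context offers. Java 8 lists TLSv1.2 here
        // without any -Dsoapui.https.protocols override; Java 7 does not.
        System.out.println("default protocols  = " + Arrays.toString(defaults.getProtocols()));

        List<String> enabledSuites = Arrays.asList(defaults.getCipherSuites());
        List<String> supportedSuites = Arrays.asList(supported.getCipherSuites());

        if (enabledSuites.contains(WANTED_SUITE)) {
            // This is what a Java 8 JRE with unlimited-strength policy prints.
            System.out.println(WANTED_SUITE + ": enabled by default");
        } else if (supportedSuites.contains(WANTED_SUITE)) {
            // The JSSE implements the suite but does not enable it by default;
            // it would have to be enabled explicitly (and AES-256 additionally
            // needs the unlimited-strength JCE policy on older Java 8 releases).
            System.out.println(WANTED_SUITE + ": supported but not enabled by default");
        } else {
            // Java 7's SunJSSE has no GCM suites at all: the "Unsupported
            // ciphersuite" error from the question, regardless of settings.
            System.out.println(WANTED_SUITE + ": not supported by this JVM");
        }

        // ALPN, needed to negotiate h2 with api.development.push.apple.com,
        // arrived in JSSE with Java 9 as SSLParameters.setApplicationProtocols.
        // Reflection keeps this check compilable and runnable on Java 7 and 8.
        boolean alpn = hasMethod(SSLParameters.class, "setApplicationProtocols", String[].class);
        System.out.println("ALPN API available = " + alpn);
    }

    static boolean hasMethod(Class<?> cls, String name, Class<?>... params) {
        try {
            cls.getMethod(name, params);
            return true;
        } catch (NoSuchMethodException e) {
            return false;
        }
    }
}
```

Run it with `javac JsseCapabilityCheck.java && java JsseCapabilityCheck` using the JRE SoapUI actually starts with. The first two lines of output settle the cipher suite part of the question; if "ALPN API available = false" is printed, the JVM cannot negotiate HTTP/2 even with a client library that supports it, which matches the comment that ALPN needs Java 9.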