SoapUI无法连接HTTPS（SSLPeerUnverifiedException） [英] SoapUI fails to connect HTTPS (SSLPeerUnverifiedException)

问题描述

我需要测试部署在HTTPS端点上部署的预发布环境的Web服务。不幸的是，SoapUI失败了 SSLPeerUnverifiedException：peer not authenticated exception。我使用了4.6.4和非常新的5.0版本。

I need to test web service that is being deployed to pre-release environment that is deployed on HTTPS endpoint. Unfortunatelly SoapUI fails with SSLPeerUnverifiedException: peer not authenticated exception. I used both versions 4.6.4 and very fresh 5.0.

环境：

端点是https，startcom证书，网络使用代理（但相同的问题没有代理与不同的网络）

endpoint is https, startcom certificate, network uses proxy (but same issue without proxy with different network)

我花了很多时间，也许每天谷歌搜索解决方案。特别是这个链接看起来很有希望： https://forum.soapui.org/viewtopic .php？f = 13& t = 20866

I have spent many hours, maybe a day googling for a solution. Especially this link looked promising: https://forum.soapui.org/viewtopic.php?f=13&t=20866

我通过firefox提取了端点证书并让它信任。所以我从soapui JVM安装中修改了 cacerts ：

I extracted endpoint certificate via firefox and let it trust. So I modified cacerts from soapui JVM installation:

..\SoapUI-4.6.4\jre\lib\security>keytool -import -alias HOSTNAME 
-file endpoint.crt -keystore cacerts -storepass changeit

重新启动然后重新测试 - 失败。

Restart and then retested - fail.

然后我采取了不同的方法让SoapUI JVM信任所有StartCom证书。

Then I took different approach and let SoapUI JVM trust all StartCom certificates.

keytool -import -trustcacerts -alias startcom.ca -file ca.crt -keystore cacerts
keytool -import -alias startcom.ca.sub -file sub.class1.server.ca.crt -keystore cacerts

重新启动并再次失败。我现在还能做什么？

Restart and failed again. What else shall I do now?

编辑

2014-05-30 08:39:53,782 ERROR [errorlog] javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(Unknown Source)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at org.apache.http.conn.ssl.SSLSocketFactory.createLayeredSocket(SSLSocketFactory.java:446)
at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:499)
at com.eviware.soapui.impl.wsdl.support.http.SoapUISSLSocketFactory.createLayeredSocket(SoapUISSLSocketFactory.java:268)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.updateSecureConnection(DefaultClientConnectionOperator.java:200)
at org.apache.http.impl.conn.AbstractPoolEntry.layerProtocol(AbstractPoolEntry.java:277)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.layerProtocol(AbstractPooledConnAdapter.java:142)
at org.apache.http.impl.client.DefaultRequestDirector.establishRoute(DefaultRequestDirector.java:758)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:565)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:415)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:754)
at com.eviware.soapui.impl.wsdl.support.http.HttpClientSupport$Helper.execute(HttpClientSupport.java:238)
at com.eviware.soapui.impl.wsdl.support.http.HttpClientSupport.execute(HttpClientSupport.java:348)
at com.eviware.soapui.impl.wsdl.submit.transports.http.HttpClientRequestTransport.submitRequest(HttpClientRequestTransport.java:318)
at com.eviware.soapui.impl.wsdl.submit.transports.http.HttpClientRequestTransport.sendRequest(HttpClientRequestTransport.java:232)
at com.eviware.soapui.impl.wsdl.WsdlSubmit.run(WsdlSubmit.java:123)
at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

SSL调试：

adding as trusted cert:
Subject: CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
Issuer:  CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
Algorithm: RSA; Serial number: 0x1
Valid from Sun Sep 17 21:46:36 CEST 2006 until Wed Sep 17 21:46:36 CEST 2036

Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Thread-20, WRITE: TLSv1 Handshake, length = 186
Thread-20, READ: TLSv1 Alert, length = 2
Thread-20, RECV TLSv1 ALERT:  warning, unrecognized_name
SSL - handshake alert: unrecognized_name
Thread-20, handling exception: javax.net.ssl.SSLProtocolException: handshake alert:  unrecognized_name
Thread-20, SEND TLSv1 ALERT:  fatal, description = unexpected_message
Thread-20, WRITE: TLSv1 Alert, length = 2
Thread-20, called closeSocket()
Thread-20, IOException in getSession():  javax.net.ssl.SSLProtocolException: handshake alert:  unrecognized_name
09:16:12,482 ERROR [WsdlSubmit] Exception in request: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

推荐答案

好的，此问题的解决方法是设置

Ok, the fix for this problem is to set

-Djsse.enableSNIExtension=false

in $ SOAPUI_HOME / bin / soapui.bat

原因在此答案中描述： https ：//stackoverflow.com/a/14884941/1639556

The reason is described in this answer: https://stackoverflow.com/a/14884941/1639556

摘要：

Java 7介绍了默认启用的SNI支持。我发现某些配置错误的服务器在SSL握手中发出无法识别的名称警告，大多数客户端都会忽略该警告......除了Java。

Java 7 introduced SNI support which is enabled by default. I have found out that certain misconfigured servers send an "Unrecognized Name" warning in the SSL handshake which is ignored by most clients... except for Java.

更新：对于SoapUI 5.2.1我必须更改文件 SoapUI-5.2.1.vmoptions 因为修改 bat 文件无效。

Update: for SoapUI 5.2.1 I had to alter a file SoapUI-5.2.1.vmoptions because modifying bat file did not help.

这篇关于SoapUI无法连接HTTPS（SSLPeerUnverifiedException）的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！