SoapUI https handshake_failure

Environment

Windows 7

SoapUI 3.6

Tomcat 7

Symptom

When using SoapUI to call an HTTPS web service, the exception “javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure” occurs.

Solution 1

Step 1. Add “-Djavax.net.debug=ssl:verbose” to soapui.bat to get a detailed SSL log.

Step 2. The console shows:

pool-1-thread-5, WRITE: TLSv1 Handshake, length = 213
pool-1-thread-5, WRITE: SSLv2 client hello message, length = 227
pool-1-thread-5, READ: TLSv1 Alert, length = 2
pool-1-thread-5, RECV TLSv1 ALERT:  fatal, handshake_failure
pool-1-thread-5, called closeSocket()
pool-1-thread-5, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

At first, I tried adding more Java options to SoapUI (e.g. soapUI-Pro-3.6.vmoptions), such as “-Dsoapui.https.ciphers=…”, “-Dsoapui.https.protocols=…”, “-Dsun.security.ssl.allowUnsafeRenegotiation=true”, but had no luck.

Finally, I decided to modify the Tomcat config. I added “sslEnabledProtocols” to server.xml and re-ran SoapUI, and it worked.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
  maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
  clientAuth="false" sslProtocol="TLS"
  sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
  ......
/>
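
An added example (not from the original post): a small Python reader for the -Djavax.net.debug console output shown in Step 2. It shows that the fatal alert was the only record the server sent, so the ClientHello itself was rejected and the protocol settings are the place to look. The function names and finding texts are assumptions of this example, and the heuristic covers only the line shapes shown above.

```python
import re

# Line shapes printed by -Djavax.net.debug=ssl, as seen in the console output above.
RECORD = re.compile(r"^(?P<thread>[^,]+), (?P<dir>WRITE|READ): (?P<ver>\S+) (?P<kind>.+?), length = \d+")
ALERT = re.compile(r"^(?P<thread>[^,]+), RECV (?P<ver>\S+) ALERT:\s+(?P<level>\w+), (?P<desc>\w+)")

# The six console lines from the post, used here as sample input.
SAMPLE_LOG = """\
pool-1-thread-5, WRITE: TLSv1 Handshake, length = 213
pool-1-thread-5, WRITE: SSLv2 client hello message, length = 227
pool-1-thread-5, READ: TLSv1 Alert, length = 2
pool-1-thread-5, RECV TLSv1 ALERT:  fatal, handshake_failure
pool-1-thread-5, called closeSocket()
pool-1-thread-5, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
"""

def summarize(log_text):
    """Group debug lines by thread: records the client wrote, records it read, last alert."""
    threads = {}
    for line in log_text.splitlines():
        m = RECORD.match(line) or ALERT.match(line)
        if not m:
            continue  # closeSocket(), exception text, hex dumps, etc.
        t = threads.setdefault(m["thread"], {"client_sent": [], "server_sent": [], "alert": None})
        if m.re is ALERT:
            t["alert"] = (m["level"], m["desc"])
        elif m["dir"] == "WRITE":
            t["client_sent"].append((m["ver"], m["kind"]))
        else:
            t["server_sent"].append((m["ver"], m["kind"]))
    return threads

def diagnose(t):
    """Heuristic finding for one thread's summary (wording is this example's own)."""
    alert = t["alert"]
    if alert is None or alert[0] != "fatal":
        return "no fatal alert received"
    v2_hello = ("SSLv2", "client hello message") in t["client_sent"]
    answered = any(kind == "Handshake" for _, kind in t["server_sent"])
    if answered:
        return f"{alert[1]} after the server answered: failure is later in the handshake"
    if v2_hello:
        return f"{alert[1]} before any ServerHello, client sent an SSLv2-format hello: compare enabled protocols"
    return f"{alert[1]} before any ServerHello: no common protocol or cipher suite"

if __name__ == "__main__":
    for name, t in summarize(SAMPLE_LOG).items():
        print(name, "->", diagnose(t))
```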

Solution 2 (For SoapUI 3.6)

Step 1. Add JAVA_OPTS to soapui-pro.bat (Optional)

set JAVA_OPTS=%JAVA_OPTS% -Dsoapui.https.protocols="SSLv3,TLSv1.2"

Step 2. Rename the folder “soapUI-Pro-3.6\jre” to “soapUI-Pro-3.6\jre.ignore”. SoapUI will then find a Java installation elsewhere, e.g. via %Path%; my environment is JDK1.8.0_121. The default JRE bundled with SoapUI 3.6 is too old and does not support TLSv1.2.

Step 3. Start SoapUI with soapui-pro.bat (you can create a desktop shortcut). Done.

[Update]

SoapUI 4.5.1 works fine even when Tomcat has no “sslEnabledProtocols” attribute. I think there are some implementation differences between SoapUI 3.6 and SoapUI 4.5.1?

Well, it’s all about the JDK version.

