SOAP UI - ERROR:Exception in request: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure - ssl

I am trying to hit the third party webservice using SOAP UI and am getting the below exception:
ERROR:Exception in request: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
I don't have a cacert or keystore from the third party webservice, but I have a signature. By using the signature I'm able to hit the third party webservice through my application.
How to configure this signature in SOAP UI?

Adding below parameter to C:\Program Files\SmartBear\SoapUI-5.2.1\bin\SoapUI-5.2.1.vmoptions worked for me.
-Dsoapui.https.protocols=TLSv1.2,SSLv3
Check this link

Quick fix: Upgrade to SoapUI version 5.4.0. This will fix the SSL handshake issue.

After I put the line below in the file SoapUI-5.2.1.vmoptions, it worked fine for me.
File Path : SoapUI-5.2.1\bin\SoapUI-5.2.1.vmoptions
Add below Line:
-Dsoapui.https.protocols=TLSv1.2,SSLv3

I had 5.5 SOAP UI and was calling a gateway API hosted at an https URL.
I tried all the Java versions and TLS protocols; nothing worked for me.
I downloaded the certificate (for me it was truststore.jks) which I was using to connect to the API, used the certificate password (used to see all the certificates in your ) and checked the check box as shown in the image. I am able to make an https connection.

This is an old thread but my solution might help someone.
In SoapUI version 5.3.0 I solved this problem by removing line:
if exist "%SOAPUI_HOME%..\jre\bin" goto SET_BUNDLED_JAVA
from the soapui.bat and then using soapui.bat for program execution. It seems that Java embedded with SoapUI is a different version than mine which is JRE 1.8.0_131.

For me, the SSL changes alone did not work.
Check your Java version; it may differ from the SOAP-UI JRE.
In this case, go to the smartbear\SoapUI-5.2.1\bin directory, open soapui.bat and update it with a compatible Java version, like:
REM set JAVA=%SOAPUI_HOME%..\jre\bin\java
set JAVA=D:\Program Files\java\jdk1.8.0_162\bin\java
Comment out the first line with REM and update the Java directory.
Run soapui.bat.

The problem is the compatibility between the Java installed on your computer and the Java that is used by SoapUI (for me it's SOAPUI-5.5.0).
SOAP UI was not supporting the last installed version of Java very well.
Modify the file soapui.bat (usually installed here):
C:\Program Files (x86)\SmartBear\SoapUI-5.4.0\bin\soapui.bat
You can see two lines there:
if exist "%SOAPUI_HOME%..\jre\bin" goto SET_BUNDLED_JAVA
if exist "%JAVA_HOME%" goto SET_SYSTEM_JAVA
In the first line, SoapUI sets the JRE directory to the one in its own folder.
In the second line, SoapUI says that if you have Java installed, use that one instead.
So you just have to comment out the second line like this:
if exist "%SOAPUI_HOME%..\jre\bin" goto SET_BUNDLED_JAVA
rem if exist "%JAVA_HOME%" goto SET_SYSTEM_JAVA
And for me it works, whereas all the other kinds of actions (permitting TLS1.1 etc.) don't.


log4shell POC : no HTTP redirect

I am trying to understand/reproduce Log4shell vulnerability, using this poc and also information from Marshalsec.
To do that, I've downloaded Ghidra v10.0.4, which is said (on Ghidra download page) to be vulnerable to log4shell. Installed it on an ubuntu VM, along with java 1.8 (as stated in POC), and loaded the Poc + marshalsec snapshot.
Tried to start Ghidra, it said Java 11 was needed, so although I've installed Java 1.8 I still downloaded Java 11 and, when you start Ghidra, it says the installed version is not good enough and asks for the path to a Java 11 version; so I just gave it the path to the jdk11 directory and it seems happy with it. Ghidra starts alright.
Then set up my listener and launched the poc, got the payload string to copy/paste in ghidra, and got a response in the ldap listener saying it'll send it to HTTP. But nothing more. The end.
Since the HTTP server is set up by the same POC, I thought maybe I just couldn't see the redirection, so I started the http server myself, started the ldap server myself with marshalsec, and retried (see pics below for exact commands/outputs).
Setting http server:
Set listener:
Setting LDAP server:
Send payload string in Ghidra (in the help/search part, as shown in kozmer POC); immediately got an answer:
I still receive a response on the LDAP listener (two, in fact, which seems weird), but nothing on the HTTP. The Exploit class is never loaded in Ghidra (it directly sends me a pop-up saying search not found, I think it is supposed to wait for the server answer to do that?), and I get nothing back in my listener.
Note that I don't really understand this Marshalsec/LDAP thing so I'm not sure what's happening here. If anyone has time to explain, it would be nice. I've read a lot of stuff about the vuln but it rarely goes deeply into details (most is like: the payload string sends a request to the LDAP server, which redirects to the HTTP server, which will upload the Exploit class on the vulnerable app and give you a shell).
Note: I've checked, the http server is up and accessible, the Exploit.class file is here and can be downloaded.
Solved it.
Turned out for log4shell to work you need a vulnerable app and a vulnerable version of Java; which I thought I had, but nope. I had Java 11.0.15, and needed Java 11 (Ghidra needs Java 11 minimum, only vulnerable version of Java 11 is the first one).
Downloaded and installed Java 11, POC working perfectly.

Configuring Proton for SSL / TLS throwing openssl wrong version number and gRPC client error

I'm kinda at a loss here.
Trying to set up Proton with SSL / TLS access, but after creating the certificates with the (modified) shell scripts supplied by the AppDev-Pack and linking the keyring and everything in notes.ini, I always seem to get the error "Handshake failed with fatal error SSL_ERROR_SSL: error: 100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER".
Tried both a Windows and a Linux server, as well as using the accessing node.js app with and without certificates - but with no success.
Also tried the troubleshoot section of https://doc.cwpcollaboration.com/appdevpack/docs/en/proton-admin.html and it connected just fine, but won't if I connect with node.js.
Looks like the error is thrown before a certificate is even checked?
In this example the error is thrown after trying to get a document by UNID.
notes.ini (proton parts)
gRPC Client Error
If someone has an idea how to fix that issue or where to start - that would really help me.
Thanks in advance.
It appears that the client side does not have the secure flag set. At least I get a similar stack when I try to connect without TLS when the server expects TLS.
See the secure attribute when calling useServer() function, and you'll also need to provide the credentials attributes.
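
Why a cleartext peer shows up as WRONG_VERSION_NUMBER before any certificate is examined, as an added example that is not part of the original thread or of the AppDev Pack: the side speaking TLS reads the other side's first bytes as a TLS record header and rejects them on the version field. The function names and sample bytes are constructed for illustration, and the check is a simplified model of the record-header test, assumed here rather than taken from the gRPC sources.

```javascript
// Added illustration (not AppDev Pack code): a simplified model of the
// record-header check a TLS stack runs on the first bytes it receives.
const CONTENT_TYPES = { 20: 'change_cipher_spec', 21: 'alert', 22: 'handshake', 23: 'application_data' };
const H2_PREFACE = Buffer.from('PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n', 'latin1');

// Constructed sample inputs (hypothetical captures of a peer's first bytes).
const SAMPLE_CLIENT_HELLO = Buffer.from([0x16, 0x03, 0x01, 0x02, 0x00, 0x01, 0x00, 0x01, 0xfc]);
const SAMPLE_H2_CLIENT = H2_PREFACE;                                   // gRPC client with TLS off
const SAMPLE_H2_SERVER = Buffer.from([0, 0, 0, 0x04, 0, 0, 0, 0, 0]); // empty SETTINGS frame

// Guess which cleartext protocol produced bytes that failed the TLS check.
function guessPlaintext(buf) {
  if (buf.subarray(0, H2_PREFACE.length).equals(H2_PREFACE)) return 'HTTP/2 client preface';
  // HTTP/2 frame header: 3-byte length, type, flags, 4-byte stream id.
  if (buf.length >= 9 && buf[3] === 0x04 && buf.readUInt32BE(5) === 0) return 'HTTP/2 SETTINGS frame';
  if (/^(HTTP\/1\.|GET |POST )/.test(buf.toString('latin1', 0, 8))) return 'HTTP/1.x';
  return 'unknown';
}

// TLS record header: type (1 byte), version major.minor (2), length (2).
function classifyFirstBytes(buf) {
  if (buf.length < 5) return { tls: false, reason: 'SHORT_READ', plaintext: 'unknown' };
  const [type, major, minor] = buf;
  if (major !== 3) {
    // Every SSL 3.0 / TLS 1.x record carries major version 3; anything else
    // is what the handshake code reports as a wrong version number.
    return { tls: false, reason: 'WRONG_VERSION_NUMBER', plaintext: guessPlaintext(buf) };
  }
  if (!(type in CONTENT_TYPES)) return { tls: false, reason: 'UNEXPECTED_RECORD', plaintext: 'unknown' };
  return { tls: true, type: CONTENT_TYPES[type], version: `3.${minor}`, length: buf.readUInt16BE(3) };
}

for (const sample of [SAMPLE_CLIENT_HELLO, SAMPLE_H2_CLIENT, SAMPLE_H2_SERVER]) {
  console.log(classifyFirstBytes(sample));
}
```

Running the same classification over the first bytes of a packet capture shows which side of the connection is not speaking TLS.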

Showing "Could not load SSL library." in BCB6

I am using BCPPB6 to maintain some legacy projects. One of these needs to GET data from a https URL. I found that the TNMHTTP component that I have used for standard http GET operations in the past does not support https. However the Indy TIdHTTP component apparently does.
With some trial and error I have found that it needs an Intercept component (TIdConnectionInterceptOpenSSL) and needs InterceptEnabled set to true. I then found that I need to have an OpenSSL library available. Thus I downloaded the latest version from http://indy.fulgan.com/SSL/, extracted the two dll files and placed these into my application folder. However I continue to get the error "Could not load SSL library.". I have also tried it with archived versions of the OpenSSL from 2001 (around the date of my CPPB) and experimented with having the dlls in the System32 folder, all with the same error.
Is there anyone that can tell me what I am still doing wrong?
I am not sure... but I was having a similar problem (on :=IdHTTP.Get('https://...');) until I used the DLLs:
http://indy.fulgan.com/SSL/Archive/indy_OpenSSL096m.zip
Hope it helps you.

Handshake alert: unrecognized_name error

I am using Charles 3.7 to debug SSL connections. I was able to view most of the HTTPS connections, however there are 1 or 2 sites that returned "SSLProtocol: handshake alert: unrecognized_name" when I try to debug them, and I was unable to load the website with Charles on. I am able to do so using Fiddler. Any ideas on how to resolve this issue? Thanks.
I came across this when using the latest beta Charles 3.10b9 on 10.10. We fixed by using a similar method to Shade's answer:
I opened info.plist in Xcode and did the following:
Under the JVMOptions (as opposed to VMOptions) key add the string:
-Djsse.enableSNIExtension=false
Looks like this has more to do with a security improvement from Java 1.7 and server configuration than it does Charles. Can you confirm which JRM Charles is using? help -> about java
Here's an article about the same error message but after upgrading to Java 1.7:
http://www.pressingquestion.com/2030237/Ssl-Handshake-Alert-Unrecognized_name-Error-Since-Upgrade-To-Java-170
Do you need to use Charles for those sites throwing the error? You can disable SSL Proxying per site if not.
Add -Djsse.enableSNIExtension=false to the info.plist in the Contents folder for the Charles application, in:
<key>VMOptions</key>
<string>-Xmx512m -Djsse.enableSNIExtension=false</string>
Try using command line from project's path:
mvn clean install -Djsse.enableSNIExtension=false

LINQPad 4 Error in Downloading More Samples

I am having this error when I try to download LINQPad sample libraries: Error while unpacking sample queries: C:\Documents and Settings[user]\Local Settings\Temp\LINQPad\TempSampleQueries849247.zip is not a valid zip file.
I use LinqPad 4 (installed version). The weird thing is I also have LINQPad 4 (licensed standalone executable) at home and I didn't encounter any problems in downloading. Do I need to have license to be able to download the sample files?
Edit:
I am also having problems in activating my LINQPad. The error says: Unable to contact licensing server: The remote server returned an error: (407) Proxy Authentication Required. I'm pretty much sure I'm not using any proxies. Please help! Thanks.
Are you certain you're not going through a proxy? I don't see any other way you could be getting a 407 error. Entering the proxy username/password into LINQPad's proxy dialog (Edit | Preferences | Updates) should fix it.
If you're still unable to proceed, you can perform an offline activation here and download the sample libraries via a web browser here. After downloading a samples zip file, click 'Download more samples' and type in the local file path to import it.
Simple solution to prevent the proxy 407 authentication needed error when licensing or updating LINQPad: add the following to LINQPad's config file:
<system.net>
<defaultProxy useDefaultCredentials="true" />
</system.net>