Thursday, October 24, 2013

How to make SoapUI SSL compatible.

I have run into the error message "javax.net.ssl.SSLException: Request followed by an unexpected handshake message" many times when trying to import a WADL/WSDL into SoapUI. It sometimes turns into a pain and takes a lot of time to find a way around it. Of course, the easiest way is to use http instead of https and port 80/8080 instead of 443/8443, but that is not a solution. My way is different from the ones I found.

Part 1 : A good signed certificate.
----------------------------------

NOTICE: If you see the message "No subject alternative names present" after the SSL Handshake Exception error, this part won't work (nor will any of the other links provided below); instead you need to do the tricks I describe in Part 2 (scroll down). However, you eventually need to do the Part 1 steps too.

1- Save the SSL certificates in .der format (I don't know why other formats give different results). To create .der certificate files you can use Firefox: click on the lock icon at the left of the URL, click on "More Information" and then follow the rest by checking this picture:



2- Copy all your certificates into an easy-to-find folder (I have them in c:\certs).
3- Change into the jre/lib/security directory under your SoapUI installation directory (for me c:\Program Files (x86)\SmartBear\soapUI-4.5.2\jre\lib\security), then run the following commands (or copy & paste them WITH the quotation marks, replacing the path and cert parts):

You might need to run these commands as administrator if you get a permission error like this:
keytool error: java.io.FileNotFoundException: cacerts (Access is denied)
"C:\Program Files\SmartBear\soapUI-Pro-4.5.2\jre\bin\keytool.exe" -import -keystore cacerts -alias PSSRTCERT01-CA -file "C:\certs\PSSRTCERT01-CA.der"

4- Sometimes you need to save the certificate twice: once with the regular suggested name and a second time with the server URI as the name. Then, as in step 3, import the second (but identical) .der file:

"C:\Program Files\SmartBear\soapUI-Pro-4.5.2\jre\bin\keytool.exe" -import -keystore cacerts -alias aaaapi.test.abc.defghi.net -file "C:\certs\aaaapi.test.abc.defghi.net.der"
Each time you will be prompted for the keystore password (probably the default "changeit") and asked to confirm that you want to import it.
Notes:
Run as administrator if you run into permission issues.
Make sure to use the keytool in the jre directory of your SoapUI installation.
Make sure to import the certs into the cacerts file of your SoapUI installation.
Sometimes you need to reboot Windows, and you always need to close and re-run SoapUI.
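Steps 2 to 4 above, batched into a script, as an added example (this is not code from the original post or from SoapUI). It uses the post's own paths for keytool, cacerts and the c:\certs folder, which you must change to yours; the password is the default "changeit" the post mentions. Every .der file is checked to really be DER-encoded before a command is built for it, the alias is taken from the file name (so a second copy saved under the server URI, as step 4 describes, gets that URI as its alias), and the keytool calls are only executed when you pass --apply.

```python
"""Batch the Part 1 keytool imports into the SoapUI JRE's cacerts.

Added example, not code from the original post or from SoapUI. Paths are
the post's own; change them to yours.
"""
import subprocess
import sys
from pathlib import Path

# Assumed locations, taken from the post; adjust to your SoapUI install.
KEYTOOL = r"C:\Program Files\SmartBear\soapUI-Pro-4.5.2\jre\bin\keytool.exe"
CACERTS = r"C:\Program Files\SmartBear\soapUI-Pro-4.5.2\jre\lib\security\cacerts"
CERT_DIR = r"C:\certs"
STOREPASS = "changeit"  # default cacerts password; keytool prompts otherwise


def cert_format(head: bytes) -> str:
    """Classify a certificate file by its first bytes. A DER X.509 certificate
    starts with a SEQUENCE tag (0x30) followed by a long-form length byte;
    a PEM file starts with a text header. Anything else is left alone."""
    if head.startswith(b"-----BEGIN"):
        return "pem"
    if len(head) >= 2 and head[0] == 0x30 and head[1] & 0x80:
        return "der"
    return "unknown"


def build_import_command(cert_path: str, alias: str, keytool: str = KEYTOOL,
                         cacerts: str = CACERTS, storepass: str = STOREPASS) -> list:
    """The same keytool import the post runs by hand, made non-interactive."""
    return [keytool, "-import", "-noprompt",
            "-keystore", cacerts, "-storepass", storepass,
            "-alias", alias, "-file", cert_path]


def plan_imports(cert_dir: str, **kw) -> tuple:
    """Return (commands, skipped): one command per real DER file in cert_dir,
    plus the .der files whose content is not actually DER."""
    commands, skipped = [], []
    for path in sorted(Path(cert_dir).glob("*.der")):
        fmt = cert_format(path.read_bytes()[:10])
        if fmt != "der":
            skipped.append((path.name, fmt))
            continue
        # Alias = file name without extension, e.g. PSSRTCERT01-CA or the
        # server URI when the cert was saved a second time under that name.
        commands.append(build_import_command(str(path), path.stem, **kw))
    return commands, skipped


def run_imports(commands: list) -> list:
    """Execute each import and collect (alias, return code, output). An
    'Access is denied' message is the permission error the post mentions:
    re-run the script as administrator."""
    outcome = []
    for cmd in commands:
        proc = subprocess.run(cmd, capture_output=True, text=True)
        alias = cmd[cmd.index("-alias") + 1]
        outcome.append((alias, proc.returncode, proc.stdout + proc.stderr))
    return outcome


if __name__ == "__main__":
    cmds, skipped = plan_imports(CERT_DIR)
    for name, fmt in skipped:
        print(f"skipping {name}: content looks like {fmt}, not DER")
    for cmd in cmds:
        print(subprocess.list2cmdline(cmd))
    if "--apply" in sys.argv:
        for alias, rc, out in run_imports(cmds):
            print(alias, "ok" if rc == 0 else f"failed ({rc})", out.strip())
```

Run it once without --apply to review the commands it would execute, then with --apply from an administrator prompt. A file that was exported as PEM but named .der is reported instead of imported, which is the "other formats show different results" case from step 1.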

That should be enough to get rid of the SSL handshake error; it fixed the issue for me. If it didn't work for you, there are three other ways you can try (unfortunately SoapUI is not very good at SSL connections):


Part 2: Bad self-signed certificates
------------------------------------
Sometimes you have to deal with self-signed certificates that were generated improperly. The most common mistake is putting a wrong name in the CN field or not adding a Subject Alternative Name for the host.

To overcome this problem (if you can't ask the admin to generate a better certificate), you'll need to spoof the URL. This is a little tricky, but you'll enjoy it :)
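Why the CN and the Subject Alternative Name decide between Part 1 and Part 2, as an added example (not code from the original post or from SoapUI): the script below reproduces the rules a Java HTTPS client applies when it compares the URL host against the server certificate, which is what produces the "No subject alternative names present" message. The two sample certificates, BAD_SELF_SIGNED and GOOD_CERT, are constructed for this example; the function names are mine.

```python
"""Reproduce the hostname check a Java HTTPS client (such as SoapUI) applies.

Added example, not code from the original post or from SoapUI. Rules:
  * URL host is an IP address -> only SAN "IP Address" entries count, and
    without any SAN extension the client reports
    "No subject alternative names present".
  * URL host is a DNS name    -> SAN "DNS" entries count; only when the
    certificate has no DNS SAN does the client fall back to the subject CN.
Certificates use the dict layout of ssl.SSLSocket.getpeercert(), so a dict
taken from a live connection can be passed in unchanged.
"""
import ipaddress


def _is_ip_literal(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive compare; '*' only as the whole left-most label and
    never matching across a dot (RFC 6125 style)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p, h = pattern.split("."), host.split(".")
    if p[0] != "*" or len(p) < 3 or len(p) != len(h):
        return False
    return p[1:] == h[1:]


def certificate_names(cert: dict) -> dict:
    """Extract DNS SANs, IP SANs and the subject CN from a getpeercert() dict."""
    san = cert.get("subjectAltName")
    names = {"has_san": san is not None,
             "dns": [v for k, v in (san or ()) if k == "DNS"],
             "ip": [v for k, v in (san or ()) if k == "IP Address"],
             "cn": None}
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names["cn"] = value
    return names


def diagnose(cert: dict, url_host: str) -> dict:
    """Say whether the check passes and why; when it fails, hosts_entry_name
    is the name to map to the server's IP in the hosts file (the Part 2 trick)."""
    n = certificate_names(cert)
    r = {"host": url_host, "verified": False, "reason": "", "hosts_entry_name": None}
    if _is_ip_literal(url_host):
        wanted = ipaddress.ip_address(url_host)
        if not n["has_san"]:
            r["reason"] = "No subject alternative names present"
        elif any(_is_ip_literal(v) and ipaddress.ip_address(v) == wanted for v in n["ip"]):
            r["verified"] = True
        else:
            r["reason"] = "no SAN IP entry matches " + url_host
    elif n["dns"]:
        if any(dns_name_matches(p, url_host) for p in n["dns"]):
            r["verified"] = True
        else:
            r["reason"] = "no SAN DNS entry matches " + url_host
    elif n["cn"] and dns_name_matches(n["cn"], url_host):
        r["verified"] = True
        r["reason"] = "matched on CN fallback (certificate has no DNS SAN)"
    else:
        r["reason"] = "neither SAN nor CN matches " + url_host
    if not r["verified"]:
        # A hosts-file entry only helps for a plain DNS name the certificate
        # carries: a wildcard or an IP-literal CN cannot be typed as the URL host.
        candidates = n["dns"] or ([n["cn"]] if n["cn"] else [])
        usable = [c for c in candidates if "*" not in c and not _is_ip_literal(c)]
        r["hosts_entry_name"] = usable[0] if usable else None
    return r


# Constructed samples (not real certificates): a self-signed one with a CN but
# no SAN, as in the NOTICE in Part 1, and a properly issued one with SANs.
BAD_SELF_SIGNED = {"subject": ((("commonName", "creepyWord"),),)}
GOOD_CERT = {"subject": ((("commonName", "aaaapi.test.abc.defghi.net"),),),
             "subjectAltName": (("DNS", "aaaapi.test.abc.defghi.net"),
                                ("DNS", "*.test.abc.defghi.net"))}

if __name__ == "__main__":
    for cert, host in [(BAD_SELF_SIGNED, "1.2.3.4"), (BAD_SELF_SIGNED, "creepyWord"),
                       (GOOD_CERT, "1.2.3.4"), (GOOD_CERT, "other.test.abc.defghi.net")]:
        print(diagnose(cert, host))
```

Connecting to the SAN-less certificate by IP is exactly the "No subject alternative names present" case, and diagnose() returns the CN as hosts_entry_name: that is the "creepyWord" you map to the server's IP in the hosts file and then use as the URL host, after which the same check passes on the CN fallback. A certificate whose CN is itself an IP address (as in the comment at the end of this post) gets no usable name, because the URL host would still be an IP literal and only SAN IP entries are ever compared against those.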

1- Check the certificate CN (look at the details using mmc, Firefox, Chrome, Internet Options, whatever). CN is a creepy word that SoapUI thinks is the URL. Well, when someone is looking for crap, let's give him the crap.
2- Edit your Windows hosts file (you might need admin access). The hosts file is usually located at:
%SystemRoot%\system32\drivers\etc\hosts
Simply open it and add a line like this:
1.2.3.4 creepyWord

Here the IP is your host's IP and creepyWord is what you see in the CN field.
Save the file.


3- As in Part 1, import the cert into the JRE used by SoapUI, at:
C:\Program Files (x86)\SmartBear\soapUI-Pro-4.5.1\jre\lib\security
Again, this is my SoapUI folder, not yours; change the paths.

Use the keytool import command:
keytool -import -alias host_name -file "C:\certs\freakingCertificateName.cer" -keystore cacerts

4- Restart SoapUI, go into Preferences, SSL tab, and point it to the cacerts keystore.

5- OK, another tricky part. Don't import the WADL/WSDL directly from the URL into SoapUI. Instead, save the WADL/WSDL content as a file on your computer. Then replace the host in the content with the name you assigned in the hosts file (for example, if you see 'https://1.2.3.4:8443/xxx', change it to 'https://creepyWord:8443/xxx').

6- Import the local WADL you modified into your SoapUI project. It will work and you will be blessing me.




1 comment:

  1. Can you give me an example of creepy word? I have an IP address like
    owner: CN=1.2.3.4