Mutual certificates authentication in SoapUI - web-services

I have a JAX-WS web service. I've successfully tested it with SoapUI, but now I've added mutual authentication security: client and server just exchange X.509 certificates. How do I configure SoapUI to have its own certificate and validate the server's one? Without any passwords, signatures or encryption, just certificates.

Check out these links:
Tryst with Technology: 2 (two) way SSL using soapUI as client and server
soapUI SSL Settings

It looks like client certificate authentication has been broken in SoapUI since version 4.6.4. You can modify the source code like this:
Line 273 of class com.eviware.soapui.impl.wsdl.support.http.SoapUISSLSocketFactory needs to be changed from
SSLSocket sslSocket = ( SSLSocket )getSocketFactory().createSocket( socket, host, port, autoClose );
to
SSLSocket sslSocket = ( SSLSocket )sslContext.getSocketFactory().createSocket( socket, host, port, autoClose );
Posted on http://forum.soapui.org/viewtopic.php?f=13&t=23441

Related

How do I use a Tor proxy with my client/server chat app (C++)?

I have a client/server app, and I want my client to use the Tor proxy which I've downloaded from the Tor website, and connect over that proxy to my server, which has an onion address.
I have the code that uses the proxy, but the problem is that the server is designed to send an authentication string that needs to be changed in a certain way so that only my clients can be accepted by the server.
But when the proxy checks if the server is up, my server sends the authentication string to the proxy.
The question is: how do I know, from the server's end, that it is the proxy checking the server rather than the client?
At the server's end, I do nothing but listen and accept the client, as you would do using sockets without a proxy.

OpenSSL client certificate OCSP stapling in client

I am working on a project where both the server and client side send certificates for mutual authentication. For the revocation part, the server can always use OCSP stapling and the client can verify that, but I couldn't find any way to add an OCSP stapling response for the client. Is that even possible in the OpenSSL library?

GNU libmicrohttpd with client TLS allows empty certificate

I am using GNU libmicrohttpd to establish an HTTPS server. My requirement is that the server and the client both authenticate during the TLS handshake; however, what I observe is that even if the client sends an empty certificate, the connection is accepted.
In Wireshark I see that the server requests a certificate and the client sends a certificate with length 0. How do I make libmicrohttpd not accept that case, so that the certificate must always be verified against the provided CA PEM?
if (!(server_handle = MHD_start_daemon(flags, port, NULL, NULL,
        &mhttpd_layer::access_handler_callback, callback_data,
        // now, continue with the options
        MHD_OPTION_NOTIFY_COMPLETED, &mhttpd_layer::request_completed_callback, l_callback_data,
        MHD_OPTION_SOCK_ADDR, (sockaddr*) &(it->addr),
        MHD_OPTION_CONNECTION_TIMEOUT, it->conn_timeout,
        MHD_OPTION_CONNECTION_LIMIT, it->conn_limit,
        MHD_OPTION_PER_IP_CONNECTION_LIMIT, it->per_ip_conn_limit,
        // HTTPS certificate options
        MHD_OPTION_HTTPS_MEM_KEY, it->https_key_buff.data(),
        MHD_OPTION_HTTPS_MEM_CERT, it->https_cert_buff.data(),
        MHD_OPTION_HTTPS_MEM_TRUST, it->https_turst_ca_buff.data(),
        MHD_OPTION_END)))
Maybe I should manually retrieve the certificate in the access callback, as described in their tutorial (https://www.gnu.org/software/libmicrohttpd/tutorial.html#Adding-a-layer-of-security)? In that case, why do I provide the CA at all? This doesn't seem the proper way to me.

how to initialize server context using gsoap to enable simple authentication (server only authentication)

I have server.pem and a server.jks for a back-end which is my client (SoapUI). I initialize the SSL server context in order to enable simple authentication for my web service as follows:
int ssl_connection_flag = SOAP_SSL_DEFAULT; // Simple authentication
int soap_result = soap_ssl_server_context(soap_object,
    ssl_connection_flag,
    m_key_file.c_str(),      /* keyfile: required when server must authenticate to clients (see SSL docs on how to obtain this file) */
    l_recover.c_str(),       /* password to read the key file (not used with GNUTLS) */
    m_ca_certs_file.c_str(), /* optional cacert file to store trusted certificates */
    NULL,                    /* optional capath to directory with trusted certificates */
    NULL,                    /* DH file name or DH key len bits (minimum is 512, e.g. "512") to generate DH param, if NULL use RSA */
    NULL,                    /* optional randfile to seed randomness */
    NULL);                   /* optional server identification for session caching */
The trouble is, when I look in Wireshark after sending my request from SoapUI to the remote PC where my server is located, the decoding looks like there is mutual authentication going on.
But when I replace SOAP_SSL_DEFAULT with SOAP_SSL_NO_AUTHENTICATION and send the same request, in Wireshark it looks like only simple (server-only) authentication is going on.
That confuses me, because according to the gSOAP documentation the TLS/SSL option SOAP_SSL_NO_AUTHENTICATION disables both client and server authentication.
So my question is: what am I doing wrong?
Thanks in advance for your responses.
Best regards.
The SOAP_SSL_NO_AUTHENTICATION flag on the server side does not prevent the client from requesting the server to authenticate. This flag disables the requirement for a peer to authenticate to the requesting side. In your case the client is the requesting side and the flag is set at the server side.
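As an added check that is not part of either post above (the libmicrohttpd question about an empty client certificate being accepted, and the gSOAP question about reading the handshake in Wireshark), the shell script below reproduces the two server behaviours with the openssl command-line tool alone: a server that merely requests a client certificate (s_server -verify) completes the handshake when the client sends none, while a server that requires one (s_server -Verify) aborts it. It assumes openssl 1.1.1 or 3.x on PATH and a free loopback TCP port, and it builds a constructed throw-away CA, server certificate and client certificate in a temporary directory; no real hosts or credentials are involved.

```shell
#!/bin/sh
# Added example (not from any post above): a local "requested vs required"
# check for client-certificate authentication using only the openssl CLI.
# Assumptions: openssl on PATH, a free loopback port, throw-away PKI below.
set -e

WORK=$(mktemp -d)
PORT=$((20000 + $$ % 20000))
SERVER_PID=
trap 'if [ -n "$SERVER_PID" ]; then kill "$SERVER_PID" 2>/dev/null || true; fi; rm -rf "$WORK"' EXIT

# Constructed PKI: one CA that signs one server and one client certificate.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  for name in server client; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/$name.csr" -CA "$WORK/ca.pem" \
      -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$name.pem" >/dev/null 2>&1
  done
}

# Client side of the handshake. $1 is "with_cert" or "no_cert".
# Exit status 0 means the TLS 1.2 handshake completed; a server alert gives 1.
# TLS 1.2 is forced so a refusal shows up inside the handshake, not afterwards.
tls_handshake() {
  if [ "$1" = with_cert ]; then
    set -- -cert "$WORK/client.pem" -key "$WORK/client.key"
  else
    set --
  fi
  openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 -CAfile "$WORK/ca.pem" \
    -verify_return_error "$@" </dev/null >/dev/null 2>&1
}

# Server side. $1 is the s_server flag: -verify (request a client cert but
# accept none) or -Verify (require one). -www keeps s_server off stdin so it
# can run in the background.
start_server() {
  openssl s_server -accept "$PORT" -www -tls1_2 \
    -cert "$WORK/server.pem" -key "$WORK/server.key" \
    -CAfile "$WORK/ca.pem" "$1" 1 </dev/null >/dev/null 2>&1 &
  SERVER_PID=$!
  # Wait until the listener answers a known-good handshake.
  tries=0
  until tls_handshake with_cert; do
    tries=$((tries + 1))
    [ "$tries" -lt 20 ] || { echo "server on port $PORT did not come up" >&2; return 1; }
    sleep 1
  done
}

stop_server() {
  kill "$SERVER_PID" 2>/dev/null || true
  wait "$SERVER_PID" 2>/dev/null || true
  SERVER_PID=
}

# Prints "accepted" or "rejected" for one client configuration.
outcome() {
  if tls_handshake "$1"; then echo accepted; else echo rejected; fi
}

# Runs both server modes and reports each handshake on one line. Expected:
# -verify:no_cert=accepted,with_cert=accepted -Verify:no_cert=rejected,with_cert=accepted
run_matrix() {
  result=
  for mode in -verify -Verify; do
    start_server "$mode"
    result="$result $mode:no_cert=$(outcome no_cert),with_cert=$(outcome with_cert)"
    stop_server
  done
  echo "${result# }"
}

make_pki
run_matrix
```

The same pair of handshakes, pointed at your own server instead of the local s_server, tells you which of the two behaviours it has independently of the library: if the no_cert handshake is accepted, the server only requests a client certificate and the verification has to happen elsewhere (for libmicrohttpd, in the access handler as the linked tutorial describes; gSOAP exposes the requirement on the server context as SOAP_SSL_REQUIRE_CLIENT_AUTHENTICATION). A CertificateRequest in the capture therefore shows only that the server asked, not that it insisted.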

Add certificate to both server and client using WCF and gSOAP

I have a WCF web service that needs to be secured using the SSL/TLS protocol. On the other hand, I have a C++ client that consumes the WCF web service using the gSOAP library. Currently only the server needs to have a certificate. Now I have been tasked with enforcing that the client has a certificate too. My earlier implementation for the client is like this:
soap_ssl_init();
// SOAP_SSL_NO_AUTHENTICATION: the channel is encrypted, but the server certificate is not verified
int soapResult = soap_ssl_client_context(soapPtr, SOAP_SSL_NO_AUTHENTICATION, "client.pem", NULL,
                                         NULL, "cacert.pem", NULL);
if (soapResult)
{
    soap_print_fault(soapPtr, stderr);
    throw new ClientLogException("Can not use ssl for communications!");
}
struct soap mySoap = *soapPtr;
WSHttpBinding_USCOREILogServicesProxy proxy(mySoap);
input.request = &request;
int callCode = proxy.CallWebService(WEB_SERVICE_ADDRESS, NULL, &input, response);
if (callCode != 0)
{
    // Stream the integer: "literal" + int is pointer arithmetic on the string, not concatenation
    cout << "Web service call code: " << callCode << endl;
    std::string message = "Error in calling web service with call code: " + std::to_string(callCode);
    throw new ClientLogException(message.c_str());
}
which I took from the gSOAP documentation. It works fine with only the server required to have a certificate. I viewed the communication using Wireshark and the connection was completely encrypted.
Now, for enforcing the client to use a certificate, I am going to use the "Nine simple steps to enable X.509 certificates on WCF" article. But the article uses a C# WCF client. I must implement the client configuration in my gSOAP C++ client. I can add the client certificate in the above code when calling soap_ssl_client_context, in the third parameter.
I have 2 problems here:
1- I don't know whether it is possible to call a web service where both client and server have certificates and the communication is secured when the server uses WCF and the client uses gSOAP.
2- In the CodeProject article it seems that the web service call is using HTTP, and I wonder whether there is no encryption in the communication.
In the end, if anyone has a better solution or recommends other tools, that will be welcome.
HTTPS works out of the box with gsoap if you compile with -DWITH_OPENSSL and link against the OpenSSL libs. The out-of-the-box default settings will encrypt messages with https://, but this does not enforce authentication because you need to register the server certificates first with soap_ssl_client_context() as you point out.
To authenticate both server and client, the gsoap manual suggests the following:
int soapResult = soap_ssl_client_context(soapPtr,
    SOAP_SSL_DEFAULT, // requires server to authenticate
    "client.pem",     // client cert (+public key) to authenticate to server
    "password",       // you need this when client.pem is encrypted
    NULL,             // capath to certs, when used
    "cacert.pem",     // should contain the server cert
    NULL);
Also, you may need to convert PEM to CER (or the other way) for Windows.