Igor Kromin |   Consultant. Coder. Blogger. Tinkerer. Gamer.

Back in 2014 I've written an article about addressing the SSLHandshakeException in SoapUI. Technology has moved on since then so that approach no longer works and shouldn't be used. If you're getting this exception being thrown when trying to call a web service hosted in WebLogic 12.2 (running on Java 8) use this approach instead.

This is what SoapUI reports, it's the same error as back in 2014 essentially, however the root cause is quite different.
soapui_sslerr1.png


As per Java 8 SDK Cryptography Architecture documentation...
Starting with JDK 8u31, the SSLv3 protocol (Secure Socket Layer) has been deactivated and is not available by default.


The above is due to the POODLE vulnerability. This setting is confirmed by looking at $JAVA_HOME/jre/lib/security/java.security file -
 $JAVA_HOME/jre/lib/security/java.security
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \
EC keySize < 224




Great, so SSLv3 is disabled.

Now according to WebLogic 12.2 documentation...
Not setting the weblogic.security.SSL.protocolVersion system property enables the SSLv3Hello, SSLv3, and TLSv1 protocols. In addition, for JSSE, all versions starting with "TLS" are also enabled.


However since the JDK specifically disables SSLv3, the above options are not available. The solution is to use TLSv1.1 or better TLSv1.2 when connecting. This is done by adding the line below to the vmoptions.txt file in SoapUI (/Applications/SoapUI-5.3.0.app/Contents/vmoptions.txt).
 vmoptions.txt
-Dsoapui.https.protocols=TLSv1.2


I've tried and confirmed that the TLSv1 setting also doesn't work (presumably since it is also affected by POODLE). However, TLSv1.1 does work, as does the TLSv1.2.

-i

A quick disclaimer...

Although I put in a great effort into researching all the topics I cover, mistakes can happen. Use of any information from my blog posts should be at own risk and I do not hold any liability towards any information misuse or damages caused by following any of my posts.

All content and opinions expressed on this Blog are my own and do not represent the opinions of my employer (Oracle). Use of any information contained in this blog post/article is subject to this disclaimer.
Hi! You can search my blog here ⤵
NOTE: (2022) This Blog is no longer maintained and I will not be answering any emails or comments.

I am now focusing on Atari Gamer.