TLS v1.1/1.2 compliant : javax.net.ssl.SSLHandshakeException


MK

Dec 31, 2015, 1:30:47 AM
to REST assured

We are actively in the process of completely phasing out support for the SSLv3 protocol and leaving only support for secure TLSv1.1-1.2. Is REST Assured TLS v1.1/1.2 compliant? Getting javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure errors while using:


given().relaxedHTTPSValidation().auth().basic("login", "pwd").when().get(restUrl).asString();


Tried:

Object sslContext = SSLContext.getInstance("TLS");

before making the relaxedHTTPSValidation() call. That did not help either.


Appreciate your help.


Thanks!

Johan Haleby

Jan 4, 2016, 1:00:20 AM
to rest-a...@googlegroups.com
I think it should be TLS v1.1/1.2 compliant. I think you need a pretty new JVM for it to work though, make sure you're using Java 8. Also try given().relaxedHTTPSValidation("TLS") and see if that works.


MK

Jan 4, 2016, 12:42:23 PM
to REST assured
We are using jdk1.7. Is there a reason why we need Java 8?

Thanks,
MK

Johan Haleby

Jan 4, 2016, 1:23:22 PM
to rest-a...@googlegroups.com
I'm not sure if it would make any difference but I know I've run into (if I recall it correctly) similar issues when using Java 6. Upgrading to Java 8 solved the problem. I would suggest that you give it a go if it's not too much of a problem.

MK

Jan 5, 2016, 8:17:12 PM
to REST assured
Johan,
When I tried given().relaxedHTTPSValidation("TLS") I see a compilation error saying RequestSpecification cannot be applied to java.lang.String. Any pointers? I am using rest-assured v2.3.0.

Thanks,
MK

Johan Haleby

Jan 6, 2016, 3:04:43 AM
to rest-a...@googlegroups.com
Please try upgrading to the latest version and see if you have the same problem.

Apoorva Sharma

Jan 6, 2016, 8:38:38 AM
to REST assured
It might be related to the Java version of the HttpClient used by Rest Assured. Essentially, if a lower version protocol is available to the client (TLSv1.0), the connections will be initiated using the lower version first. The protocol would need to be explicitly disabled - or enable only select ones.

I worked around a similar issue by implementing a CustomSocketFactory and then instantiating Rest Assured with that Socket Factory. 

Custom Socket Factory
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.conn.ssl.X509HostnameVerifier;
import org.apache.http.params.HttpParams;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import java.io.IOException;
import java.net.Socket;

public class Sslv3SocketFactory extends SSLSocketFactory {

    private final Log log = LogFactory.getLog(getClass());

    /**
     * Instantiates a new {@link Sslv3SocketFactory}.
     *
     * @param sslContext The SSLContext.
     * @param hostnameVerifier The X509HostnameVerifier.
     */
    public Sslv3SocketFactory(SSLContext sslContext, X509HostnameVerifier hostnameVerifier) {
        super(sslContext, hostnameVerifier);
    }

    @Override
    public Socket createSocket(HttpParams params) throws IOException {
        if (log.isDebugEnabled()) {
            log.debug("createSocket: " + params);
        }

        SSLSocket socket = (SSLSocket) super.createSocket(params);
        // Protocol versions this socket may offer in the handshake.
        // As posted this enables SSLv3 and TLSv1; replace with the versions
        // that work for your server (e.g. "TLSv1.1", "TLSv1.2").
        socket.setEnabledProtocols(new String[]{"SSLv3", "TLSv1"});

        return socket;
    }
}

Passing Custom Socket factory to Rest Assured
// ctx is an already initialised javax.net.ssl.SSLContext.
// Note: ALLOW_ALL_HOSTNAME_VERIFIER turns off hostname verification of the server certificate.
org.apache.http.conn.ssl.SSLSocketFactory customSslFactory =
        new Sslv3SocketFactory(ctx, org.apache.http.conn.ssl.SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
RestAssured.config = RestAssured.config().sslConfig(
        SSLConfig.sslConfig().sslSocketFactory(customSslFactory));
RestAssured.config.getHttpClientConfig().reuseHttpClientInstance();

Johan Haleby

Jan 7, 2016, 3:01:40 AM
to rest-a...@googlegroups.com
Thanks for sharing, does that help you Meenakrish?


Bruno Fracalossi

Jun 17, 2016, 9:50:28 AM
to REST assured
Hello,

I'm facing exactly this issue. Could you please share more details about the CustomSocketFactory? I tried to implement it the way you posted, but probably I missed something, because I continue getting the "javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure" error.

Thanks,

Bruno

Rajeev Mehta

Jun 27, 2016, 12:07:11 AM
to REST assured
Thanks MK. RA version used: 2.7
given().relaxedHTTPSValidation("TLSv1.1") worked for me.

Apoorva Sharma

Jun 27, 2016, 7:56:28 AM
to REST assured
"handshake_failure" seems to suggest that the protocol used by the client is not accepted by the server. I am not sure what details about CustomSocketFactory might help you. Can you tell me what precisely you are looking for?

Also, I hope you have changed the below line with the protocols that work for your case, like TLSv1.1 or 1.2:
socket.setEnabledProtocols(new String[]{"SSLv3", "TLSv1"});


molug...@gmail.com

Jul 18, 2016, 4:40:31 PM
to REST assured
I tried this but am still receiving the same error. I am new to RestAssured and SSL. I am also trying to test in an AWS environment. It looks like I need to extend the SSLConfig class and inject my custom SSLSocketFactory (as per the AWS forum: https://forums.aws.amazon.com/thread.jspa?threadID=212959&tstart=0#669911).

I personally have no clue how to do it and which method I need to overwrite in the SSLConfig class. I am wondering if you can create a similar custom class for this?

Thanks for your help

Apoorva Sharma

Jul 18, 2016, 5:32:09 PM
to REST assured
If you look a little above in the thread at my post/reply: https://groups.google.com/d/msg/rest-assured/-NIbcY8McJU/7FA4ViHPDgAJ, it should give you a fair bit (if not an implementation). I *think* that is what you are looking for.

raam

Jul 19, 2016, 9:41:13 AM
to REST assured
Thanks for your reply Apoorva.

I did look at your Custom Socket Factory but I still couldn't figure out how to inject my custom SSLSocketFactory into the SSLConfig (http://static.javadoc.io/io.rest-assured/rest-assured/3.0.0/io/restassured/config/SSLConfig.html) class of RestAssured. A few things I am not sure about are:
 1. Which methods do I need to override in my custom SSLFactory?
 2. What params do I need to create and pass in order to create the custom SSLSocketFactory? (This will help me talk to my dev team to find out the required info.)

I have to admit I have no prior knowledge of SSL factories and RestAssured. I just started working on these.

Rohan Palkar

Feb 19, 2017, 11:18:03 AM
to REST assured
Hi,

Thanks for posting this solution.

The SSLSocketFactory has been marked deprecated with Apache Http Client 4.3 I suppose.
The equivalent that I could figure out was SSLConnectionSocketFactory. But I am not clear how to use that in RestAssured since it still accepts the SSLSocketFactory object.

Please suggest.

Regards,
Rohan Palkar

Suraj Kelkar

Aug 28, 2017, 9:38:20 AM
to REST assured
Hi All,

Many of the methods in the code below are deprecated. Not sure how to make it work. Can someone help?

-Suraj


On Wednesday, 6 January 2016 19:08:38 UTC+5:30, Apoorva Sharma wrote: