SOAP UI HTTPS Decryption

3,458 views
Skip to first unread message

Sam Coombs

unread,
Jul 10, 2013, 10:44:52 AM7/10/13
to httpf...@googlegroups.com
Hi,
 
I'm trying to decrypt HTTPS communication sent from SOAP UI, but I'm getting the error message "Peer Not Authenticated" whenever the Decrypt option is selected.
 
From event logs (below) and some digging around I'm pretty sure it's something to do with the Certificates generated by Fiddler. I've removed and re-added the certificates 100 times by now and used certmgr.msc to ensure there's none left before I readded them. I did spot two possible answer on other posts. 1. where the new version of fiddler certificates don't work with SOAP UI but have been unable to track down a certificate from a previous version to test with. And 2. the certmaker is missing a -sp call, but I don't really understand what that means...
 
I'd really appreciate it if someone could have a quick check the debug logs below and confirm / deny either of those two options. Or if you can gleam some other information that might help that'd be great.
 
Thanks
 

-= Fiddler Event Log =-

See http://fiddler2.com/r/?FiddlerLog for details.

15:28:19:3881 Fiddler Running...

15:28:26:3091 /Fiddler.CertMaker> Invoking makecert.exe with arguments: -r -ss my -n "CN=DO_NOT_TRUST_FiddlerRoot, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com" -sky signature -eku 1.3.6.1.5.5.7.3.1 -h 1 -cy authority -a sha1 -m 132 -b 07/09/2012

15:28:26:3261 /Fiddler.CertMaker>1-CreateCert(DO_NOT_TRUST_FiddlerRoot) => (0).

15:29:14:8811 !Chunked encoding is permitted only in the Transfer-Encoding header. Content-Encoding: chunked

15:29:27:3591 /Fiddler.CertMaker> Invoking makecert.exe with arguments: -pe -ss my -n "CN=example.example.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com" -sky exchange -in DO_NOT_TRUST_FiddlerRoot -is my -eku 1.3.6.1.5.5.7.3.1 -cy end -a sha1 -m 132 -b 07/09/2012

15:29:27:5901 /Fiddler.CertMaker>16-CreateCert(example.example) => (0).

15:29:27:6401 !SecureClientPipeDirect failed: A call to SSPI failed, see inner exception. < An unknown error occurred while processing the certificate on pipe to (CN=example.example.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com).

 

 

 

EricLaw

unread,
Jul 10, 2013, 1:51:38 PM7/10/13
to httpf...@googlegroups.com
SOAPUI is based on Java, which doesn't use the Windows Certificate store; it instead trusts its own set of root certificates found inside the file C:\program files (x86)\SmartBear\soapUI-4.5.2\jre\lib\security\cacerts.
 
You can export Fiddler's root certificate using the button on the Tools > Fiddler Options > HTTPS tab.
 
You can update the cacerts file by following these instructions: http://support.smartbear.com/viewarticle/20558/

Sam Coombs

unread,
Jul 12, 2013, 4:34:45 AM7/12/13
to httpf...@googlegroups.com
Hi,
 
That was spot on, and helped crack open a web service that's been bothering me for weeks, really useful!
 
Cheers

EricLaw

unread,
Jul 12, 2013, 11:42:23 AM7/12/13
to httpf...@googlegroups.com
Awesome, glad to hear it! If you don't mind, can you let us know if there were any steps in the process that weren't obvious or not mentioned in the post I cited? I'd love to have a record of what needs to be done for the next person who tries to get Fiddler working with SOAPUI.  thanks!

Jérémie Bertrand

unread,
Jul 11, 2014, 8:31:44 AM7/11/14
to httpf...@googlegroups.com
Hi,

I have been able to get the .cert file from Fiddler but I don't know how to update the cacerts file, the linked article is for CodeCollaborator and use some folders/files that I don't have with SoapUI.
Can you help me please ?

Thanks.

EricLaw

unread,
Jul 11, 2014, 10:05:51 AM7/11/14
to httpf...@googlegroups.com
Unfortunately, no, I don't use SoapUI and don't have any experience with it. That sounds like a great question for a SoapUI forum or StackOverflow.

Robert Hattori

unread,
Jul 31, 2014, 1:07:58 PM7/31/14
to httpf...@googlegroups.com
Adding for future reference...
SoapUI's cacerts file is typically in "c:\Program Files (x86)\SmartBear\SoapUI-5.0.0\jre\lib\security\" (or whatever version and file path it installs at).

This is how I added Fiddler's root certificate.  No insult intended by the overly-simplified steps (and apologies for being too lazy to use environment variables):
1.In Fiddler, export the root certificate (to your desktop):
  a. Tools --> Fiddler Options... --> HTTPS (tab) --> Export Root Certificate to Desktop (button)
2. Open a command prompt (probably need to run as administrator):
  a. c:
  b. cd "c:\Program Files (x86)\SmartBear\SoapUI-5.0.0\jre\lib\security\"
  c. At the > prompt, back up your certs file:
     xcopy cacerts cacerts.bak
  d. At the > prompt, add the certificate:
     ..\..\bin\keytool.exe -import -alias fiddler -file "c:\Users\<username>\Desktop\FiddlerRoot.cer" -keystore cacerts -storepass changeit
     When prompted to trust, answer 'yes'
3. Restart SoapUI
4. Set the proxy in SoapUI (NOTE: remember to turn this off if Fiddler is not running)
   a. File --> Preferences --> Proxy Settings (tab) --> then set the following:
      i. Proxy Setting: Manual (radio button)
      ii. Host: 127.0.0.1
      iii. Port: 8888

Reply all
Reply to author
Forward
0 new messages