topic Re: Soap https broken in Active IQ Unified Manager Discussions

Soap https broken

francoisbnc — Wed, 04 Jun 2025 15:14:52 GMT

I experience an issue when I tried to call WFA workflows through https soap call in python.

Basically I receive

requests.exceptions.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure in ssl python module

>>> print (ssl.OPENSSL_VERSION)
OpenSSL 1.0.2k 26 Jan 2017

I think is related to wfa broken https communication, I can see with Chrome in Security Overview when connected though https interface

Obsolete Connection Settings
The connection to this site uses a strong protocol (TLS 1.2), an obsolete key exchange (RSA), and an obsolete cipher (3DES_EDE_CBC with HMAC-SHA1).

Is there a way to change the cipher and key exchange on WFA server side.

Same issue with WFA 4.0 and WFA 4.1RC1

Any help appreciated

Re: Soap https broken https

anuk — Tue, 04 Apr 2017 11:07:48 GMT

Hi,

SSLv3 is disabled in WFA server from 3.0GA onwards due to security reasons. Hence the connection failure. TLSv1,TLSv1.1,TLSv1.2 are the supported protocols. Could you please try to connect with the supported protocols.

Thanks and Regards

Anu

Re: Soap https broken

francoisbnc — Tue, 04 Apr 2017 14:16:19 GMT

I do my connection via TLS1_2

Broken https is not relayed to SSLv3, but weak tls cipher, find the supported ciphers (all are obsolete)

SCAN RESULTS FOR ITS-WFADEV.SWATCHGROUP.NET:443 - 10.140.16.45
 --------------------------------------------------------------

  * Deflate Compression:
                                         OK - Compression disabled

  * Certificate Basic Information:
      SHA1 Fingerprint:                  3aba9c83639b784b0fefa41bc7efed51d8e01f14
      Common Name:                       GDC01249.swatchgroup.net
      Issuer:                            GDC01249.swatchgroup.net
      Serial Number:                     6556000F
      Not Before:                        Apr 18 14:32:11 2016 GMT
      Not After:                         Apr 18 14:32:11 2019 GMT
      Signature Algorithm:               sha256WithRSAEncryption
      Public Key Algorithm:              rsaEncryption
      Key Size:                          2048
      Exponent:                          65537 (0x10001)

  * Certificate - Trust:
      Hostname Validation:               FAILED - Certificate does NOT match its-wfadev.swatchgroup.net
      Apple CA Store (OS X 10.11.6):     FAILED - Certificate is NOT Trusted: self signed certificate
      AOSP CA Store (7.0.0 r1):          FAILED - Certificate is NOT Trusted: self signed certificate
      Mozilla CA Store (09/2016):        FAILED - Certificate is NOT Trusted: self signed certificate
      Java 7 CA Store (Update 79):       FAILED - Certificate is NOT Trusted: self signed certificate
      Microsoft CA Store (09/2016):      FAILED - Certificate is NOT Trusted: self signed certificate
      Received Chain:                    GDC01249.swatchgroup.net
      Verified Chain:                    ERROR - Could not build verified chain (certificate untrusted?)
      Received Chain Contains Anchor:    ERROR - Could not build verified chain (certificate untrusted?)
      Received Chain Order:              OK - Order is valid
      Verified Chain contains SHA1:      ERROR - Could not build verified chain (certificate untrusted?)

  * Certificate - OCSP Stapling:
                                         NOT SUPPORTED - Server did not send back an OCSP response.

  * SSLV2 Cipher Suites:
      Server rejected all cipher suites.

  * Session Renegotiation:
      Client-initiated Renegotiation:    VULNERABLE - Server honors client-initiated renegotiations
      Secure Renegotiation:              OK - Supported

  * OpenSSL CCS Injection:
                                         OK - Not vulnerable to OpenSSL CCS injection

  * TLSV1_1 Cipher Suites:
      Preferred:                       
        None - Server followed client cipher suite preference.                                                            
      Accepted:                        
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA                 DH-2048 bits   112 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_3DES_EDE_CBC_SHA                     -              112 bits      HTTP 200 OK                                                 

  * Resumption Rate:
      With Session IDs:                  OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
      With TLS Tickets:                  NOT SUPPORTED - TLS ticket not assigned.

  * TLSV1_2 Cipher Suites:
      Preferred:                       
        None - Server followed client cipher suite preference.                                                            
      Accepted:                        
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA                 DH-2048 bits   112 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_3DES_EDE_CBC_SHA                     -              112 bits      HTTP 200 OK                                                 

  * Downgrade Attacks:
      TLS_FALLBACK_SCSV:                 OK - Supported

  * TLSV1 Cipher Suites:
      Preferred:                       
        None - Server followed client cipher suite preference.                                                            
      Accepted:                        
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA                 DH-2048 bits   112 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_3DES_EDE_CBC_SHA                     -              112 bits      HTTP 200 OK                                                 

  * SSLV3 Cipher Suites:
      Server rejected all cipher suites.

Re: Soap https broken

francoisbnc — Tue, 04 Apr 2017 14:16:42 GMT

I do soap call via TLS so problem is not relayed to SSLv3, but weak cipher used in wfa server.

SCAN RESULTS FOR ITS-WFADEV.SWATCHGROUP.NET:443 - 10.140.16.45
 --------------------------------------------------------------

  * Deflate Compression:
                                         OK - Compression disabled

  * TLSV1_2 Cipher Suites:
      Preferred:                       
        None - Server followed client cipher suite preference.                                                            
      Accepted:                        
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA                 DH-2048 bits   112 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_3DES_EDE_CBC_SHA                     -              112 bits      HTTP 200 OK                                                 

  * SSLV2 Cipher Suites:
      Server rejected all cipher suites.

  * Session Renegotiation:
      Client-initiated Renegotiation:    VULNERABLE - Server honors client-initiated renegotiations
      Secure Renegotiation:              OK - Supported

  * OpenSSL CCS Injection:
                                         OK - Not vulnerable to OpenSSL CCS injection

  * Certificate Basic Information:
      SHA1 Fingerprint:                  3aba9c83639b784b0fefa41bc7efed51d8e01f14
      Common Name:                       GDC01249.swatchgroup.net
      Issuer:                            GDC01249.swatchgroup.net
      Serial Number:                     6556000F
      Not Before:                        Apr 18 14:32:11 2016 GMT
      Not After:                         Apr 18 14:32:11 2019 GMT
      Signature Algorithm:               sha256WithRSAEncryption
      Public Key Algorithm:              rsaEncryption
      Key Size:                          2048
      Exponent:                          65537 (0x10001)

  * Certificate - Trust:
      Hostname Validation:               FAILED - Certificate does NOT match its-wfadev.swatchgroup.net
      Microsoft CA Store (09/2016):      FAILED - Certificate is NOT Trusted: self signed certificate
      Apple CA Store (OS X 10.11.6):     FAILED - Certificate is NOT Trusted: self signed certificate
      AOSP CA Store (7.0.0 r1):          FAILED - Certificate is NOT Trusted: self signed certificate
      Java 7 CA Store (Update 79):       FAILED - Certificate is NOT Trusted: self signed certificate
      Mozilla CA Store (09/2016):        FAILED - Certificate is NOT Trusted: self signed certificate
      Received Chain:                    GDC01249.swatchgroup.net
      Verified Chain:                    ERROR - Could not build verified chain (certificate untrusted?)
      Received Chain Contains Anchor:    ERROR - Could not build verified chain (certificate untrusted?)
      Received Chain Order:              OK - Order is valid
      Verified Chain contains SHA1:      ERROR - Could not build verified chain (certificate untrusted?)

  * Certificate - OCSP Stapling:
                                         NOT SUPPORTED - Server did not send back an OCSP response.

  * TLSV1_1 Cipher Suites:
      Preferred:                       
        None - Server followed client cipher suite preference.                                                            
      Accepted:                        
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA                 DH-2048 bits   112 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_3DES_EDE_CBC_SHA                     -              112 bits      HTTP 200 OK                                                 

  * TLSV1 Cipher Suites:
      Preferred:                       
        None - Server followed client cipher suite preference.                                                            
      Accepted:                        
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA                 DH-2048 bits   112 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_3DES_EDE_CBC_SHA                     -              112 bits      HTTP 200 OK                                                 

  * Resumption Rate:
      With Session IDs:                  OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
      With TLS Tickets:                  NOT SUPPORTED - TLS ticket not assigned.

  * Downgrade Attacks:
      TLS_FALLBACK_SCSV:                 OK - Supported

  * SSLV3 Cipher Suites:
      Server rejected all cipher suites.

Server only accept

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

there are actually obsolete regarding Chrome security tab

Re: Soap https broken https

sinhaa — Tue, 04 Apr 2017 12:45:05 GMT

@francoisbnc

Very interesting. Now we need to look at it and update you, its not a regular issue.

Its is possible to give the code snip of your python code which you have been trying and the error is thrown.

sinhaa

Re: Soap https broken https

francoisbnc — Tue, 04 Apr 2017 12:59:38 GMT

i use zeep python module to handle SOAP requests, unfortunatly I can't run this with python3 in https, because of handshake failure at Client() init class.

here is a part of the code.

from requests import Session
from requests.auth import HTTPBasicAuth
from zeep import Client
from zeep.transports import Transport
import base64

WORKFLOW = 'ITS - SAP Refresh Test'

uname = 'user'
password = 'pass'

urlwsdl = 'https://its-wfadev.swatchgroup.net/wfa-ws/WorkflowService_rpc?wsdl'

session = Session()
session.auth = HTTPBasicAuth(uname, password)

client = Client(wsdl=urlwsdl, transport=Transport(session=session))
workflows = client.service.getAllWorkflows()

Re: Soap https broken https

ag — Tue, 04 Apr 2017 14:00:23 GMT

Can you try adding 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256' to enabled-cipher-suites attribute of the https-listeners property in urn:jboss:domain:undertow:1.2 subsystem configuration in the <WFA_install_location>\WFA\jboss\standalone\configuration\standalone-full.xml.

Re: Soap https broken https

ag — Tue, 04 Apr 2017 14:03:11 GMT

Don't forget to restart WFA service after making the changes

Re: Soap https broken https

francoisbnc — Tue, 04 Apr 2017 14:29:27 GMT

You rock, new cipher is now available.

  * TLSV1_2 Cipher Suites:
      Preferred:                       
        None - Server followed client cipher suite preference.                                                            
      Accepted:                        
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256             ECDH-570 bits  128 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_3DES_EDE_CBC_SHA                     -              112 bits      HTTP 200 OK                                                 
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA                 DH-2048 bits   112 bits      HTTP 200 OK

code is working well now.

Thanks!