Enable HTTPS in APISimulator

[asfor94]

I am trying to enable https connection on the APISimulator but with no luck, I had create new keystore and configure it in the tls section on the apisim.yaml file for under simulator: http but when I call the Simulation of the API I had developed using Postman API caller I'm getting error as below: "Error: write EPROTO 3578294616:error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE:../../third_party/boringssl/src/ssl/tls_record.cc:592:SSL alert number 40 3578294616:error:1000009a:SSL routines:OPENSSL_internal:HANDSHAKE_FAILURE_ON_CLIENT_HELLO:../../third_party/boringssl/src/ssl/handshake.cc:596"

can you help?

[apisim]

Hi @asfor94

Does this error appear in Postman? You may have come across this Postman Issue, which is still open. It looks like people have been getting TLS/SSL-related errors with various servers very simiar to the error you are getting.

To help us look into the issue on the API Simulator side, could you share some info and try a few things:?

• What's the API Simulator version and Java version? These would be also in the log file - see below.

• What's the version of Postman and on what OS?

• Is it possible to share with us the API Simulator's log? You can find the apisimulator.log and apisimulator.out files in the simulation directory (where apisim.yaml is) or in a subdirectory of it called logs, if it exists.

• If the simulation has a simlet that matches GET requests, could you try to access its URL with a browser using https? Does it succeed? If not, let us know what's the error, browser and browser version, and if the simulator was running on localhost; it will be very helpful if you can share API Simulator's log. Notice that the browser will probably give you a warning if the cert is self-signed; just accept the warning to continue.

Feel free to reach out to us at help@apisimulator.io instead of posting the info here. Remove/redact any sensitive data from the logs.

[apisim]

Hi @asfor94

While looking into this, we came across the announcement that Postman will deprecate TLS 1.0 and TLS 1.1 starting March 2020, and this post on how to enable TLS v1.2.

Could you try to enable TLS v1.2 per that post using a "newer" version of Postman? Let us know how it goes.

[asfor94]

Hello @apisim The I had figure the issue it was related to the KeyStore file it was generated with some errors once it was generated properly it had worked properly. But I had some other issue when I had try to locate the jks file it should be located under the simlet folder and the configuration should be like this in the apisim.yaml file _keyStore: keyStoreFile: "${sim.path}/newkeystore.jks"

but if I want to change the location and locate the jks file in different path like below: _keyStore: keyStoreFile: '"C:\apisimulator\apisimulator-http-1.9\certificate\simkeystore.jks"' below error is appear apisimulator-out.log

[apisim]

Glad to hear, @asfor94, that you've figured out the original problem!

When it comes to the parsing issue, it is because of how \ is interpreted inside double-quoted strings - it is used to start an escape sequence in YAML. As of now, the API Simulator DSL is based on a small subset of YAML - key/value pairs, maps, and lists (sequences) - plus a custom extension to make it easier to work with multi-line strings without requiring indentation.

The example in the post above uses double-quoted string surrounded by additional single quotes. Perhaps that was in an attempt to fix the issues?

I would suggest to use either single quotes:

keyStoreFile: 'C:\apisimulator\apisimulator-http-1.9\certificate\sim_keystore.jks'

...or convert \ to / and then either single or double quotes should work just fine:

keyStoreFile: "C:/apisimulator/apisimulator-http-1.9/certificate/sim_keystore.jks"

Thank you for reporting the parsing problem! We will update the docs accordingly.

Happy API Simulating!

[asfor94]

Dear @apisim , Appreciate you response 👍 I will check your solution and try again and will feed you back Thanks.

I had faced another issue when it comes to HTTPS connection as below: 1- I had created new KeyStore and pass it in the config file as it mentioned. 2- I had right the URL "https://127.0.0.1:6090" in the browser it it had give me to trust the site and I had accept the risk and so on. 3- The browser show that the certificate is not trusted as it is self sign certificate :P 4- I had a client that call the APISimulator using https connection and in my client it should use the pem file for the connection and I had extarct the pem file from the KeyStore and I had make my client use it but when I had start the client it give me handshake_failure error.

so is this error related to how I had created the keystore and the pem file or is there any configuration should be done in the APISimulator?

[apisim]

Hi @asfor94

We would need a bit more details to try to troubleshoot this "...handshake_failure error". The full output on the client side, and if any on the server side, may help.

What happened when the browser was used to access https://127.0.0.1:6090 and after "accepting the risk"? Could you open Developers Tools, go the Network tab, access https://127.0.0.1:6090, and "accept the risk": what is the response from API Simulator shown under the Network tab? E.g. status 404, something else?

A few things to check:

• If the keyStore is protected by a password then configure that password in the tls.keyStore.keyStorePassword field.
• If the key in the keyStore is protected by a password, make sure to configure the key password in the tls.keyStore.keyPassword field.

if I understand correctly, there's a certificate in PEM format that is in the KeyStore and that cert was extracted from the KeyStore; the client was then configured to use that cert.

• What kind of client is that? E.g. Postman, curl, a program in Java or other language?
• Is there are way, as a test, to tell the client to trust all certs? For example, with curl that could be accomplished by passing in the short -k or the longer --insecure option. Is such test successful? Actually, I hope you can run the following curl command:

  curl -vk https://127.0.0.1:6090

  ...and provide the output (in an email will work, too).

• What cert is the one in PEM format and extracted from the KeyStore - the self-signed cert that the server (API Simulator here) presents to clients?
• About the self-signed cert that was added to the KeyStore along with the private key: when that cert was created, was it signed by a (local) certificate authority (CA)?

What I am trying to get to is to determine if the cert the client was configured to use is the cert of the certificate authority that signed the cert for API Simulator server (aka CA cert). Makes sense?

[asfor94]

Hi @apisim regarding your comments above find below:

What happened when the browser was used to access https://127.0.0.1:6090 and after "accepting the risk"? Could you open Developers Tools, go the Network tab, access https://127.0.0.1:6090, and "accept the risk": what is the response from API Simulator shown under the Network tab? E.g. status 404, something else?

The answer is: nothing happened the response was 404

A few things to check:

If the keyStore is protected by a password then configure that password in the tls.keyStore.keyStorePassword field.
If the key in the keyStore is protected by a password, make sure to configure the key password in the tls.keyStore.keyPassword field.

The answer is: yes it configured well

if I understand correctly, there's a certificate in PEM format that is in the KeyStore and that cert was extracted from the KeyStore; the client was then configured to use that cert.

The answer is: yes it should be used by the client to start the HTTPS connection

What kind of client is that? E.g. Postman, curl, a program in Java or other language?

The answer is: _Am using Java application that call the APISimulator using HTTPS connection and send a POST request to grap some data

the output of the curl command

The answer is: find attached file curl output.txt

What cert is the one in PEM format and extracted from the KeyStore - the self-signed cert that the server (API Simulator here) presents to clients?

The answer is: I had just open the keystore by using one of the tools and export the PEM file and place it in my code to read it when it start the connection between the client and the server

About the self-signed cert that was added to the KeyStore along with the private key: when that cert was created, was it signed by a (local) certificate authority (CA)?

The answer is: I didn't add self-sign cert to the key store I had just create a new keystore using the KeyStore Explorer Tool and it was not signed by CA

We would need a bit more details to try to troubleshoot this "...handshake_failure error". The full output on the client side, and if any on the server side, may help.

The answer is: _There was nothing in the APISimulator logs and the only log in my code was the "...handshakefailure error"

[apisim]

Hi @asfor94 ,

Thank you for sharing the output from running curl - it helps! It tells us that curl successfully established a TLS connection with API Simulator:

...
* schannel: SSL/TLS handshake complete
* schannel: SSL/TLS connection with 127.0.0.1 port 6090 (step 3/3)

The response from API Simulator to curl is a 404 (Not Found) and the default "API Simulator couldn't find a matching simlet for the request" body because there isn't a simlet in the simulation that matched the request. Because of that, the test with the browser also returned 404 after successfully connecting over TLS.

The log doesn't contain the usual output from the -v (verbose) option about the server cert - perhaps the output was redacted? So, we'll assume below that the cert API Simulator presented was the one from the custom Java KeyStore configured in apisim.yaml for the simulation.

You mention that the client is a Java application. I don't know what HTTP client the application uses... The following usually works to have a Java applicaiton trust the self-signed cert API Simulator presents from the Java KeyStore:

• Take the custom JKS file API Simulator is configured with and place it in a location where the Java client can access it.
• Pass to the Java client javax.net.ssl.trustStore argument pointing to the JKS file. For example:

  java -Djavax.net.ssl.trustStore="<path-to-the-jks-file>" ...<potentially-other-arguments>... <client-app-name-here>

If API Simulator is running on the same host as the client, I'll suggest you use https://localhost:6090 and not https://127.0.0.1:6090, and to add localhost as a SAN (Subject Alternative Name) in the self-signed cert.

Just in case - here's a document on JSSE, including configuring KeyStores and TrustStores.

[apisim]

Hi @asfor94,

I hope the last post helped in configuring the Java client to trust the self-signed cert.