Hi Everyone. I have an issue using Wiremock 2.35 on java 11. SSL in my application is FIPS compatible and configured in a specific way, and it fails like this:

java.lang.NullPointerException: No password supplied for PKCS#12 KeyStore.

	at org.bouncycastle.jcajce.provider.ProvPKCS12$PKCS12KeyStoreSpi.engineLoad(Unknown Source)
	at java.base/java.security.KeyStore.load(KeyStore.java:1479)
	at java.base/sun.security.ssl.TrustStoreManager$TrustAnchorManager.loadKeyStore(TrustStoreManager.java:365)
	at java.base/sun.security.ssl.TrustStoreManager$TrustAnchorManager.getTrustedCerts(TrustStoreManager.java:313)
	at java.base/sun.security.ssl.TrustStoreManager.getTrustedCerts(TrustStoreManager.java:55)
	at java.base/sun.security.ssl.TrustManagerFactoryImpl.engineInit(TrustManagerFactoryImpl.java:49)
	at java.base/javax.net.ssl.TrustManagerFactory.init(TrustManagerFactory.java:278)
	at com.github.tomakehurst.wiremock.http.ssl.SSLContextBuilder.loadTrustManagers(SSLContextBuilder.java:92)
	at com.github.tomakehurst.wiremock.http.ssl.SSLContextBuilder.loadDefaultTrustManagers(SSLContextBuilder.java:99)
	at com.github.tomakehurst.wiremock.http.ssl.SSLContextBuilder.loadTrustMaterial(SSLContextBuilder.java:82)
	at com.github.tomakehurst.wiremock.http.HttpClientFactory.buildAllowAnythingSSLContext(HttpClientFactory.java:222)
	at com.github.tomakehurst.wiremock.http.HttpClientFactory.buildSslContext(HttpClientFactory.java:154)
	at com.github.tomakehurst.wiremock.http.HttpClientFactory.createClient(HttpClientFactory.java:111)
	at com.github.tomakehurst.wiremock.http.ProxyResponseRenderer.<init>(ProxyResponseRenderer.java:82)
	at com.github.tomakehurst.wiremock.core.WireMockApp.buildStubRequestHandler(WireMockApp.java:181)
	at com.github.tomakehurst.wiremock.WireMockServer.<init>(WireMockServer.java:72)
	at com.github.tomakehurst.wiremock.junit5.WireMockExtension.startServerIfRequired(WireMockExtension.java:144)
	at com.github.tomakehurst.wiremock.junit5.WireMockExtension.beforeAll(WireMockExtension.java:206)
	at org.junit.jupiter.engine.descriptor.ClassBasedTestDescriptor.lambda$invokeBeforeAllCallbacks$12(ClassBasedTestDescriptor.java:395)
	at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
	at org.junit.jupiter.engine.descriptor.ClassBasedTestDescriptor.invokeBeforeAllCallbacks(ClassBasedTestDescriptor.java:395)
	at org.junit.jupiter.engine.descriptor.ClassBasedTestDescriptor.before(ClassBasedTestDescriptor.java:211)
	at org.junit.jupiter.engine.descriptor.ClassBasedTestDescriptor.before(ClassBasedTestDescriptor.java:84)
	at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$6(NodeTestTask.java:148)
	at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
	at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$8(NodeTestTask.java:141)
	at org.junit.platform.engine.support.hierarchical.Node.around(Node.java:137)
	at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$9(NodeTestTask.java:139)
	at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
	at org.junit.platform.engine.support.hierarchical.NodeTestTask.executeRecursively(NodeTestTask.java:138)
	at org.junit.platform.engine.support.hierarchical.NodeTestTask.execute(NodeTestTask.java:95)

I use wire mock in a basic (plain connection/no proxy) scenario, but because of application-wide SSL configuration, it fails: • Wiremock doesn’t pick up keystore or trust store types from the options - it uses default types. So it picks up the default pkcs12 store type, which is not fips compatible and fails. • And I cannot work it around by reconfiguring the SSL layer just to let Wiremock run. I tried different options but it seems the only way forward is to configure wiremock server in SSL mode - generate self-signed certs, etc. It feels redundant. Do you know if I can bypass the SSL setup completely? I use

httpsEnabled=false

and don’t need it in my scenarios. Thank you

Hi @Alexander Ashitkin it’s a known issue that WireMock doesn’t support SSL when on FIPS systems: https://github.com/wiremock/wiremock/issues/1962

Hi Tom, thanks for the prompt reply. Is bypassing the SSL to support plain connections on fips runtimes feasible?

I think, unfortunately, some of the SSL code loads regardless of whether you actually use it at the moment, so we’d need to make a small change to WireMock that allows it to continue to boot when this error occurs.