Zap Docker stuck on certificate creation


Javi D R

Aug 22, 2017, 12:07:16 PM
to OWASP ZAP User Group
Hi

I have downloaded the docker image for zap (docker pull owasp/zap2docker-stable) and started it in headless mode (docker run -u zap -p 8080:8080 -i owasp/zap2docker-stable zap.sh -daemon -host 0.0.0.0 -port 8080)

When it starts, it gets stuck in the cert generation

[ZAP-daemon] INFO org.zaproxy.zap.extension.dynssl.ExtensionDynSSL  - Creating new root CA certificate


Until it ends with code 130 - Exited (130)


Any idea what could be the problem?

Thanks

kingthorin+owaspzap

Aug 22, 2017, 3:35:45 PM
to OWASP ZAP User Group
How long until it exits?
Is it actually hung or can you access the API/Proxy?

Javi D R

Aug 22, 2017, 3:36:48 PM
to zaprox...@googlegroups.com
It takes 5 mins or so. It's hung, I can't access the API as it is not started


thc...@gmail.com

Aug 22, 2017, 4:11:32 PM
to zaprox...@googlegroups.com
Hi.

It's not the first time that we have reports of that, although we were
not able to reproduce or identify the cause of that yet.

You could obtain some thread dumps when the hang happens to know
what/where is hanging.

Start ZAP as usual, then create a shell in the container:
docker exec -it <container-id> bash

(replace <container-id> with the ID of the container running ZAP)

In the shell run:
kill -3 1

(The process ID of ZAP should be 1.)

That will create/output a thread dump in the same console/terminal where
ZAP was started.

It would be great if you could provide the output.

Thanks!
Best regards.

guth....@gmail.com

Aug 23, 2017, 3:50:30 AM
to OWASP ZAP User Group
Could this be a VM entropy problem? Maybe you are running docker on something that has bad entropy generation? At least VirtualBox used to have issues on creating keys when no input devices were available.

Javi D R

Aug 23, 2017, 4:12:18 AM
to OWASP ZAP User Group
Hi

See below

Thanks

Full thread dump OpenJDK 64-Bit Server VM (25.121-b13 mixed mode):

"ZAP-CallbackServer" #18 daemon prio=6 os_prio=0 tid=0x00007f8a9c245000 nid=0x48 runnable [0x00007f8aad2f5000]
   java.lang.Thread.State: RUNNABLE
        at java.net.PlainSocketImpl.socketAccept(Native Method)
        at java.net.AbstractPlainSocketImpl.accept(AbstractPlainSocketImpl.java:409)
        at java.net.ServerSocket.implAccept(ServerSocket.java:545)
        at java.net.ServerSocket.accept(ServerSocket.java:513)
        at org.parosproxy.paros.core.proxy.ProxyServer.run(Unknown Source)
        at java.lang.Thread.run(Thread.java:745)

"ZAP-PassiveScanner" #17 daemon prio=5 os_prio=0 tid=0x00007f8a9c735800 nid=0x47 waiting on condition [0x00007f8aad5f6000]
   java.lang.Thread.State: TIMED_WAITING (sleeping)
        at java.lang.Thread.sleep(Native Method)
        at org.zaproxy.zap.extension.pscan.PassiveScanThread.run(Unknown Source)

"Timer-0" #15 daemon prio=5 os_prio=0 tid=0x00007f8a9c6d8000 nid=0x46 in Object.wait() [0x00007f8aad9bc000]
   java.lang.Thread.State: TIMED_WAITING (on object monitor)
        at java.lang.Object.wait(Native Method)
        - waiting on <0x00000000df1f6bf8> (a java.util.TaskQueue)
        at java.util.TimerThread.mainLoop(Timer.java:552)
        - locked <0x00000000df1f6bf8> (a java.util.TaskQueue)
        at java.util.TimerThread.run(Timer.java:505)

"ZAP-DownloadManager" #13 daemon prio=5 os_prio=0 tid=0x00007f8a9c0ad000 nid=0x45 waiting on condition [0x00007f8aae605000]
   java.lang.Thread.State: TIMED_WAITING (sleeping)
        at java.lang.Thread.sleep(Native Method)
        at org.zaproxy.zap.extension.autoupdate.DownloadManager.run(Unknown Source)

"DestroyJavaVM" #11 prio=5 os_prio=0 tid=0x00007f8af4009800 nid=0x34 waiting on condition [0x0000000000000000]
   java.lang.Thread.State: RUNNABLE

"ZAP-daemon" #10 prio=5 os_prio=0 tid=0x00007f8af4876000 nid=0x43 runnable [0x00007f8aaeedf000]
   java.lang.Thread.State: RUNNABLE
        at java.io.FileInputStream.readBytes(Native Method)
        at java.io.FileInputStream.read(FileInputStream.java:255)
        at sun.security.provider.SeedGenerator$URLSeedGenerator.getSeedBytes(SeedGenerator.java:539)
        at sun.security.provider.SeedGenerator.generateSeed(SeedGenerator.java:144)
        at sun.security.provider.SecureRandom$SeederHolder.<clinit>(SecureRandom.java:203)
        at sun.security.provider.SecureRandom.engineNextBytes(SecureRandom.java:221)
        - locked <0x00000000dafb86b8> (a sun.security.provider.SecureRandom)
        at java.security.SecureRandom.nextBytes(SecureRandom.java:468)
        at java.math.BigInteger.randomBits(BigInteger.java:634)
        at java.math.BigInteger.<init>(BigInteger.java:623)
        at java.math.BigInteger.largePrime(BigInteger.java:755)
        at java.math.BigInteger.probablePrime(BigInteger.java:699)
        at sun.security.rsa.RSAKeyPairGenerator.generateKeyPair(RSAKeyPairGenerator.java:129)
        at java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:703)
        at java.security.KeyPairGenerator.genKeyPair(KeyPairGenerator.java:470)
        at org.zaproxy.zap.extension.dynssl.SslCertificateUtils.createRootCA(Unknown Source)
        at org.zaproxy.zap.extension.dynssl.ExtensionDynSSL.createNewRootCa(Unknown Source)
        at org.zaproxy.zap.extension.dynssl.ExtensionDynSSL.start(Unknown Source)
        at org.parosproxy.paros.extension.ExtensionLoader.startAllExtension(Unknown Source)
        at org.parosproxy.paros.extension.ExtensionLoader.startLifeCycle(Unknown Source)
        at org.parosproxy.paros.control.AbstractControl.loadExtension(Unknown Source)
        at org.parosproxy.paros.control.Control.init(Unknown Source)
        at org.parosproxy.paros.control.Control.initSingletonWithoutViewAndProxy(Unknown Source)
        at org.zaproxy.zap.HeadlessBootstrap.initControl(Unknown Source)
        at org.zaproxy.zap.DaemonBootstrap$1.run(Unknown Source)
        at java.lang.Thread.run(Thread.java:745)

"HSQLDB Timer @7e0e6aa2" #9 daemon prio=5 os_prio=0 tid=0x00007f8af480a800 nid=0x42 in Object.wait() [0x00007f8aaf243000]
   java.lang.Thread.State: TIMED_WAITING (on object monitor)
        at java.lang.Object.wait(Native Method)
        at org.hsqldb.lib.HsqlTimer$TaskQueue.park(Unknown Source)
        - locked <0x00000000861e49b0> (a org.hsqldb.lib.HsqlTimer$TaskQueue)
        at org.hsqldb.lib.HsqlTimer.nextTask(Unknown Source)
        - locked <0x00000000861e49b0> (a org.hsqldb.lib.HsqlTimer$TaskQueue)
        at org.hsqldb.lib.HsqlTimer$TaskRunner.run(Unknown Source)
        at java.lang.Thread.run(Thread.java:745)

"Service Thread" #8 daemon prio=9 os_prio=0 tid=0x00007f8af4187000 nid=0x40 runnable [0x0000000000000000]
   java.lang.Thread.State: RUNNABLE

"C1 CompilerThread2" #7 daemon prio=9 os_prio=0 tid=0x00007f8af4178000 nid=0x3f waiting on condition [0x0000000000000000]
   java.lang.Thread.State: RUNNABLE

"C2 CompilerThread1" #6 daemon prio=9 os_prio=0 tid=0x00007f8af4176000 nid=0x3e waiting on condition [0x0000000000000000]
   java.lang.Thread.State: RUNNABLE

"C2 CompilerThread0" #5 daemon prio=9 os_prio=0 tid=0x00007f8af4173000 nid=0x3d waiting on condition [0x0000000000000000]
   java.lang.Thread.State: RUNNABLE

"Signal Dispatcher" #4 daemon prio=9 os_prio=0 tid=0x00007f8af4171000 nid=0x3c waiting on condition [0x0000000000000000]
   java.lang.Thread.State: RUNNABLE

"Finalizer" #3 daemon prio=8 os_prio=0 tid=0x00007f8af414a800 nid=0x3b in Object.wait() [0x00007f8ae49f8000]
   java.lang.Thread.State: WAITING (on object monitor)
        at java.lang.Object.wait(Native Method)
        - waiting on <0x00000000862789e8> (a java.lang.ref.ReferenceQueue$Lock)
        at java.lang.ref.ReferenceQueue.remove(ReferenceQueue.java:143)
        - locked <0x00000000862789e8> (a java.lang.ref.ReferenceQueue$Lock)
        at java.lang.ref.ReferenceQueue.remove(ReferenceQueue.java:164)
        at java.lang.ref.Finalizer$FinalizerThread.run(Finalizer.java:209)

"Reference Handler" #2 daemon prio=10 os_prio=0 tid=0x00007f8af4146000 nid=0x3a in Object.wait() [0x00007f8ae4af9000]
   java.lang.Thread.State: WAITING (on object monitor)
        at java.lang.Object.wait(Native Method)
        - waiting on <0x00000000861c89e8> (a java.lang.ref.Reference$Lock)
        at java.lang.Object.wait(Object.java:502)
        at java.lang.ref.Reference.tryHandlePending(Reference.java:191)
        - locked <0x00000000861c89e8> (a java.lang.ref.Reference$Lock)
        at java.lang.ref.Reference$ReferenceHandler.run(Reference.java:153)

"VM Thread" os_prio=0 tid=0x00007f8af413e800 nid=0x39 runnable

"GC task thread#0 (ParallelGC)" os_prio=0 tid=0x00007f8af401f000 nid=0x35 runnable

"GC task thread#1 (ParallelGC)" os_prio=0 tid=0x00007f8af4020800 nid=0x36 runnable

"GC task thread#2 (ParallelGC)" os_prio=0 tid=0x00007f8af4022800 nid=0x37 runnable

"GC task thread#3 (ParallelGC)" os_prio=0 tid=0x00007f8af4024000 nid=0x38 runnable

"VM Periodic Task Thread" os_prio=0 tid=0x00007f8af4189800 nid=0x41 waiting on condition

JNI global references: 1614

Heap
 PSYoungGen      total 132096K, used 68343K [0x00000000d7400000, 0x00000000e6880000, 0x0000000100000000)
  eden space 126976K, 50% used [0x00000000d7400000,0x00000000db20e250,0x00000000df000000)
  from space 5120K, 93% used [0x00000000df000000,0x00000000df4afa48,0x00000000df500000)
  to   space 11776K, 0% used [0x00000000e5d00000,0x00000000e5d00000,0x00000000e6880000)
 ParOldGen       total 51200K, used 11788K [0x0000000085c00000, 0x0000000088e00000, 0x00000000d7400000)
  object space 51200K, 23% used [0x0000000085c00000,0x0000000086783188,0x0000000088e00000)
 Metaspace       used 32260K, capacity 33852K, committed 34176K, reserved 1079296K
  class space    used 4362K, capacity 4899K, committed 4992K, reserved 1048576K

guth....@gmail.com

Aug 23, 2017, 10:00:34 AM
to OWASP ZAP User Group
This really looks like the JVM is getting stuck on reading bytes from the entropy device (usually /dev/random). Haveged is a solution worth trying, as it should be able to harvest or magically create entropy on Linux. Note that this might lower the security of your TLS connections from ZAP. https://wiki.archlinux.org/index.php/Haveged
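
Added example, not part of any post in this thread: a shell helper that names the threads in a JVM thread dump whose stack sits in `sun.security.provider.SeedGenerator`, as "ZAP-daemon" does in the dump above, plus a check of the kernel entropy counter. The function names, the 256-bit threshold and the trimmed sample dump are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): triage for a JVM stuck seeding SecureRandom.

# Print the name of each thread in a HotSpot thread dump (files in "$@", or
# stdin) whose stack contains a sun.security.provider.SeedGenerator frame.
seed_blocked_threads() {
    awk '
        /^"/    { split($0, q, "\""); name = q[2]; seen = 0; next }  # thread header
        NF == 0 { name = ""; next }                                   # end of stack
        /at sun\.security\.provider\.SeedGenerator/ && name != "" && !seen {
            print name; seen = 1
        }
    ' "$@"
}

# Exit 0 when the entropy counter in file $1 is below $2 bits. Both defaults
# are assumptions: the Linux procfs path and a threshold of 256 bits.
entropy_low() {
    avail=$(cat "${1:-/proc/sys/kernel/random/entropy_avail}" 2>/dev/null) || return 2
    [ "$avail" -lt "${2:-256}" ]
}

# Constructed sample: two threads trimmed from the dump posted above.
sample_dump() {
    cat <<'EOF'
"ZAP-PassiveScanner" #17 daemon prio=5 os_prio=0 tid=0x00007f8a9c735800 nid=0x47 waiting on condition [0x00007f8aad5f6000]
   java.lang.Thread.State: TIMED_WAITING (sleeping)
        at java.lang.Thread.sleep(Native Method)

"ZAP-daemon" #10 prio=5 os_prio=0 tid=0x00007f8af4876000 nid=0x43 runnable [0x00007f8aaeedf000]
   java.lang.Thread.State: RUNNABLE
        at java.io.FileInputStream.readBytes(Native Method)
        at sun.security.provider.SeedGenerator$URLSeedGenerator.getSeedBytes(SeedGenerator.java:539)
        at sun.security.provider.SeedGenerator.generateSeed(SeedGenerator.java:144)
        at java.security.SecureRandom.nextBytes(SecureRandom.java:468)
EOF
}

sample_dump | seed_blocked_threads
if entropy_low; then echo "kernel entropy counter is low"; fi
```

To use it on a real hang, save the console output produced by `kill -3 1` to a file and pass that file to `seed_blocked_threads`.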

Javi D R

Aug 25, 2017, 6:45:43 AM
to OWASP ZAP User Group
Thanks

Is there any other solution that could not compromise the security?

Thanks

Matt Seil

Aug 25, 2017, 8:54:36 AM
to OWASP ZAP User Group

https://docs.oracle.com/cd/E13209_01/wlcp/wlss30/configwlss/jvmrand.html


Javi D R

Sep 1, 2017, 9:20:24 AM
to OWASP ZAP User Group
Hi

Sorry, I didn't check this before. Yes, it solves the issue

Simon, should a new docker version be released with this fix?

Thanks

Simon Bennetts

Sep 4, 2017, 7:07:38 AM
to OWASP ZAP User Group
Sounds like a good idea to me.
I've raised an issue for this: https://github.com/zaproxy/zaproxy/issues/3864