Issue 704: ZAP Error: handshake alert: unrecognized_name


psiinon

Jun 27, 2013, 4:18:21 AM
to zaproxy...@googlegroups.com
Someone's just reported an issue where ZAP fails to connect to certain websites using SSL (Issue 704) - not sure if I can give an example yet ;)
The fix appears to be simple - just setting a JVM argument:

-Djsse.enableSNIExtension=false

Anyone think of a reason not to do this fix in the code?

Cheers,

Simon

Stephen de Vries

Jun 27, 2013, 4:24:27 AM
to zaproxy...@googlegroups.com
Sounds like it would break some modern sites, while allowing scanning on legacy TLS sites (if I've understood the docs right):

"* jsse.enableSNIExtension system property. Server Name Indication (SNI) is a TLS extension, defined in RFC 4366. It enables TLS connections to virtual servers, in which multiple servers for different network names are hosted at a single underlying network address.
Some very old SSL/TLS vendors may not be able to handle SSL/TLS extensions. In this case, set this property to false to disable the SNI extension."

So IMO, better to leave it true by default and have the user set the JVM argument to false for legacy sites that don't play well.


http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html
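The trade-off Stephen describes (a JVM-wide switch that helps legacy servers but hurts modern virtual-hosted ones) can be avoided by deciding per connection. The following is an added example, not ZAP's code or anything posted in this thread: it assumes Java 8 or later (SNIHostName and SSLParameters.setServerNames), tries the handshake with SNI, and only when the server answers with the unrecognized_name alert retries with the extension suppressed for that one socket.

```java
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.util.Collections;
import java.util.List;

// Added example (assumes Java 8+); not part of ZAP or of this thread.
public class SniProbe {
    enum Outcome { OK, UNRECOGNIZED_NAME, OTHER_TLS_FAILURE }

    // Runs one TLS handshake against host:port, with or without the SNI extension.
    static Outcome handshake(String host, int port, boolean sendSni) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket sock = (SSLSocket) factory.createSocket()) {
            sock.connect(new InetSocketAddress(host, port), 10_000);
            SSLParameters params = sock.getSSLParameters();
            // An empty server-name list suppresses SNI for this socket only,
            // unlike -Djsse.enableSNIExtension=false, which affects the whole JVM.
            List<SNIServerName> names = sendSni
                    ? Collections.<SNIServerName>singletonList(new SNIHostName(host))
                    : Collections.<SNIServerName>emptyList();
            params.setServerNames(names);
            sock.setSSLParameters(params);
            sock.startHandshake();
            return Outcome.OK;
        } catch (SSLException e) {
            String msg = String.valueOf(e.getMessage());
            return msg.contains("unrecognized_name") ? Outcome.UNRECOGNIZED_NAME
                                                     : Outcome.OTHER_TLS_FAILURE;
        }
    }

    public static void main(String[] args) throws IOException {
        String host = args.length > 0 ? args[0] : "example.invalid"; // placeholder host
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        Outcome withSni = handshake(host, port, true);
        System.out.println("with SNI: " + withSni);
        if (withSni == Outcome.UNRECOGNIZED_NAME) {
            // The server rejected the name it was offered: the legacy-SNI symptom from Issue 704.
            System.out.println("without SNI: " + handshake(host, port, false));
        }
    }
}
```

Newer JDKs are more tolerant of the warning-level unrecognized_name alert than the 2013-era client was, so the probe may report OK against a server that ZAP of that time could not reach.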

psiinon

Jun 27, 2013, 4:31:41 AM
to zaproxy...@googlegroups.com
Good spot :)

In that case keeping the code as is and just putting this in a FAQ looks like the best option.

Cheers,

Simon