SSL handshake failure

662 views
Skip to first unread message

ZAP user

unread,
May 6, 2016, 1:53:11 AM5/6/16
to OWASP ZAP Developer Group
Hi All,
I'm using ZAP Api to initiate scan. I'm adding the url's to Sites tree using accessUrl() method.
and then calling ascan.scan() to initiate scan. This works fine for HTTP urls. When I try to add HTTPS url which has self signed certificate , it throws "pkix path building failed sun.security.provider.certpath.suncertpathbuilderexception". The same works fine with ZAP UI tool.

Thanks.

thc...@gmail.com

unread,
May 6, 2016, 4:33:47 AM5/6/16
to zaproxy...@googlegroups.com
Hi.

That's because ZAP's Root CA certificate is not trusted.

Following some steps to trust it:

1) Create a keystore with ZAP's cert:
keytool -keystore /path/to/zapkeystore -importcert -alias owaspzap -file
owasp_zap_root_ca.cer

(ZAP's cert can be obtained with a call to the API
http://zap/OTHER/core/other/rootcert/ [1] or saved using the GUI [2])

2) Run the API client with the keystore created previously with the
following command line arguments:
-Djavax.net.ssl.trustStore=/path/to/zapkeystore
-Djavax.net.ssl.trustStorePassword=changeit


For more information about keytool:
https://docs.oracle.com/javase/8/docs/technotes/tools/


[1] https://github.com/zaproxy/zaproxy/wiki/ApiGen_core
[2]
https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsOptionsDynsslcert#saveexport

Best regards.
> --
> You received this message because you are subscribed to the Google
> Groups "OWASP ZAP Developer Group" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to zaproxy-devel...@googlegroups.com
> <mailto:zaproxy-devel...@googlegroups.com>.
> For more options, visit https://groups.google.com/d/optout.

ZAP user

unread,
May 6, 2016, 12:13:33 PM5/6/16
to OWASP ZAP Developer Group
Below approach is not seemed to be working. I'm still getting same error.

ZAP user

unread,
May 6, 2016, 12:34:31 PM5/6/16
to OWASP ZAP Developer Group
This time I'm getting error as - 

 java.security.cert.CertPathValidatorException: signature check failed

thc...@gmail.com

unread,
May 6, 2016, 12:44:27 PM5/6/16
to zaproxy...@googlegroups.com
That error can happen if ZAP is using other root CA cert.
Are you sure ZAP is still using the same?
(ZAP generates a new root CA cert if using a new "home" dir.)

Best regards.
> > <mailto:zaproxy-devel...@googlegroups.com>.
> > For more options, visit https://groups.google.com/d/optout
> <https://groups.google.com/d/optout>.
>
> --
> You received this message because you are subscribed to the Google
> Groups "OWASP ZAP Developer Group" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to zaproxy-devel...@googlegroups.com
> <mailto:zaproxy-devel...@googlegroups.com>.

ZAP user

unread,
May 6, 2016, 12:57:56 PM5/6/16
to OWASP ZAP Developer Group
I tried importing the same certificate from ZAP tool to key store and tried calling api. Still gives the same below error,

org.zaproxy.clientapi.core.ClientApiException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed

at org.zaproxy.clientapi.core.ClientApi.accessUrlViaProxy(ClientApi.java:268)

at org.zaproxy.clientapi.core.ClientApi.accessUrl(ClientApi.java:111)

at org.zaproxy.clientapi.core.SimpleExample.main(SimpleExample.java:93)

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed

at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)

at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)

at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)

at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)

at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)

at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)

at sun.security.ssl.Handshaker.processLoop(Handshaker.java:901)

at sun.security.ssl.Handshaker.process_record(Handshaker.java:837)

at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)

at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)

at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)

at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)

at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)

at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)

at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)

at org.zaproxy.clientapi.core.ClientApi.accessUrlViaProxy(ClientApi.java:247)

... 2 more

Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed

at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:350)

at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:260)

at sun.security.validator.Validator.validate(Validator.java:260)

at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)

at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)

at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)

at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)

... 13 more

Caused by: java.security.cert.CertPathValidatorException: signature check failed

at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:159)

at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:347)

at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:191)

at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)

at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:345)

... 19 more

Caused by: java.security.SignatureException: Signature does not match.

at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:451)

at sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.java:160)

at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:139)

at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:133)

... 23 more 
>         > For more options, visit https://groups.google.com/d/optout
>         <https://groups.google.com/d/optout>.
>
> --
> You received this message because you are subscribed to the Google
> Groups "OWASP ZAP Developer Group" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to zaproxy-devel...@googlegroups.com
Reply all
Reply to author
Forward
0 new messages