Certificate Functionality in Daemon mode


Eric Mickols

May 16, 2013, 10:20:15 AM
to zaproxy...@googlegroups.com
Hi all,
 
I posted a similar question to this in the User group a couple of days ago, but no one seemed to have an answer for me.
 
Is there any sort of functionality in ZAP to allow me to submit a certificate while in daemon mode?  I cannot find anything on the wiki explaining how to load a PK12 file in daemon mode, nor can I find a way to save a cert while trying to persist a session.  I am attempting to create automated security tests, but the sites I will be testing require certificate verification when loading each page.  As soon as I turn on ZAP's proxy, I get kicked from the system for no certificate.  Since I will be trying to run these automated tests in daemon mode, I cannot just re-set the cert manually either.
 
Do you guys have any suggestions as to how I might correctly submit a pkcs12 cert in daemon mode?
 
Thanks,
Eric

thc202

May 16, 2013, 2:44:48 PM
to zaproxy...@googlegroups.com
Hi.

No, it's not possible to set the cert while in daemon mode (also answered in the User group, in case others also have the same question).

As a workaround it might be possible to set it to the JVM (which will then be used by ZAP).

You can use the system properties [1] to set your key store:
-Djavax.net.ssl.keyStore=/path/to/keystore.p12 -Djavax.net.ssl.keyStoreType=pkcs12 -Djavax.net.ssl.keyStorePassword=keyStorePass


I didn't test the suggested workaround, so it might not work.

Let me know if you have any problems trying the workaround (if you're willing to try it).

[1] http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#Customization

Best regards.
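As an added example (not code from the thread or from the ZAP project), a small POSIX-shell wrapper that applies the workaround above for a headless start: it builds the three javax.net.ssl.* properties for a PKCS12 client certificate, checks the file and password before launching so a daemon never runs silently without its certificate, and then starts ZAP with -daemon. The launcher command (java -jar zap.jar from ZAP_HOME) is an assumption; adjust it to zap.sh or Zap.exe as appropriate.

```shell
#!/bin/sh
# Added example, not from the thread: hand a PKCS12 client certificate to ZAP's JVM
# via the javax.net.ssl.* system properties when ZAP is started headless (-daemon).
# Assumption: ZAP is launched as "java -jar zap.jar" from ZAP_HOME (default /opt/zaproxy).

# Build the JVM property list for a PKCS12 keystore.
# Fails fast if the file is missing: a daemon that starts without the cert only
# shows up later as the "no certificate" rejection from the target site.
keystore_jvm_opts() {
    ks="$1"; pw="$2"
    [ -f "$ks" ] || { echo "keystore not found: $ks" >&2; return 1; }
    printf -- '-Djavax.net.ssl.keyStore=%s -Djavax.net.ssl.keyStoreType=pkcs12 -Djavax.net.ssl.keyStorePassword=%s' "$ks" "$pw"
}

# Confirm the password actually opens the PKCS12 file before the daemon is launched.
# Uses openssl if present; returns success (check skipped) when it is not installed.
keystore_password_ok() {
    ks="$1"; pw="$2"
    command -v openssl >/dev/null 2>&1 || return 0
    openssl pkcs12 -in "$ks" -passin "pass:$pw" -noout >/dev/null 2>&1
}

# Start ZAP headless with the client certificate available to its JVM.
# Caveat: -D values are visible in the process list and in CI logs that echo the
# command line, so use a short-lived test certificate rather than a production one.
# Usage: start_zap_daemon /path/to/client.p12 'keyStorePass'
start_zap_daemon() {
    ks="$1"; pw="$2"
    opts="$(keystore_jvm_opts "$ks" "$pw")" || return 1
    keystore_password_ok "$ks" "$pw" || { echo "wrong password or unreadable PKCS12: $ks" >&2; return 1; }
    # shellcheck disable=SC2086  # $opts is meant to split into the separate -D arguments
    cd "${ZAP_HOME:-/opt/zaproxy}" && exec java $opts -jar zap.jar -daemon
}
```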

Eric Mickols

May 16, 2013, 3:46:39 PM
to zaproxy...@googlegroups.com
Thanks for the suggestion!
 
I have tried manually importing the certificate to the standard Java Keystore, and that does not work.  I'll be trying through the JVM settings via code later today.  I'll let you guys know what I find out.
 
Thanks,
Eric

psiinon

May 16, 2013, 7:28:37 PM
to zaproxy...@googlegroups.com
You can create a new root CA cert via the API, and I've recently added an option to read the cert as well.
I have limited access to the internet right now, but if you download the latest weekly release and browse the API then you should find the relevant commands.
The cert is stored in the config.xml file, so what we (at Mozilla) have done is to generate a cert via the UI, import it into Firefox (of course) and then save the config.xml file - we then copy this into the directory we use for running ZAP prior to each test.
We are also working on making it much easier to configure Firefox to use ZAP (and other similar tools). More details soon I hope.

Cheers,

Simon

Eric Mickols

May 21, 2013, 1:06:54 PM
to zaproxy...@googlegroups.com
Oh, to clarify a bit:  I am not talking about a root cert.  That works all right, I have it all imported. 
 
I am talking about submitting an end-user certificate to a web app that requires it as a part of their security validation when ZAP is in Daemon Mode.  Through the UI you would go to Tools -> Options -> Certificate -> Use Client Certificate and then add/set the pkcs12 cert.

Eric Mickols

May 30, 2013, 10:29:35 AM
to zaproxy...@googlegroups.com
So, I'm going to see if I can get some development time in on this over the next couple of days.  Is there a proper way to get a change like this started?  Should I submit an issue, and then begin work to resolve it?  I have gotten the source code, and I have identified where/how the certificate is otherwise set and loaded.  I am still working on tracking down where the args of the main program are actually all being interpreted, though.
 
My plan as it stands is to just add another few flags onto the executable args.  Allow a -CertificateFilePath and -CertificatePassword to be passed in when calling Zap.exe, so that it will automatically initialize with the PKCS12 cert and submit it for https requests when needed.
 
Would this be acceptable, or is there a better way to add cert functionality to daemon mode?
 
thanks,
Eric

psiinon

May 30, 2013, 10:40:38 AM
to zaproxy...@googlegroups.com
Quick reply as I have limited internet access right now :)
Yes, an 'enhancement request' issue is a good way to get started.
Setting the cert via the command line as you've proposed is good.
Would also be nice to set it via the API, but that would be more work.
You can attach your proposed code changes to either the bug or this thread.
We're trying to encourage more changes to be made as add-ons to keep the 'core' as stable as possible, but this may well be a case where these changes would be best made in the core.

Thanks for getting involved, and please let us know if you have any questions,

Simon