ZAP Error: Connection Reset


Malcolm Joyce

Dec 9, 2013, 12:14:15 PM
to zaproxy...@googlegroups.com
Hi,

I was wondering if anyone has the same issue as this:

I can connect to a website with no issues but when I try via proxy I get the error "ZAP Error: Connection reset"
This only happens on secure sites, for example https://uat.r2tec.com/r2webposuat/servlet/hindex

I am trying to scan several sites and get this error on some of them only. All the sites are owned by the same company.

Also, this happens on whichever browser I try. I have tried Chrome, Firefox, IE and Ultra Simple Web Browser.

Any ideas?

Kindest regards
Malcolm

Kevin W. Wall

Dec 9, 2013, 1:31:42 PM
to zaproxy...@googlegroups.com

Malcolm,

Any of these sites require client-side SSL certificates? Because that's not going to work for sure.

-kevin
Sent from my Droid; please excuse typos.


Malcolm Joyce

Dec 10, 2013, 8:30:04 AM
to zaproxy...@googlegroups.com
Hi Kevin,

Thanks for the prompt reply.

Unfortunately, they don't use client side SSL.

Any other ideas?

Kindest regards
Malcolm

Kevin W. Wall

Dec 10, 2013, 11:18:01 AM
to zaproxy...@googlegroups.com

Malcolm,

The only other thing that I'm aware of that would consistently cause https connections to fail would be if you have something in your browser that is doing certificate pinning, such as a browser plug-in. (I also think that Google's Chromium browser does certificate pinning as a default, at least for some sites.)

Is there anything relevant in the ZAP logs?

-kevin
Sent from my Droid; please excuse typos.

thc202

Jan 7, 2014, 11:01:37 PM
to zaproxy...@googlegroups.com
Hi.

It seems that the server doesn't like how ZAP (more precisely the JSSE implementation) is doing the SSL handshake (when starting with TLSv1).

Following are the exchanged SSL messages (captured with Wireshark) when connecting with Firefox:
               Firefox                             Server
1. (TLSv1) Client Hello           --------->
2.                                             (SSLv3) Server Hello,
                                  <---------   Certificate, Server Hello Done
3. (SSLv3) Client Key Exchange,
   Change Cipher Spec,
   Encrypted Handshake Message    --------->
4.                                             Change Cipher Spec,
                                  <---------   Encrypted Handshake Message
5. Application Data               --------->
[...]


And with ZAP:
               ZAP                                 Server
1. (TLSv1) Client Hello           --------->
2.                                             (SSLv3) Server Hello,
                                  <---------   Certificate, Server Hello Done
3. (SSLv3) Client Key Exchange    --------->
4. Change Cipher Spec             --------->
5. Encrypted Handshake Message    --------->
6. Server rst connection.



Might be a bug in the server side? From the rfc6101 [1] it doesn't seem that the client must send the handshake (and cipher) messages in only one SSL message.

If ZAP starts with SSLv3 it works fine.
I've created an issue [2] to allow setting the enabled SSL/TLS protocols so this issue can be worked around by deselecting TLSv1.


[1] https://tools.ietf.org/html/rfc6101
[2] https://code.google.com/p/zaproxy/issues/detail?id=968

Best regards.
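
The comparison in the message above can be checked mechanically. This is an added example, not part of the original thread or of ZAP: a small SSL/TLS record-layer parser that lists the records in the client's second flight and how many TCP segments carried them. It assumes the difference Wireshark shows is only how the records are split across segments; the sample bytes and all names (`parse_records`, `summarize`, `rec`, `FIREFOX_FLIGHT`, `ZAP_FLIGHT`) are constructed for illustration.

```python
import struct

CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSION = {(3, 0): "SSLv3", (3, 1): "TLSv1"}
HANDSHAKE = {1: "client_hello", 2: "server_hello", 11: "certificate",
             14: "server_hello_done", 16: "client_key_exchange"}

def parse_records(stream):
    """Return [(record version, message name)] for a reassembled one-direction stream."""
    out, pos, after_ccs = [], 0, False
    while pos < len(stream):
        if len(stream) - pos < 5:
            raise ValueError("truncated record header")
        # Record header: content type (1 byte), version (2 bytes), length (2 bytes).
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, pos)
        body = stream[pos + 5:pos + 5 + length]
        if len(body) < length:
            raise ValueError("truncated record body")
        name = CONTENT.get(ctype, "unknown(%d)" % ctype)
        if ctype == 22 and after_ccs:
            name = "encrypted_handshake"      # body is ciphertext after ChangeCipherSpec
        elif ctype == 22 and body:
            name = HANDSHAKE.get(body[0], "handshake(%d)" % body[0])
        if ctype == 20:
            after_ccs = True
        out.append((VERSION.get((major, minor), "%d.%d" % (major, minor)), name))
        pos += 5 + length
    return out

def summarize(segments):
    """Parse the joined segments (a record may span segments) and count the segments."""
    return {"segments": len(segments), "records": parse_records(b"".join(segments))}

def rec(ctype, body):
    # Build one SSLv3 (3.0) record; used only for the constructed sample data.
    return struct.pack("!BBBH", ctype, 3, 0, len(body)) + body

# Constructed sample bytes (not taken from the capture in the thread).
CKE = rec(22, b"\x10\x00\x00\x04" + b"\x00" * 4)   # handshake type 16, dummy body
CCS = rec(20, b"\x01")
FIN = rec(22, b"\xaa" * 40)                        # stands in for ciphertext
FIREFOX_FLIGHT = [CKE + CCS + FIN]                 # all records in one segment
ZAP_FLIGHT = [CKE, CCS, FIN]                       # one record per segment

if __name__ == "__main__":
    for label, flight in (("Firefox", FIREFOX_FLIGHT), ("ZAP", ZAP_FLIGHT)):
        print(label, summarize(flight))
```

Both flights parse to the same three records; only the segment count differs, which is the difference the two traces show.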