AlpnHandlerImpl - ALPN enabled and no protocol negotiated


Timothy Shiner

Jan 12, 2023, 1:12:11 PM
to OWASP ZAP User Group
Hello!

My organization uses Azure DevOps pipelines for application deployment, for which we have developed a PowerShell module to assist in scanning internal URLs with ZAP. This was working well until recently (I can't recall the exact date it stopped due to lack of runs over the holidays), when the Invoke-WebRequest calls from PowerShell began to fail with the following exception:

Invoke-WebRequest : The request was aborted: The request was canceled.

Upon investigating this further I see this statement in the ZAP logs for each request:

313741 [ZAP-IO-2-8] WARN  org.zaproxy.addon.network.internal.handlers.TlsProtocolHandler.AlpnHandlerImpl - ALPN enabled and no protocol negotiated, closing connection.

I am able to drop the ZAP API URL in a browser and it pulls up without issues.  Here is my test PowerShell that invokes this error:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$response = Invoke-WebRequest -uri "https://zap.mydomain.org/"

If I hop into the ZAP Options > Network > Local Servers/Proxies > Proxy Properties and uncheck 'ALPN > Enable TLS ALPN extension', I am able to make connections from PowerShell. As far as I can tell from my PowerShell research, it is using HTTP/1.1, and I am manually setting the TLS protocol to be 1.2.

What I am looking for here is:
1. Any assistance on what I might need to add/modify in my PowerShell scripts to successfully call the ZAP API.
2. A configuration to add to my zaproxy.conf to disable 'ALPN > Enable TLS ALPN extension' on the main proxy properties until I can figure out how to adapt my script.

Thank you for any assistance, and please let me know any additional information that I can provide for any assistance.

Thank you!
 - Tim

thc...@gmail.com

Jan 12, 2023, 3:18:37 PM
to zaprox...@googlegroups.com
Hi.

1. I took a quick look at the docs and I didn't find anything to set the
protocols that should be negotiated (it doesn't seem to support
HTTP/2 either, which would be an indication of ALPN support).

2. You can disable with the following:
network.localServers.mainProxy.alpn.enabled=false

https://www.zaproxy.org/faq/how-do-you-find-out-what-key-to-use-to-set-a-config-value-on-the-command-line/

Best regards.
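
An added diagnostic, not part of the original thread or of ZAP: it runs the TLS 1.2 handshake against the listener once without and once with an ALPN offer of http/1.1, so you can see which case the server drops. It assumes PowerShell 7 (the SslClientAuthenticationOptions type is not available in Windows PowerShell 5.1), a listener certificate that the client trusts, and port 443; the function name Test-AlpnHandshake is made up for this example.

```powershell
# Added example (not from the thread). Requires PowerShell 7 or later.
function Test-AlpnHandshake {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,           # assumption: the listener answers on 443
        [switch] $OfferHttp11        # when set, the ClientHello carries ALPN "http/1.1"
    )
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl  = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        $opts = [System.Net.Security.SslClientAuthenticationOptions]::new()
        $opts.TargetHost          = $HostName
        $opts.EnabledSslProtocols = [System.Security.Authentication.SslProtocols]::Tls12
        if ($OfferHttp11) {
            $protocols = [System.Collections.Generic.List[System.Net.Security.SslApplicationProtocol]]::new()
            $protocols.Add([System.Net.Security.SslApplicationProtocol]::Http11)
            $opts.ApplicationProtocols = $protocols
        }
        # Certificate validation stays at the default; an untrusted certificate throws here.
        $ssl.AuthenticateAsClientAsync($opts, [System.Threading.CancellationToken]::None).GetAwaiter().GetResult()

        # Send a minimal request and record whether the server answers or closes the connection.
        $bytesRead = 0
        try {
            $request = [System.Text.Encoding]::ASCII.GetBytes(
                "GET / HTTP/1.1`r`nHost: $HostName`r`nConnection: close`r`n`r`n")
            $ssl.Write($request)
            $ssl.Flush()
            $buffer    = [byte[]]::new(256)
            $bytesRead = $ssl.Read($buffer, 0, $buffer.Length)
        } catch {
            $bytesRead = 0           # connection was reset or closed by the server
        }

        [pscustomobject]@{
            OfferedAlpn    = [bool]$OfferHttp11
            NegotiatedAlpn = $ssl.NegotiatedApplicationProtocol.ToString()
            ServerAnswered = ($bytesRead -gt 0)
        }
    } finally {
        $tcp.Dispose()
    }
}

# Compare the two cases against your own listener (host name taken from the post above):
# Test-AlpnHandshake -HostName 'zap.mydomain.org'
# Test-AlpnHandshake -HostName 'zap.mydomain.org' -OfferHttp11
```

A run without -OfferHttp11 that reports an empty NegotiatedAlpn and ServerAnswered = False, alongside the AlpnHandlerImpl warning in the ZAP log, matches the failure described in the first post.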

Andreas Magnusson

Feb 8, 2023, 4:34:15 AM
to OWASP ZAP User Group
Only problem for us is that it doesn't take when running in Docker (weekly) like this:

entrypoint: [ "zap-x.sh", "-daemon", "-host", "0.0.0.0", "-port", "8080",
"-config", "api.addrs.addr.name=.*",
"-config", "api.addrs.addr.regex=true",
"-config", "api.disablekey=true",
"-config", "network.localServers.mainProxy.alpn.enabled=false" ]

Odd thing is that I see that it's added to the config.xml but is overwritten later. Maybe because the <localServers> has a "version=1" attribute on it? Who knows.

So it seems that we are stuck with 2.11.* until the default is changed (or we can affect it through ClientApi)

thc...@gmail.com

Feb 8, 2023, 4:48:46 AM
to zaprox...@googlegroups.com
Sorry, for the time being you also need to add:
-config network.localServers.mainProxy.address=0.0.0.0

Best regards.

Andreas Magnusson

Feb 8, 2023, 5:35:05 AM
to OWASP ZAP User Group
I'll test that, thank you!