ZAP not connecting to application using TLS1.0


Screaming Eagle

Mar 24, 2021, 3:47:29 PM
to OWASP ZAP User Group
Hello, I am running Kali with Java 11.

I am getting this error:
The server selected protocol version TLS10 is not accepted by client preferences [TLS13, TLS12, SSL20Hello] Root cause: SSLHandshakeException: The server selected protocol version TLS10 is not accepted by client preferences [TLS13, TLS12, SSL20Hello]

I think the application is supporting only TLS1.0, and either ZAP or Java 11 (if ZAP uses Java) is not supporting TLS1.0.

Note: I have unchecked TLS1.2, 1.1, 1.3 in ZAP under options, connection setting.

Any idea on how to scan an application that supports only TLS1.0?

Thanks,
KC

kingthorin+owaspzap

Mar 24, 2021, 4:42:09 PM
to OWASP ZAP User Group

Screaming Eagle

Mar 25, 2021, 12:03:44 PM
to OWASP ZAP User Group
Hello, Kingthorin.
I did check the option > connection > security protocol. They are selected.
I am not using a proxy.

I tested this on another ZAP with openjdk 11.0.10 2021-01-19 and the testing works; I am able to connect to the target which supports only TLS1.0.
The ZAP which failed is using openjdk 11.0.11-ea. I suspect that support for TLS1.0 is dropped on version 11.0.11? Can anyone confirm?

Thanks,
KC

thc...@gmail.com

Mar 25, 2021, 12:14:17 PM
to zaprox...@googlegroups.com
Yes, refer to:
https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8202343

You have to remove them from the disabled algorithms property in the
java.security configuration file.

Best regards.

Screaming Eagle

Mar 25, 2021, 12:43:41 PM
to OWASP ZAP User Group
OK, I found the cause: the Java version I am on dropped TLS 1.0 and TLS 1.1 support.

This is not good if the security relies on Java and you're trying to test a target that uses TLS1.0 and TLS1.1.

Any ideas other than installing a previous version of Java and seeing if it can run the current ZAP version?

On Wednesday, March 24, 2021 at 4:42:09 PM UTC-4 kingthorin+owaspzap wrote:

Simon Bennetts

Mar 25, 2021, 12:47:31 PM
to OWASP ZAP User Group
ZAP currently supports Java 8+.
It relies on Java 8 features, so it will not run on versions older than that.
ZAP is implemented in Java so it kind of has to depend on it ;)

thc...@gmail.com

Mar 25, 2021, 12:51:28 PM
to zaprox...@googlegroups.com
That's not correct, Java 11.0.11-ea still supports TLS 1.0 and 1.1, they
are just disabled by default. You can still enable them as mentioned in
the previous post.

Best regards.
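
Added example, not part of the thread or of ZAP: one way to apply the fix described in the replies above without editing the JDK-wide java.security, by generating an override file that removes only TLSv1 and TLSv1.1 from `jdk.tls.disabledAlgorithms` and handing it to the ZAP JVM alone. The function names, file paths and sample file contents are assumptions constructed for illustration.

```shell
# Constructed sample of a java.security file (not copied from a real JDK).
sample_java_security() {
  cat <<'EOF'
# jdk.tls.disabledAlgorithms=commented out, must be ignored
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
jdk.tls.legacyAlgorithms=K_NULL, C_NULL
EOF
}

# Print the active property value, joining backslash-continued lines.
current_disabled() {  # $1 = path to java.security
  awk '
    /^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*=/ { grab = 1; sub(/^[^=]*=/, "") }
    grab {
      more = sub(/\\[ \t]*$/, "")        # trailing backslash: value continues
      gsub(/^[ \t]+|[ \t]+$/, "")
      printf "%s%s", $0, (more ? " " : "\n")
      if (!more) exit
    }' "$1"
}

# Remove only the exact entries TLSv1 and TLSv1.1; keep all other restrictions.
strip_legacy_tls() {  # $1 = comma-separated property value
  printf '%s\n' "$1" | awk -F',' '{
    out = ""
    for (i = 1; i <= NF; i++) {
      t = $i; gsub(/^[ \t]+|[ \t]+$/, "", t)
      if (t == "" || t == "TLSv1" || t == "TLSv1.1") continue
      out = out (out == "" ? "" : ", ") t
    }
    print out
  }'
}

# Write an override file that can be handed to a single JVM.
write_override() {  # $1 = java.security to read, $2 = override file to create
  zap_cur=$(current_disabled "$1")
  [ -n "$zap_cur" ] || { echo "jdk.tls.disabledAlgorithms not set in $1" >&2; return 1; }
  printf 'jdk.tls.disabledAlgorithms=%s\n' "$(strip_legacy_tls "$zap_cur")" > "$2"
}

# Usage (paths are assumptions; Java 11 keeps the file under conf/security):
#   write_override "$JAVA_HOME/conf/security/java.security" "$HOME/zap-tls.security"
#   JAVA_TOOL_OPTIONS="-Djava.security.properties=$HOME/zap-tls.security" ./zap.sh
```

The override is honoured only while `security.overridePropertiesFile=true` is set in the JDK's java.security, which is the default. Every other Java program on the host keeps TLS 1.0 and 1.1 disabled.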