Can't generate Dynamic SSL Certificate


Ramon

Nov 14, 2013, 5:05:38 PM11/14/13
to zaprox...@googlegroups.com
I'm brand new to ZAP installed 2.2.2 on Windows 7 64bit. I'm trying to generate a certificate so that I can scan and actively test internal SSL sites but every time I go to Tools > Options > Dynamic SSL Certificates > Generate, absolutely nothing happens. 

I'm sure I can get any number of utilities to generate a cert and then import it but I want to know if this is something very simple that I'm screwing up or if its a bug.

-Thanks

Simon Bennetts

Nov 15, 2013, 3:50:14 AM11/15/13
to zaprox...@googlegroups.com
Hi Ramon,

ZAP now generates a root SSL certificate when it first starts up, but you can regenerate one at any time using that option page.
What you will need to do is import this into your browser as a trusted CA cert.

If you are using the latest version of Firefox then the easiest way to do this is via the "Plug-n-Hack" button on the ZAP "Quick Start" tab - that will configure Firefox to use ZAP as a proxy as well as importing the cert.
If you are not using Firefox, or want to do the process manually, then see the help included with ZAP, which is also online: http://code.google.com/p/zaproxy/wiki/HelpUiDialogsOptionsDynsslcert

Cheers,

Simon

Ramon

Nov 15, 2013, 9:10:06 AM11/15/13
to zaprox...@googlegroups.com
Thanks for the response Simon. I uninstalled and reinstalled ZAP 2.2.2 for the sake of starting anew and then followed the help information, including using the Plug-n-Hack feature. I'm still unable to browse to HTTPS sites via my proxied Firefox (unsecured sites work fine) and the Generate button does nothing on the Dynamic SSL Certificate screen. I've done as much investigating as I could think to do at this point and added the notes below.

  • The Root Certificate Manager in ZAP is still empty. If ZAP automatically generated a cert when it first starts up, would that cert normally appear in this screen? (see the image below)

  • I've searched through Firefox's entire certificate manager and did not find anything related to ZAP.

  • I've searched my entire HDD for *.cer files and none related to ZAP were found.

  • I opened the config.xml file in my home directory in hopes of finding the cert's location and this is what the certificate section says:

        <certificate>
        <use>0</use>
        <clientCertLocation/>
        <experimentalSlotListIndex>false</experimentalSlotListIndex>
        </certificate>

    The middle line in there (<clientCertLocation/>) is strange, isn't it?

  • The config.xml file from the installation directory is slightly different but does not contain a certificate location either:

        <certificate>
        <use>0</use>
        <clientCertLocation></clientCertLocation>
        <experimentalSlotListIndex>false</experimentalSlotListIndex>
        </certificate>

  • Should clientCertLocation contain the location of the automatically generated certificate?

Simon Bennetts

Nov 15, 2013, 9:18:17 AM11/15/13
to zaprox...@googlegroups.com
Hi Ramon,

Oh, the text area in the screenshot you attached should contain the root cert, so it looks like something's gone wrong.
Can you have a look in the zap.log file to see if there are any errors?
It will be in the default ZAP directory: http://code.google.com/p/zaproxy/wiki/FAQconfig

Cheers,

Simon

Ramon

Nov 15, 2013, 10:04:39 AM11/15/13
to zaprox...@googlegroups.com
There are several blocks of errors similar to this:

013-11-15 08:07:59,324 ERROR ZAP$UncaughtExceptionLogger - Exception in thread "Thread-6"
java.lang.NoSuchMethodError: org.bouncycastle.asn1.x509.V3TBSCertificateGenerator.setSerialNumber(Lorg/bouncycastle/asn1/DERInteger;)V
at org.bouncycastle.cert.X509v3CertificateBuilder.<init>(Unknown Source)
at org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder.<init>(Unknown Source)
at org.zaproxy.zap.extension.dynssl.SslCertificateUtils.createRootCA(Unknown Source)
at org.zaproxy.zap.extension.dynssl.ExtensionDynSSL.createNewRootCa(Unknown Source)
at org.zaproxy.zap.ZAP$1.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)

Simon Bennetts

Nov 15, 2013, 10:17:11 AM11/15/13
to zaprox...@googlegroups.com
Ah, could you have another version of bouncycastle on your java path?
It looks like ZAP is picking up the wrong version.

Cheers,

Simon

Ramon

Nov 15, 2013, 10:59:40 AM11/15/13
to zaprox...@googlegroups.com
Well, I have searched for *.jar files in the installation directory (C:\Program Files (x86)\OWASP\Zed Attack Proxy\lib) and see that there is bcprov-jdk16-146.jar and also bcmail-jdk16-146.jar.

I also searched the ZAP documentation and didn't get any results for bouncycastle. Is there a reference for the correct bouncycastle versions and where they should reside?

Simon Bennetts

Nov 15, 2013, 11:04:00 AM11/15/13
to zaprox...@googlegroups.com
ZAP includes the correct version of bouncycastle.

However, you might have another version of bouncycastle already installed, e.g. in your C:\Program Files\Java\jre7\lib directory?
Have a look to see if you can find any bc.*.jar files in your java installation directory.

Cheers,

Simon

Ramon

Nov 15, 2013, 1:08:33 PM11/15/13
to zaprox...@googlegroups.com
That did the trick. I found the offending older version (bcprov-jdk15on-147), moved it into an archive and then ZAP worked like a charm.

Thanks for the help Simon.
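The root cause in this thread is a second BouncyCastle jar sitting in the JRE's extension directory, where the extension class loader loads it ahead of the copy ZAP bundles in its own lib directory. The following script is an added example (not ZAP's own code or anything from the list) that scans an application lib directory and one or more JRE ext directories for bc*.jar files and reports any artifact present in both; the jar names it builds in the demo are constructed to mirror the ones Ramon found (empty files, not real jars), and the ZAP lib path it uses when run directly is the one quoted above.

```python
"""Find BouncyCastle jars in a JRE ext dir that shadow an app's bundled copy.

Added example, not ZAP code. It assumes the Java 7 behaviour that jars in
<jre>/lib/ext are loaded by the extension class loader, whose parent-first
delegation wins over jars on the application's own classpath, so a stray
bcprov there replaces the version the application ships with.
"""
import os
import re
import tempfile

# bcprov-jdk16-146.jar -> ("bcprov", "jdk16", "146"); bcprov-jdk18on-1.78.jar also matches
BC_JAR = re.compile(r"^(bc[a-z]+)-(jdk[0-9a-z]+)-([0-9][0-9.]*)\.jar$", re.IGNORECASE)


def scan_dir(path):
    """Return {artifact: (filename, version)} for every BouncyCastle jar in path."""
    found = {}
    if not os.path.isdir(path):          # missing ext dir is not an error, just empty
        return found
    for name in sorted(os.listdir(path)):
        m = BC_JAR.match(name)
        if m:
            found[m.group(1).lower()] = (name, m.group(3))
    return found


def find_shadowing(app_lib, ext_dirs):
    """List (artifact, bundled_jar, shadowing_jar, ext_dir) for each BC artifact
    that exists both in app_lib and in one of the JRE extension directories."""
    bundled = scan_dir(app_lib)
    return [(artifact, bundled[artifact][0], name, ext)
            for ext in ext_dirs
            for artifact, (name, _ver) in scan_dir(ext).items()
            if artifact in bundled]


def demo():
    """Rebuild the layout from the thread with constructed empty placeholder jars."""
    root = tempfile.mkdtemp()
    zap_lib = os.path.join(root, "zap", "lib")
    jre_ext = os.path.join(root, "jre7", "lib", "ext")
    layout = {zap_lib: ["bcprov-jdk16-146.jar", "bcmail-jdk16-146.jar"],
              jre_ext: ["bcprov-jdk15on-147.jar", "unrelated.jar"]}
    for d, names in layout.items():
        os.makedirs(d)
        for n in names:
            open(os.path.join(d, n), "w").close()
    return find_shadowing(zap_lib, [jre_ext])


if __name__ == "__main__":
    java_home = os.environ.get("JAVA_HOME", r"C:\Program Files\Java\jre7")
    zap_lib = r"C:\Program Files (x86)\OWASP\Zed Attack Proxy\lib"   # path quoted in the thread
    for artifact, ours, theirs, where in find_shadowing(zap_lib, [os.path.join(java_home, "lib", "ext")]):
        print(f"{artifact}: {ours} is shadowed by {theirs} in {where}")
```

Running it with no arguments checks the real ZAP and JRE paths via JAVA_HOME; demo() shows the expected hit on a constructed tree.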

Simon Bennetts

Nov 15, 2013, 1:46:09 PM11/15/13
to zaprox...@googlegroups.com
No problem, glad it's working now :)