Websocket handshake/connection failed
2,493 views
Skip to first unread message
Conny Nykvist
Nov 30, 2012, 4:01:22 AM11/30/12
to zaprox...@googlegroups.com
Hi,
I'm trying to use ZAP to intercept WebSockets, however ZAP seem to be unable to establish the WebSocket handshake. Everything up to the start of WebSocket communication works good (the HTTP requests), but then I see a connection failed.
This is something that I have used ZAP for previously and then it worked fine.
I get this behaviour when testing here, http://www.websocket.org/echo.html , as well.
Any help would be greatly appreciated!
Br,
Conny
robkoch86
Nov 30, 2012, 5:53:17 AM11/30/12
to zaprox...@googlegroups.com
Hello Conny,
I tried with the current weakly release and there was no problem.
How does the handshake request to "https://echo.websocket.org/?encoding=text" look like? There may be problems, when you're behind an explicit (non-transparent) proxy server. Please post the request & response.
Best wishes,
Robert
I tried with the current weakly release and there was no problem.
How does the handshake request to "https://echo.websocket.org/?encoding=text" look like? There may be problems, when you're behind an explicit (non-transparent) proxy server. Please post the request & response.
Best wishes,
Robert
Conny Nykvist
Nov 30, 2012, 4:04:18 PM11/30/12
to zaprox...@googlegroups.com
Hi Robert,
In the history tab of ZAP i don't even see that request actually. I just see the other ones like "GET http://www.websockets.org/echo.html", and that get a 200 OK response. When I view the console in firebug i see "Firefox could not establish a conncetion to the sever on ws://echo.websocket.org/?encoding=text". This error comes right away so it's not like its timed out or similar. If i view the Net tab in firebug i actually see the "http://echo.websocket.org/?encoding=text" which responds with an 200 OK. Request headers are:
Connection:Upgrade
Sec-WebSocket-Extensions:x-webkit-deflate-frame
Sec-WebSocket-Key:UdQPLeNVWygylmxbU5oe2w==
Sec-WebSocket-Version:13
Upgrade:websocket
(Key3):00:00:00:00:00:00:00:00
I removed cookie, host and origin since i didn't think you would need it. I get no response header when using ZAP as proxy. When i don't use ZAP as proxy it works fine using WebSockets.
I also use the latest weekly build, 2012-11-26.
Hopefully you have some good idea on what to try, i'm a bit stuck i'm afraid. Thanks for the help!
Br,
Conny
thc202
Dec 1, 2012, 2:16:48 PM12/1/12
to zaprox...@googlegroups.com
Hi.
Try checking the option "Use secure WebSocket (TLS)".
Best regards.
Try checking the option "Use secure WebSocket (TLS)".
Best regards.
Conny Nykvist
Dec 1, 2012, 4:34:23 PM12/1/12
to zaprox...@googlegroups.com
Hi,
I have tried using both ws and wss, still same problem i'm afraid.
Br,
Conny
Conny Nykvist
Dec 1, 2012, 7:53:18 PM12/1/12
to zaprox...@googlegroups.com
An update:
I tried playing around a bit more with using TLS, if i "manually" go to "https://echo.websocket.org/?encoding=text" in the browser and accept the certificate/warning the browser displays and then try and connect using wss it does work. So i guess wss not working had something to do with the browser refusing the "untrusted" connection or something like that.
I'm still a bit puzzled why it doesnt work using ws though, i have even tried different networks to try and remove any proxy issues.If anyone has any good idea/explanation it would be great!
I'm not stuck not being able to use ZAP at all anymore though, thanks for the help!
Br,
Conny
thc202
Dec 2, 2012, 6:05:40 PM12/2/12
to zaprox...@googlegroups.com
Hi.
Regarding the certificate you may want to import ZAP's Root CA certificate to Firefox [1], this way it will accept/trust all certificates issued by ZAP.
Regarding not working with ws, it seems that it is the same "problem" that I have encountered. Sometimes Firefox tries to establish a persistent tunnel through ZAP (using the HTTP CONNECT method) to the target server (echo.websocket.org:80), but ZAP always handles it as a SSL connection which is not the case and the connection is not established.
If you don't mind the work, you can check the log file (file zap.log located in ZAP's default directory [2], note that it's the weekly) and see if there's a message like the following when trying to connect:
[...]
DEBUG ProxyThread - IOException:
java.io.IOException: Error while establishing SSL connection!
at org.parosproxy.paros.core.proxy.ProxyThread.beginSSL(ProxyThread.java:145)
at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:174)
at java.lang.Thread.run(Thread.java:722)
Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
[...]
If the message is present then it's the same problem. The "workaround" is to check the option "Use secure WebSocket (TLS)" and use wss.
You have to add to the file log4j.properties (located in the same directory as zap.log [2]) the string log4j.logger.org.parosproxy.paros.core.proxy.ProxyThread=DEBUG before starting ZAP.
[1] https://code.google.com/p/zaproxy/wiki/HelpUiDialogsOptionsDynsslcert
[2] https://code.google.com/p/zaproxy/wiki/FAQconfig
Best regards.
Regarding the certificate you may want to import ZAP's Root CA certificate to Firefox [1], this way it will accept/trust all certificates issued by ZAP.
Regarding not working with ws, it seems that it is the same "problem" that I have encountered. Sometimes Firefox tries to establish a persistent tunnel through ZAP (using the HTTP CONNECT method) to the target server (echo.websocket.org:80), but ZAP always handles it as a SSL connection which is not the case and the connection is not established.
If you don't mind the work, you can check the log file (file zap.log located in ZAP's default directory [2], note that it's the weekly) and see if there's a message like the following when trying to connect:
[...]
DEBUG ProxyThread - IOException:
java.io.IOException: Error while establishing SSL connection!
at org.parosproxy.paros.core.proxy.ProxyThread.beginSSL(ProxyThread.java:145)
at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:174)
at java.lang.Thread.run(Thread.java:722)
Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
[...]
If the message is present then it's the same problem. The "workaround" is to check the option "Use secure WebSocket (TLS)" and use wss.
You have to add to the file log4j.properties (located in the same directory as zap.log [2]) the string log4j.logger.org.parosproxy.paros.core.proxy.ProxyThread=DEBUG before starting ZAP.
[1] https://code.google.com/p/zaproxy/wiki/HelpUiDialogsOptionsDynsslcert
[2] https://code.google.com/p/zaproxy/wiki/FAQconfig
Best regards.
Conny Nykvist
Dec 3, 2012, 4:04:14 PM12/3/12
to zaprox...@googlegroups.com
Hi,
I got the exception you mentioned in the logs, so we got the same problem. Thanks again for letting me know this!
Br,
Conny
thc202
Jan 7, 2013, 7:57:33 PM1/7/13
to zaprox...@googlegroups.com
Hi.
Thanks for taking time to look into it.
The issue is now fixed (thanks to Robert). In case you want to try it the new weekly release (as of 2013-01-07) already contains the fix [1].
[1] https://code.google.com/p/zaproxy/downloads/list?q=weekly
Best regards.
Thanks for taking time to look into it.
The issue is now fixed (thanks to Robert). In case you want to try it the new weekly release (as of 2013-01-07) already contains the fix [1].
[1] https://code.google.com/p/zaproxy/downloads/list?q=weekly
Best regards.
Reply all
Reply to author
Forward
0 new messages