the dynamically generated certificates raise a NET::ERR_CERT_COMMON_NAME_INVALID in chrome 76

[Delia Vasile]

Hello, 

I imported the ZAP root certificate as a trusted authority in google chrome 67 on Ubuntu, but when I am trying to navigate to the website that I want to attack with ZAP, I am getting a security error from chrome: NET:ERR_CERT_COMMON_NAME_INVALID that the certificate does not specify Subject Alternative Names - you can see it in the attached screenshot. 

Is there a solution for this issue? Chrome in headless mode does not start properly because of this error. 

[kingthorin+owaspzap]

1) You forgot to redact the target in the bottom half of your image.

2) Click "Proceed to ________ (Unsafe)"

[Simon Bennetts]

You need to import the cert into the "Trusted Root Certificate Authorities" store - is that the one you used?

[Delia Vasile]

Yes, I realised afterwards. Still I checked the sources of zaproxy on github and it looks like subject alternative name is added:

https://github.com/zaproxy/zaproxy/blob/develop/src/org/parosproxy/paros/security/SslCertificateServiceImpl.java

I just tested with zap version 2.7.0 for mac and I can see the Subject Alternative Name in Chrome when I inspect the certificate, I tested also with the owasp/zap2docker stable image which has zap 2.7.0 and it is fixed, after I import the zap root certificate, chrome doesn't give any errors. I got the error when I tested with version 2.4.0 

Any idea in which version was this fixed? 

--
You received this message because you are subscribed to the Google Groups "OWASP ZAP User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/e3c5600a-abff-4ecf-ba5d-0616f2a597ef%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[thc...@gmail.com]

That was fixed in 2.6.0:
https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_6_0

Any special reason to use 2.4.0?

Best regards.

>> <https://groups.google.com/d/msgid/zaproxy-users/e3c5600a-abff-4ecf-ba5d-0616f2a597ef%40googlegroups.com?utm_medium=email&utm_source=footer>
>> .

[Delia Vasile]

We have all kinds of corporate rules and I need to get the version with the fix approved such that it becomes available on our internal repository. Boring organisational stuff :)

To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/912dcf10-3e36-fadf-2715-bf04cd041af1%40gmail.com.

[Simon Bennetts]

Unfortunately we're a relatively small team and can therefore only support the latest version of ZAP.

Good luck getting it approved :)

>> email to zaproxy-users+unsubscribe@googlegroups.com.

>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/zaproxy-users/e3c5600a-abff-4ecf-ba5d-0616f2a597ef%40googlegroups.com
>> <https://groups.google.com/d/msgid/zaproxy-users/e3c5600a-abff-4ecf-ba5d-0616f2a597ef%40googlegroups.com?utm_medium=email&utm_source=footer>
>> .
>> For more options, visit https://groups.google.com/d/optout.
>>
>

--
You received this message because you are subscribed to the Google Groups "OWASP ZAP User Group" group.

To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-users+unsubscribe@googlegroups.com.