Can't establish proxy TLS connection to some websites.


dtososkymesh

Nov 2, 2016, 1:16:22 AM
to OWASP ZAP User Group

Hi All,

Asked on SuperUser.com and getting no traction: OWASP ZAP can't establish proxy TLS connection to some websites.

Java 8, ZAP 2.5.0. Full procedure I'm using to reliably reproduce the issue (using Docker) is given in that post.

Dynamic SSL root CA exported and installed into Firefox - can proxy https://google.com with no issues.

This HTTPS site can't be proxied: NBN Co Customer Portal

Browser gets a 200 Ok (text/plain) response from ZAP, which in turn records an internally generated 502 Bad Gateway:

ZAP Error [javax.net.ssl.SSLException]: Received fatal alert: close_notify
Stack Trace:
javax.net.ssl.SSLException: Received fatal alert: close_notify
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2011)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1113)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
    at org.parosproxy.paros.network.SSLConnector.createSocket(Unknown Source)
    at org.apache.commons.httpclient.HttpConnection.open(Unknown Source)
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(Unknown Source)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(Unknown Source)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
    at org.parosproxy.paros.network.HttpSender.executeMethod(Unknown Source)
    at org.parosproxy.paros.network.HttpSender.runMethod(Unknown Source)
    at org.parosproxy.paros.network.HttpSender.send(Unknown Source)
    at org.parosproxy.paros.network.HttpSender.sendAuthenticated(Unknown Source)
    at org.parosproxy.paros.network.HttpSender.sendAndReceive(Unknown Source)
    at org.parosproxy.paros.network.HttpSender.sendAndReceive(Unknown Source)
    at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(Unknown Source)
    at org.parosproxy.paros.core.proxy.ProxyThread.run(Unknown Source)
    at java.lang.Thread.run(Thread.java:745)

Based on other posts, I've tried every possible combination of enabled/disabled SSL/TLS protocols in the 'Local proxy' Options tab.

Can anyone tell me what's actually going on here?
Is that the upstream website closing down TLS negotiation? (PK Cert pinning?)

Is there some tweak I could make to the Java environment or to the ZAP config to make this work?

Experiencing much frustration and appreciate any help I can get.

-David

thc...@gmail.com

Nov 2, 2016, 9:58:04 AM
to zaprox...@googlegroups.com
Hi.

The Local Proxy options just apply to connections between ZAP and the
client (e.g. browser). That seems to be a failure between ZAP and the
server; could you try enabling just "TLS 1" in the Connection options panel?

Best regards.

On 02/11/16 05:16, dtososkymesh wrote:
>
> Hi All,
>
> Asked on SuperUser.com and getting no traction: OWASP ZAP can't establish
> proxy TLS connection to some websites
> <http://superuser.com/questions/1140454/owasp-zap-cant-establish-proxy-tls-connection-to-some-websites>.
>
> Java 8, ZAP 2.5.0. Full procedure I'm using to reliably reproduce the
> issue (using Docker) is given in that post.
>
> Dynamic SSL root CA exported and installed into Firefox - can proxy
> https://google.com with no issues.
>
> This HTTPS site can't be proxied: NBN Co Customer Portal
> <https://login.nbnco.net.au/portal-login?resource_url=http%3A%2F%2Fwww1.nbnco.com.au%252Fonline_customers%252Fpage%252Fhome>

dtososkymesh

Nov 2, 2016, 10:13:48 AM
to OWASP ZAP User Group
Thanks thc202, that was exactly the problem.

So if I've understood correctly, the webserver at login.nbnco.net.au:442 doesn't accept TLS 1.1 or 1.2.

-David

thc...@gmail.com

Nov 2, 2016, 10:56:17 AM
to zaprox...@googlegroups.com
It seems so, HTTPS Info add-on [1] also reports TLS 1.0 as the only
supported version.


[1] https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsHttpsinfoHttpsinfo

Best regards.
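The two replies above make the same point: the handshake that failed is the one between ZAP and the upstream server, so what matters is which protocol versions that server accepts, which the HTTPS Info add-on reported as TLS 1.0 only. The script below is an added example (not part of this thread, not ZAP code) that checks the same thing independently of ZAP with Python's standard ssl module: it pins both the minimum and maximum version of a client context to a single version and attempts one handshake per version, so "accepted" means the server really negotiated that version. The verdict strings, the error-message heuristics in classify_ssl_text, the default target host (taken from the thread) and the SECLEVEL=0 workaround for OpenSSL 3 builds (which refuse TLS 1.0/1.1 at their default security level) are this example's own assumptions.

```python
"""Probe which TLS protocol versions a server will negotiate.

Added example, not part of the ZAP thread or of ZAP itself.  One handshake is
attempted per version with minimum and maximum version pinned to the same
value, so an "accepted" result means the server really speaks that version.
"""
import socket
import ssl
import sys

# Oldest first.  Assumption: this interpreter's OpenSSL still has TLS 1.0/1.1
# compiled in; on OpenSSL 3 they additionally need security level 0 (below).
VERSION_NAMES = ["TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]


def build_context(version_name):
    """Client context that offers exactly one protocol version."""
    version = ssl.TLSVersion[version_name]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # probing version support, not trust
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version   # ValueError if this build lacks the version
    ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        try:
            # OpenSSL 3 disables TLS < 1.2 at its default security level.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass                    # older OpenSSL/LibreSSL: keyword unknown, not needed
    return ctx


def context_version_range(ctx):
    """Names of the lowest and highest version the context will offer."""
    return ctx.minimum_version.name, ctx.maximum_version.name


def classify_ssl_text(text):
    """Map an SSLError message to a short verdict (heuristic, added here)."""
    upper = text.upper()
    if "PROTOCOL_VERSION" in upper or "UNSUPPORTED_PROTOCOL" in upper:
        return "rejected: server does not speak this version"
    if "HANDSHAKE_FAILURE" in upper or "NO_CIPHERS_AVAILABLE" in upper:
        return "rejected: no cipher suite in common"
    if "EOF" in upper:
        return "dropped: server closed the connection mid-handshake"
    return "error: " + text


def classify_error(exc):
    """Verdict for any exception raised while connecting or handshaking."""
    if isinstance(exc, ssl.SSLError):
        return classify_ssl_text(str(exc))
    if isinstance(exc, (ConnectionResetError, EOFError, BrokenPipeError)):
        return "dropped: server closed the connection mid-handshake"
    return "error: " + str(exc)


def probe(host, port=443, timeout=5.0):
    """Return {version name: verdict} for every version in VERSION_NAMES."""
    results = {}
    for name in VERSION_NAMES:
        try:
            ctx = build_context(name)
        except ValueError as exc:
            results[name] = "skipped: " + str(exc)   # version not in this OpenSSL build
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = "accepted (%s, %s)" % (tls.version(), tls.cipher()[0])
        except Exception as exc:  # every failure mode is a data point here
            results[name] = classify_error(exc)
    return results


if __name__ == "__main__":
    # Default target is the host from the thread; pass another as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "login.nbnco.net.au"
    for name, verdict in probe(target).items():
        print("%-8s %s" % (name, verdict))
```

Run it as `python3 tlsprobe.py login.nbnco.net.au`. If the server behaves as the HTTPS Info report above describes, only TLSv1 comes back as "accepted" and the other rows show a "rejected" or "dropped" verdict; note that the exact failure mode differs by stack, so a JSSE client (ZAP on Java 8) reporting a close_notify alert and an OpenSSL client reporting a protocol-version alert or an EOF can be the same server-side refusal. Restricting ZAP's Connection options to TLS 1 only is a per-target workaround that lowers the floor for all of ZAP's outbound connections; restore the setting afterwards, and a server that speaks only TLS 1.0 is itself a finding worth recording.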