How to use/generate ZAP SSL Certificates on *nix machine in daemon mode?


czlowi...@gmail.com

Jan 19, 2015, 9:36:44 AM1/19/15
to zaprox...@googlegroups.com
Hi,
I am trying to set up ZAP in daemon mode to act as a proxy. I have it running on an AWS EC2 instance,
configured my browser to use it, but hit the wall with SSL errors (ssl_error_rx_record_too_long in Firefox).
On the project wiki I have found info that I need to generate a root certificate in/through ZAP (?), but in some
other posts on the developers list I read that ZAP is shipping with certificates I could use (import into the browser).
Unfortunately it seems I can find neither any way in the CLI to do so nor the certificates. My questions are:
1. Are there certificates shipped with ZAP I could import into the browser?
2. Can I somehow (in an easy way) generate those in the CLI?
3. How do I supply certificates generated via the GUI to a CLI setup, if 2. is a no-go?
    a. Where do I put them, or how do I point ZAP (config.xml) to use them after I have generated them "outside"?

It seems the way is to generate them in the GUI (let's say on my Windows box) and add them to whatever other ZAP
setup I have. But I'm not 100% sure how to do so.

I hope I am clear enough about what I am trying to achieve, but if not please let me know so I can elaborate.

Thanks for any info and tips on this topic!

Best regards,
Dawid

Simon Bennetts

Jan 21, 2015, 4:54:21 AM1/21/15
to zaprox...@googlegroups.com
If we shipped one standard certificate then anyone could use it to fake other sites to any browser that trusted the 'one ZAP root cert' - very bad.
So we don't :)
ZAP generates a unique root cert just for you the first time it is run.

You can download this cert via the API using:
You can also regenerate the root CA cert via the API.

ZAP stores the root cert in the config.xml file.
We don't currently have a way to import root certs except from another ZAP config file - there's a related enhancement request: https://code.google.com/p/zaproxy/issues/detail?id=190

So you could create a root cert on one machine, import it into your browser(s) and then reuse it on other ZAP instances on other machines.

Does that help?

Cheers,

Simon

Dawid Romaldowski

Jan 21, 2015, 6:56:03 AM1/21/15
to zaprox...@googlegroups.com
On 21 January 2015 at 10:54, Simon Bennetts <psi...@gmail.com> wrote:
If we shipped one standard certificate then anyone could use it to fake other sites to any browser that trusted the 'one ZAP root cert' - very bad.
So we don't :)

Gotcha ;). I misunderstood the topic I read; it was actually referring to the certificate generated in ZAP (not "shipped" with it).
 
ZAP generates a unique root cert just for you the first time it is run.

Hm, seems it did not do it for me. Might it be that when running with "-daemon" it does not generate anything?
 
You can download this cert via the API using:
I get a blank page.
 
You can also regenerate the root CA cert via the API.

If you refer to the "button" visible here: http://zap/UI/core/other/rootcert/
it does nothing for me.
 
ZAP stores the root cert in the config.xml file.

/opt/ZAP_2.3.1> cat xml/config.xml | grep -i cer
<certificate>
<clientCertLocation></clientCertLocation>
</certificate>

We don't currently have a way to import root certs except from another ZAP config file - there's a related enhancement request: https://code.google.com/p/zaproxy/issues/detail?id=190


So you could create a root cert on one machine, import it into your browser(s) and then reuse it on other ZAP instances on other machines.


"reuse" as in put it somewhere in $ZAP_HOME and add its location to config.xml?
 
Does that help?

Yes, a bit! 
 

Cheers,

Simon

Cheers,
Dawid

Simon Bennetts

Jan 21, 2015, 1:16:27 PM1/21/15
to zaprox...@googlegroups.com
Ugh, turns out that the root cert does NOT get generated in daemon mode - that's a bug and I'll fix that asap.

You can specify the directory ZAP should use via the -dir command line parameter, so you could copy the config file from another machine to mydir (local directory) and then run ZAP using:
./zap.sh -dir mydir
(or zap.bat on Windows)
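The "reuse the config file from another machine" route above, and the earlier point that ZAP keeps the root cert in config.xml, as an added example (not ZAP's own tooling): it reads the root CA out of one config.xml, reports when it is missing (the daemon-mode symptom in this thread), and merges it into a second config without clobbering that file's other settings. It assumes the root CA sits as a base64 string at the element path dynssl/param/rootca; the sample configs are constructed.

```python
"""Copy a ZAP root CA from one config.xml into another (added example)."""
import base64
import xml.etree.ElementTree as ET
from typing import Optional

# Assumed element path of the root CA inside config.xml (not stated in the thread).
ROOTCA_PATH = ("dynssl", "param", "rootca")

# Constructed sample blob standing in for ZAP's opaque base64 keystore value.
SAMPLE_BLOB = base64.b64encode(b"constructed-opaque-keystore").decode()

# Constructed sample: config.xml from a machine where ZAP already generated its CA.
SRC_XML = (
    "<config><dynssl><param><rootca>" + SAMPLE_BLOB + "</rootca></param></dynssl></config>"
)

# Constructed sample: a daemon-mode config with no root CA, as Dawid's grep showed.
DST_XML = """<config>
  <api><key>constructed-api-key</key></api>
  <certificate><clientCertLocation></clientCertLocation></certificate>
</config>"""


def get_root_ca(config_xml: str) -> Optional[str]:
    """Return the base64 root CA value, or None when the config has none."""
    root = ET.fromstring(config_xml)
    node = root.find("/".join(ROOTCA_PATH))
    if node is None or not (node.text or "").strip():
        return None
    blob = node.text.strip()
    base64.b64decode(blob, validate=True)  # raise early on a corrupted value
    return blob


def copy_root_ca(src_xml: str, dst_xml: str) -> str:
    """Return dst_xml with the root CA from src_xml inserted (other settings kept)."""
    blob = get_root_ca(src_xml)
    if blob is None:
        raise ValueError("source config has no root CA; run ZAP once with the GUI first")
    dst = ET.fromstring(dst_xml)
    node = dst
    for tag in ROOTCA_PATH:  # create the dynssl/param/rootca chain if absent
        child = node.find(tag)
        if child is None:
            child = ET.SubElement(node, tag)
        node = child
    node.text = blob
    return ET.tostring(dst, encoding="unicode")
```

Write the returned XML to mydir/config.xml and start ZAP with -dir mydir; the browser that already trusts the first machine's root cert then trusts this instance too.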

Dawid Romaldowski

Jan 22, 2015, 4:18:59 AM1/22/15
to zaprox...@googlegroups.com
Ugh, turns out that the root cert does NOT get generated in daemon mode - that's a bug and I'll fix that asap.

That's cool! Thanks!

You can specify the directory ZAP should use via the -dir command line parameter, so you could copy the config file from another machine to mydir (local directory) and then run ZAP using:
./zap.sh -dir mydir
(or zap.bat on Windows)

Thanks for the tips and clarification! 

Cheers!
Dawid 

William Aldrich

Feb 23, 2015, 4:27:54 PM2/23/15
to zaprox...@googlegroups.com
First let me state, I'm new to ZAProxy, but it looks to be a great tool!
Did this issue ever get fixed?
Could this be why I get an error (Error code: ssl_error_rx_record_too_long) when I try to go to an https site if the proxy I'm using was started from the command line with -daemon?
Thanks,
-Bill

Simon Bennetts

Feb 24, 2015, 4:35:32 AM2/24/15
to zaprox...@googlegroups.com
Yes it did :)
https://code.google.com/p/zaproxy/issues/detail?id=1514
It's fixed in the latest weekly release, so you can try it out right now.

FYI we're getting very close to the next release (2.4.0) so the weekly releases are very stable.
If you have any problems with them then please report them asap.

Cheers,

Simon