How to use zap as proxy to debug https traffic for a mobile app


Wang Kevin

Mar 23, 2021, 7:46:15 AM
to OWASP ZAP User Group

Hello,

I need to get the HTTPS traffic from a mobile app, so I used ZAP as the proxy. I installed the CA generated by ZAP on the cellphone. But when I open some HTTPS websites on the cellphone, the CA does not seem to work. If I open non-HTTPS websites, everything is OK. Do you know if there is a guide for such issues?
Thanks a lot!

Simon Bennetts

Mar 23, 2021, 7:57:51 AM
to OWASP ZAP User Group

We actually need to update the FAQ to include this video from ZAPCon: https://youtu.be/KWofjrHNNqs

Cheers,

Simon

Wang Kevin

Mar 24, 2021, 10:05:04 PM
to OWASP ZAP User Group
Hi Simon,

Thanks so much for your help. I followed the video completely to make the setup on zap and mobile device. Also, I checked the link https://www.zaproxy.org/faq/how-to-connect-to-an-https-site-that-reports-a-handshake-failure/. But I still get the error:
SSLHandshakeException: Received fatal alert: handshake_failure
I copied the log of launching my ZAP below. Do you have any suggestions for me to resolve the issue? Thanks a lot!


Found Java version 15.0.1
Available memory: 15802 MB
Using JVM args: -Xmx3950m
Ignoring legacy log4j.properties file, backup already exists.
2813 [main] INFO  org.zaproxy.zap.GuiBootstrap - OWASP ZAP 2.10.0 started 25/03/2021, 09:52:35 with home /home/wy/.ZAP/
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.zaproxy.zap.GuiBootstrap (file:/home/xxx/.ZAP/plugin/ZAP_2.10.0/zap-2.10.0.jar) to field sun.awt.X11.XToolkit.awtAppClassName
WARNING: Please consider reporting this to the maintainers of org.zaproxy.zap.GuiBootstrap
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
3814 [AWT-EventQueue-0] INFO  org.parosproxy.paros.network.SSLConnector - Reading supported SSL/TLS protocols...
3814 [AWT-EventQueue-0] INFO  org.parosproxy.paros.network.SSLConnector - Using a SSLEngine...
4154 [AWT-EventQueue-0] INFO  org.parosproxy.paros.network.SSLConnector - Done reading supported SSL/TLS protocols: [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3]
4160 [AWT-EventQueue-0] INFO  org.parosproxy.paros.extension.option.OptionsParamCertificate - Unsafe SSL renegotiation enabled.
4692 [AWT-EventQueue-0] INFO  hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache open start
4737 [AWT-EventQueue-0] INFO  hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache commit start
4776 [AWT-EventQueue-0] INFO  hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache commit end
4777 [AWT-EventQueue-0] INFO  hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache open end
5668 [AWT-EventQueue-0] INFO  org.parosproxy.paros.view.View - Initialising View
7746 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.control.ExtensionFactory - Loading extensions
8697 [ZAP-BootstrapGUI] WARN  org.zaproxy.zap.extension.script.ExtensionScript - No default JavaScript/ECMAScript engine found, some scripts might no longer work.
9034 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.control.ExtensionFactory - Installed add-ons: [[id=alertFilters, version=10.0.0], [id=ascanrules, version=38.0.0], [id=bruteforce, version=10.0.0], [id=commonlib, version=1.2.0], [id=diff, version=10.0.0], [id=directorylistv1, version=4.0.0], [id=domxss, version=10.0.0], [id=encoder, version=0.4.0], [id=formhandler, version=3.0.0], [id=fuzz, version=13.1.0], [id=gettingStarted, version=12.0.0], [id=graaljs, version=0.1.0], [id=graphql, version=0.2.0], [id=help, version=11.0.0], [id=hud, version=0.12.0], [id=importurls, version=7.0.0], [id=invoke, version=10.0.0], [id=onlineMenu, version=8.0.0], [id=openapi, version=17.0.0], [id=pscanrules, version=31.0.0], [id=quickstart, version=29.0.0], [id=replacer, version=8.0.0], [id=retire, version=0.6.0], [id=reveal, version=3.0.0], [id=saverawmessage, version=5.0.0], [id=savexmlmessage, version=0.1.0], [id=scripts, version=27.0.0], [id=selenium, version=15.3.0], [id=soap, version=4.0.0], [id=spiderAjax, version=23.2.0], [id=tips, version=7.0.0], [id=webdriverlinux, version=23.0.0], [id=websocket, version=22.0.0], [id=zest, version=33.0.0]]
9188 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.control.ExtensionFactory - Extensions loaded
9714 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows ZAP to check for updates
9785 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Options Extension
10331 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Edit Menu Extension
10339 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides a rest based API for controlling and accessing ZAP
10360 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Session State Extension
10364 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Report Extension
10369 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing History Extension
10524 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Show hidden fields and enable disabled fields
10533 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Search messages for strings and regular expressions
10599 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to intercept and modify requests and responses
10672 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive scanner
10722 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Script Passive Scan Rules
10723 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Stats Passive Scan Rule
10727 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Application Error Disclosure
10732 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Incomplete or No Cache-control and Pragma HTTP Header Set
10736 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Charset Mismatch
10739 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: CSP
10743 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Content-Type Header Missing
10746 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie No HttpOnly Flag
10750 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Loosely Scoped Cookie
10753 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Without SameSite Attribute
10757 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Without Secure Flag
10762 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cross-Domain Misconfiguration
10767 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cross-Domain JavaScript Source File Inclusion
10770 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Absence of Anti-CSRF Tokens
10774 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Private IP Disclosure
10778 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Session ID in URL Rewrite
10782 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Debug Error Messages
10787 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in URL
10791 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in HTTP Referrer Header
10799 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Suspicious Comments
10810 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Weak Authentication Method
10813 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Insecure JSF ViewState
10816 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Secure Pages Include Mixed Content
10818 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Timestamp Disclosure
10821 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Username Hash Found
10824 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Viewstate
10831 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-AspNet-Version Response Header
10835 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Content-Type-Options Header Missing
10840 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Debug-Token Information Leak
10844 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Frame-Options Header
10848 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)
10853 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Vulnerable JS Library
10856 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: WSDL File Detection
10907 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to view and manage alerts
11099 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Active scanner, heavily based on the original Paros active scanner, but with additional tests added
11204 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Spider used for automatically finding URIs on a site
11298 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing A set of common popup menus for miscellaneous tasks
11309 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Forced browsing of files and directories using code from the OWASP DirBuster tool
11351 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Manual Request Editor Extension
11355 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Compares 2 sessions and generates an HTML file showing the differences
11359 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Invoke external applications passing context related information such as URLs and parameters
11378 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Handles anti cross site request forgery (CSRF) tokens
11396 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Authentication Extension
11414 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.extension.authentication.ExtensionAuthentication - Loaded authentication method types: [Form-based Authentication, HTTP/NTLM Authentication, Manual Authentication, Script-based Authentication, JSON-based Authentication]
11430 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Creates a dynamic SSL certificate to allow SSL communications to be intercepted without warnings being generated by the browser
11473 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Logs errors to the Output tab in development mode only
11476 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Users Extension
11479 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Summarise and analyse FORM and URL parameters as well as cookies
11492 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Script integration
11510 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Scripting console, supports all JSR 223 scripting languages
11666 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Forced User Extension
11676 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Extension handling HTTP sessions
11711 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Zest is a specialized scripting language, originally, from Mozilla specifically designed to be used in security tools
11898 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionDiff
11901 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Post Table View Extension
11908 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds support for scriptable encoders to ZAP.
11974 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Session Management Extension
11981 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.extension.sessions.ExtensionSessionManagement - Loaded session management method types: [Cookie-based Session Management, HTTP Authentication Session Management, Script-based Session Management]
11983 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Form Table View Extension
12011 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Capture messages from WebSockets with the ability to set breakpoints.
12233 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to import a file containing URLs which ZAP will access, adding them to the Sites tree
12238 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to import a WSDL file containing operations which ZAP will access, adding them to the Sites tree.
12243 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Core UI related functionality.
12245 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Authorization Extension
12247 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing AJAX Spider, uses Crawljax
12354 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides WebDrivers to control several browsers using Selenium and includes HtmlUnit browser.
12376 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Manages the local proxy configurations
12400 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Handles adding Global Excluded URLs
12412 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds menu item to refresh the Sites tree
12415 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing OWASP ZAP User Guide
12554 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides a URL suitable for calling from target sites
12585 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to configure which extensions are loaded when ZAP starts
12648 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Combined HTTP Panels Extension
12685 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Hex View Extension
12717 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Image View Extension
12723 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Large Request View Extension
12732 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Large Response View Extension
12744 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Query Table View Extension
12768 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Syntax Highlighter View Extension
12854 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds support for configurable keyboard shortcuts for all of the ZAP menus.
12864 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Active and passive rule configuration
12872 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Statistics
12878 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.extension.stats.ExtensionStats - Start recording in memory stats
12880 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Custom Pages Definition
12882 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive Scan Rules
12884 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds the Quick Start panel for scanning and exploring applications
13007 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Add the option to use the Ajax Spider in the Quick Start scan
13015 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Launch browsers proxying through ZAP
13017 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Launch browsers proxying through ZAP
13068 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to spider and import OpenAPI (Swagger) definitions
13076 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSaveXMLHttpMessage
13081 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing DOM XSS Active Scan Rule
13117 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Active Scan Rules
13119 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to inspect and attack GraphQL endpoints.
13136 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing This extension allows a user to change the default values used by ZAP Spiders.
13153 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Context alert rules filter
13162 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing The Online menu links
13166 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Tips and Tricks
13167 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Heads Up Display
13206 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionHUDlaunch
13207 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides the foundation for concrete message types (for example, HTTP, WebSockets) expose fuzzer implementations.
13218 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows to fuzz HTTP messages.
13269 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides the GraalVM JavaScript engine for ZAP scripting.
13417 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Easy way to replace strings in requests and responses
13426 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows to fuzz WebSocket messages.
13427 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSaveRawHttpMessage
13431 [ZAP-BootstrapGUI] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing The ZAP Getting Started Guide
13436 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.extension.callback.ExtensionCallback - Started callback server on 0.0.0.0:40449
13437 [ZAP-BootstrapGUI] INFO  org.zaproxy.zap.extension.keyboard.ExtensionKeyboard - Initializing keyboard shortcuts
15604 [AWT-EventQueue-0] INFO  org.parosproxy.paros.control.Control - New Session
15610 [AWT-EventQueue-0] INFO  org.parosproxy.paros.control.Control - Create and Open Untitled Db
15682 [AWT-EventQueue-0] INFO  hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache commit start
15724 [AWT-EventQueue-0] INFO  hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache commit end
15800 [AWT-EventQueue-0] INFO  hsqldb.db.HSQLDB379AF3DEBD.ENGINE - Database closed
16017 [AWT-EventQueue-0] INFO  hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache open start
16042 [AWT-EventQueue-0] INFO  hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache commit start
16093 [AWT-EventQueue-0] INFO  hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache commit end
16093 [AWT-EventQueue-0] INFO  hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache open end
22290 [ZAP-ProxyThread-1] WARN  org.parosproxy.paros.core.proxy.ProxyThread - An exception occurred while attempting to connect to: https://xxx.xxx.com:8773/xxx
The exception was:
Received fatal alert: handshake_failure
Root cause:
SSLHandshakeException: Received fatal alert: handshake_failure
The following document may be of assistance in resolving this failure:
https://www.zaproxy.org/faq/how-to-connect-to-an-https-site-that-reports-a-handshake-failure/

Simon Bennetts

Mar 25, 2021, 5:26:19 AM
to OWASP ZAP User Group
No, I'm afraid I don't use ZAP for testing mobile apps and have not hit this problem.
Anyone else able to help?

Screaming Eagle

Mar 26, 2021, 8:17:35 AM
to OWASP ZAP User Group
What Java version are you using?

I ran into a similar problem when the target app I am scanning only supports TLS 1.0 and 1.1. The latest Java updates took away support for TLS 1.0 and 1.1, and ZAP requires Java to run.
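
Added example, not part of the original thread or of ZAP: a small Java program to run with the same JVM that launches ZAP. It prints which TLS versions that JVM enables by default next to the ones it only lists as supported (the startup log line above names the "supported" list) and, given a host and port, tries a handshake with each version in turn. The class name `TlsProtocolCheck` and the host/port arguments are assumptions of this example.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Illustrative diagnostic (hypothetical class name), not ZAP code.
// Run: java TlsProtocolCheck.java <host> <port>
public class TlsProtocolCheck {
    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        // Protocols and algorithms the JDK refuses to negotiate, whatever the caller asks for.
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));

        SSLContext ctx = SSLContext.getDefault();
        Set<String> supported = new LinkedHashSet<>(
                Arrays.asList(ctx.getSupportedSSLParameters().getProtocols()));
        Set<String> enabled = new LinkedHashSet<>(
                Arrays.asList(ctx.getDefaultSSLParameters().getProtocols()));

        // "Supported" means the provider implements it; "enabled" means it is offered by default.
        for (String proto : supported) {
            System.out.println(proto + ": " + (enabled.contains(proto)
                    ? "enabled by default" : "supported but NOT enabled by default"));
        }

        if (args.length < 2) {
            return; // no target given: report the JVM configuration only
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        SSLSocketFactory factory = ctx.getSocketFactory();

        for (String proto : supported) {
            if (proto.equals("SSLv2Hello")) {
                continue; // hello format only, cannot be negotiated on its own
            }
            try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
                socket.setSoTimeout(5000);
                socket.setEnabledProtocols(new String[] {proto});
                socket.startHandshake();
                System.out.println(proto + " -> OK, cipher suite "
                        + socket.getSession().getCipherSuite());
            } catch (Exception e) {
                // A handshake_failure alert here reproduces the error from the ZAP log;
                // a certificate path (PKIX) error means the protocol itself negotiated
                // but the server certificate is not trusted by this JVM's trust store.
                System.out.println(proto + " -> FAILED: "
                        + e.getClass().getSimpleName() + ": " + e.getMessage());
            }
        }
    }
}
```

If every version fails with `handshake_failure` even though the server is known to speak one of them, the mismatch lies elsewhere in the handshake (for example cipher suites or a required client certificate) rather than in the protocol version.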

Wang Kevin

Mar 31, 2021, 11:06:16 AM
to OWASP ZAP User Group
Hi, TLS 1.2 is used by the app. And my Java is:

java version "15.0.1" 2020-10-20
Java(TM) SE Runtime Environment (build 15.0.1+9-18)
Java HotSpot(TM) 64-Bit Server VM (build 15.0.1+9-18, mixed mode, sharing)
