javax.net.ssl.SSLException: Received fatal alert: internal_error - when calling ZAP Web API


Vincent John Ramos

May 30, 2018, 12:12:17 AM
to OWASP ZAP User Group
Hello,

I'm experiencing a problem when using the ZAP APIs on an environment that is SSL enabled. It works fine on a non-SSL environment.

Working URL:
http://localhost:8080/*

Non-working URL:
https://localhost:8080/*


I'm calling the ZAP API using JMETER 2.12 and below is the response:

javax.net.ssl.SSLException: Received fatal alert: internal_error
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2033)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1135)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:162)
    at org.apache.jmeter.protocol.http.sampler.HTTPJavaImpl.sample(HTTPJavaImpl.java:481)
    at org.apache.jmeter.protocol.http.sampler.HTTPSamplerProxy.sample(HTTPSamplerProxy.java:74)
    at org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.sample(HTTPSamplerBase.java:1141)
    at org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.sample(HTTPSamplerBase.java:1130)
    at org.apache.jmeter.threads.JMeterThread.process_sampler(JMeterThread.java:431)
    at org.apache.jmeter.threads.JMeterThread.run(JMeterThread.java:258)
    at java.lang.Thread.run(Thread.java:748)

Some stuff I've tried to fix the problem:
1. Installed Java 8 JCE
2. Enabled use of SSLv2Hello

Thank you


Simon Bennetts

May 30, 2018, 4:14:49 AM
to OWASP ZAP User Group
Can you have a look at the zap.log file and see if there are any errors that look relevant in it?

Cheers,

Simon

Vincent John Ramos

May 30, 2018, 4:27:17 AM
to OWASP ZAP User Group
I only get 1 line of log when I call the API:

2018-05-30 16:25:29,142 [ZAP-ProxyThread-2] WARN  SSLConnector - No domain extracted from SSL/TLS handshake session.

Simon Bennetts

May 30, 2018, 6:56:56 AM
to OWASP ZAP User Group

It sounds like JMeter is not specifying the SNI hostname.

Vincent John Ramos

May 30, 2018, 10:29:38 PM
to OWASP ZAP User Group
I disabled the SNI using JSR223 sampler and JVM but it didn't work.

I forgot to mention that when I call the API itself from the ZAP UI from a web browser, I don't get any response from ZAP, as shown on a Fiddler trace:

REQUEST:
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: localhost:8080
Connection: Keep-Alive


RESPONSE:
HTTP/1.1 504 Fiddler - Receive Failure
Date: Thu, 31 May 2018 02:28:17 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Cache-Control: no-cache, must-revalidate
Timestamp: 10:28:17.937

[Fiddler] ReadResponse() failed: The server did not return a complete response for this request. Server returned 0 bytes.

Vincent John Ramos

May 31, 2018, 8:23:31 PM
to OWASP ZAP User Group
I've tested this on different machines with HTTPS enabled and I had the same problem.

Simon Bennetts

Jun 1, 2018, 4:01:02 AM
to OWASP ZAP User Group
Have you imported the ZAP certificate into your browser?
Are there any other errors in the zap.log file when you try to access the ZAP from the browser?

Cheers,

Simon

Vincent John Ramos

Jun 4, 2018, 4:53:13 AM
to OWASP ZAP User Group
Hello,

I've solved the problem with ZAP from the browser by disabling the API key usage.

The problem now is with JMETER. I think it has to be set up to run on SSL configuration.

Thanks for the help

Simon Bennetts

Jun 5, 2018, 7:30:07 AM
to OWASP ZAP User Group
Thanks for letting us know :)