ZAP and HTTPS certificates


ne...@halloleo.hailmail.net
Feb 20, 2014, 2:47:15 AM
to zaprox...@googlegroups.com
Hi there

I managed to set up ZAP on my machine as an intermediate proxy locally "hiding" the NTLM authentication the corporate upstream proxy needs.

This works perfectly for HTTP requests. For HTTPS however many client applications (like Dropbox or Evernote) complain that certificates are not valid. How can I make ZAP transparently handle certificate handshakes between the end points?

Many thanks, Leo

Simon Bennetts
Feb 20, 2014, 3:46:45 AM
to zaprox...@googlegroups.com
ZAP automatically generates a root CA certificate that is unique to you.
You need to import this certificate into your browser as a trusted CA certificate.
There is more information in the help included with ZAP, which is also available online: http://code.google.com/p/zaproxy/wiki/HelpUiDialogsOptionsDynsslcert

Note that if you use 'Plug-n-Hack' to configure Firefox then this is all handled for you automatically.

Let us know if you have any problems with this.

Simon

ne...@halloleo.hailmail.net
Feb 20, 2014, 7:17:54 PM
to zaprox...@googlegroups.com
Hi Simon

Great to get your advice! :-)

Two points:

(1) IE config

I have installed the ZAP certificate in the "Trusted Root Certification Authorities" store. See attached screenshot. Additionally, of course, I pointed IE's (= the system's) proxy for HTTP and HTTPS to my local ZAP proxy (127.0.0.1:8080).

On HTTPS requests I now get in IE the warning page "There is a problem with this website's security certificate". Why is that?

(2) ZAP SSL decryption

I read the background info to certificates in ZAP's help and it states that ZAP transparently decrypts SSL connections - I don't need this! My final goal is to use ZAP just to pass all requests to the upstream proxy and do the NTLM authentication on the way.

I need the HTTPS functionality for applications like Dropbox which expect a secure connection. - So, is there a way to tell ZAP not to decrypt but pass all requests with their certificates through?

Many thanks, Leo

Simon Bennetts
Feb 24, 2014, 6:10:50 AM
to zaprox...@googlegroups.com
What happens if you visit a site like https://www.google.com ?
How did you generate your site's certificate?
There are some open bugs with ZAP handling certain types of certs.

Right now we don't have an option to pass through HTTPS traffic transparently - there's an open issue for this: http://code.google.com/p/zaproxy/issues/detail?id=688
I'll try and look at this before 2.3, but I've got a lot to do :/
Anyone else fancy looking at it?

Cheers,

Simon

ne...@halloleo.hailmail.net
Feb 25, 2014, 12:21:58 AM
to zaprox...@googlegroups.com
When I load https://www.google.com in a browser whose proxy settings point to my local ZAP, I get the Google page. However, when I use wget (without the option "check_certificate=off") to retrieve https://www.google.com through my local ZAP, I get the following output:

--2014-02-25 16:07:42--  https://www.google.com/
Connecting to 127.0.0.1:8080... connected.
ERROR: The certificate of `www.google.com' is not trusted.
ERROR: The certificate of `www.google.com' hasn't got a known issuer.


The clients I eventually want to use are Dropbox and Evernote - and I cannot add the ZAP certificate to their certificate store (as I can with a browser), so I need to rely on the proxy to pass through the original certificates.

So it's great news that at some stage this might be possible! :-)))

Thanks, Leo
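The wget errors above and Simon's advice about ZAP's generated root CA describe the same thing from two sides: the leaf certificate the client receives has been re-signed by ZAP's CA, which the client's trust store does not know. The following Python script is an added example, not code from this thread or from the ZAP project. It tunnels a TLS handshake through the local proxy twice, first against the system trust store and then against a CA file, and reports who actually signed the certificate the client got. It assumes ZAP listens on 127.0.0.1:8080, that the root CA was saved from ZAP's Dynamic SSL Certificates options as owasp_zap_root_ca.cer, and that this CA's subject CN is "OWASP Zed Attack Proxy Root CA"; the sample certificate dict used for the offline self-check is constructed, not captured.

```python
"""Added example (not ZAP project code): see which certificate a client gets
through an intercepting proxy such as ZAP, and whether trusting the proxy's
exported root CA makes the handshake verify.

Assumptions: ZAP listens on 127.0.0.1:8080, its root CA was saved from
Tools > Options > Dynamic SSL Certificates as owasp_zap_root_ca.cer, and that
CA's subject CN is "OWASP Zed Attack Proxy Root CA".
"""
import http.client
import ssl
import sys

PROXY = ("127.0.0.1", 8080)                    # assumed ZAP listener
ZAP_CA_FILE = "owasp_zap_root_ca.cer"          # assumed export location
ZAP_CA_CN = "OWASP Zed Attack Proxy Root CA"   # assumed CN of ZAP's CA

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# it is what a ZAP-intercepted www.google.com leaf would look like.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.google.com"),),),
    "issuer": ((("organizationName", "OWASP Root CA"),),
               (("commonName", ZAP_CA_CN),)),
}


def try_handshake(host, context, port=443, proxy=PROXY):
    """CONNECT through the proxy and complete a TLS handshake with `context`.

    Returns (verified, cert, error): cert is the getpeercert() dict when
    verification succeeded, error is OpenSSL's verify message when it failed.
    """
    conn = http.client.HTTPSConnection(proxy[0], proxy[1], timeout=10,
                                       context=context)
    conn.set_tunnel(host, port)        # http.client sends the CONNECT for us
    try:
        conn.connect()
        return True, conn.sock.getpeercert(), None
    except ssl.SSLCertVerificationError as exc:
        return False, None, exc.verify_message
    finally:
        conn.close()


def issuer_cn(cert):
    """Pull the issuer's commonName out of a getpeercert() dict."""
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def diagnose(system_ok, zap_ok, cert, system_error=None):
    """Turn the two handshake results into a one-line verdict."""
    cn = issuer_cn(cert) if cert else None
    if system_ok:
        return "not intercepted: chain verifies against the system store (issuer %r)" % cn
    if zap_ok:
        who = "ZAP's root CA" if cn == ZAP_CA_CN else "an unexpected CA %r" % cn
        return ("intercepted: the leaf was re-signed by %s; clients that cannot "
                "be pointed at that CA file will fail exactly like wget did" % who)
    return "handshake fails against both stores: %s" % system_error


def check_host(host):
    """Run both handshakes against `host` and return the verdict string."""
    system_ok, cert, err = try_handshake(host, ssl.create_default_context())
    zap_ok, zap_cert = False, None
    if not system_ok:
        try:
            # With cafile set, create_default_context loads ONLY that CA,
            # so success here proves the leaf chains to the exported ZAP CA.
            zap_ctx = ssl.create_default_context(cafile=ZAP_CA_FILE)
        except OSError as exc:
            return "cannot read %s: %s" % (ZAP_CA_FILE, exc)
        zap_ok, zap_cert, _ = try_handshake(host, zap_ctx)
    return diagnose(system_ok, zap_ok, cert or zap_cert, err)


if __name__ == "__main__":
    print(check_host(sys.argv[1] if len(sys.argv) > 1 else "www.google.com"))
```

Run it as `python3 zapcert.py www.google.com` with ZAP running; the "intercepted" verdict is the situation in this thread, and the cure for clients with a configurable trust store is to hand them the same file, e.g. `wget --ca-certificate=owasp_zap_root_ca.cer https://www.google.com`. Clients with a fixed, built-in trust store cannot be fixed this way, which is why a pass-through mode is the only option for them.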

Simon Bennetts
Feb 26, 2014, 9:32:16 AM
to zaprox...@googlegroups.com
A few other people have had problems with this as well.
I don't think I'm going to have time to look at this anytime soon so I've put out a request on the ZAP dev group to see if anyone else will step up: https://groups.google.com/d/msg/zaproxy-develop/jvJyGc_E5lc/77Tub1rTXUEJ

Cheers,

Simon

kingt...@gmail.com
Feb 26, 2014, 10:55:04 AM
to zaprox...@googlegroups.com
If you're not using ZAP for any inspection (i.e.: you just want to pass encrypted traffic) then why use ZAP just for the NTLM auth?

You might be able to accomplish what you need with Fiddler:
http://blogs.msdn.com/b/fiddler/archive/2011/09/04/fiddler-http-401-authentication-workaround-to-support-channel-binding-tokens-removing-endless-prompts.aspx
http://blog.opensecurityresearch.com/2012/03/fiddler-and-ntlm-authentication.html

Or DANTE (SOCKS server http://www.inet.no/dante/), maybe Squid (http://www.squid-cache.org/).

ne...@halloleo.hailmail.net
Feb 26, 2014, 8:06:10 PM
to zaprox...@googlegroups.com
Thanks for the suggestion, but for firewall reasons I can only use proxies running in a JVM.