PKCS11


Brett Novak

Jul 15, 2015, 7:15:26 PM
to zaprox...@googlegroups.com
Hello,

I've been attempting to use Zap with a smart card and am having issues with the PKCS11 module.  Zap is able to read and process my certificate, and I'm able to set it active in the keystore.  However, when attempting to access any site that enforces smart card authentication, I receive the following error:

ZAP Error [javax.net.ssl.SSLHandshakeException]: Error signing certificate verify


I am unfamiliar with this error or what the cause might be, and there are no additional details in the console output, so any help in resolving the issue is much appreciated.  I'm running this on a Windows x86 box with ActivClient and Java 7.  


Brett

kingthorin+owaspzap

Jul 16, 2015, 9:04:14 AM
to zaprox...@googlegroups.com
Are you able to make the connection when only using your Browser (on the same workstation)?

kingthorin+owaspzap

Jul 16, 2015, 9:50:45 AM
to zaprox...@googlegroups.com
You might want to check out:
https://github.com/zaproxy/zaproxy/wiki/FAQsslHandshake

In the past I've also had to implement the GPO change outlined here on some systems in order to get systems without external connectivity behaving properly:
https://support.microsoft.com/en-us/kb/2677070?wa=wsignin1.0



Brett Novak

Jul 16, 2015, 10:58:28 AM
to zaprox...@googlegroups.com
Thanks for the feedback.  No luck though with the suggested recommendations.  The error is still the same with it being, "ZAP Error [javax.net.ssl.SSLHandshakeException]: Error signing certificate verify".  I am able to successfully access the requested sites without the Zap proxy and only have issues when the proxy is in use.

thc...@gmail.com

Jul 16, 2015, 11:19:32 AM
to zaprox...@googlegroups.com
Hi.

Which ZAP version are you using?

Would you mind checking the log file to see if there's any error? (file
zap.log located in ZAP's default directory or the directory manually
specified [1]).


[1] https://github.com/zaproxy/zaproxy/wiki/FAQconfig

Best regards.


Brett Novak

Jul 17, 2015, 3:47:51 PM
to zaprox...@googlegroups.com
All,

I was able to get PKCS11 to work with different smart card middleware.  For some reason, the new ActivClient module has been failing with no indication of why (no stack trace errors in the log or elsewhere), but the p11-capi binaries were successful. 

Thanks for the responses and follow-ups.
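
A stand-alone way to check whether a given PKCS#11 module can perform the private-key signature outside ZAP, added here as an example (not code from this thread or from ZAP). It assumes Java 7 or 8 with the SunPKCS11 provider and a SunPKCS11 config file whose `library` line points at the middleware under test; the class name and the algorithm list are illustrative.

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Signature;
import java.util.Arrays;
import java.util.Collections;

// Added diagnostic, not ZAP code. Targets Java 7/8, where the
// sun.security.pkcs11.SunPKCS11(String configFile) constructor is available.
public class Pkcs11SignCheck {

    // Algorithms to try (illustrative list); non-RSA keys will report failures here.
    static final String[] ALGS = {"NONEwithRSA", "SHA1withRSA", "SHA256withRSA"};

    // Returns true if the token produced a signature with this key and algorithm.
    static boolean canSign(Provider p, PrivateKey key, String alg) {
        try {
            Signature s = Signature.getInstance(alg, p);
            s.initSign(key);
            s.update(new byte[36]); // constructed dummy input, small enough for raw RSA
            return s.sign().length > 0;
        } catch (Exception e) {
            // Print the underlying cause that a bare handshake error does not show.
            System.out.println("    " + alg + " failed: " + e);
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1 || System.console() == null) {
            System.err.println("usage (from a terminal): java Pkcs11SignCheck <sunpkcs11.cfg>");
            return;
        }
        // args[0]: config file with "name = ..." and "library = <middleware library>" lines
        Provider p = new sun.security.pkcs11.SunPKCS11(args[0]);
        char[] pin = System.console().readPassword("Token PIN: ");
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);          // logs in to the token
        Arrays.fill(pin, '\0');      // do not keep the PIN in memory longer than needed
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            System.out.println("key entry: " + alias);
            PrivateKey key = (PrivateKey) ks.getKey(alias, null);
            for (String alg : ALGS) {
                if (canSign(p, key, alg)) System.out.println("    " + alg + " ok");
            }
        }
    }
}
```

Run it once per middleware, with a config file pointing at each library, and compare which algorithms succeed.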

thc...@gmail.com

Jul 20, 2015, 2:03:09 AM
to zaprox...@googlegroups.com
Hi.

Great, thanks for letting us know.

In following releases (e.g. weekly) the stack trace will be shown along
with the error in case you still want to provide the stack trace.

Best regards.