View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0003019||Kali Linux||[All Projects] Kali Package Bug||public||2016-01-25 17:43||2016-01-26 15:58|
|Target Version||Fixed in Version||2016.1|
|Summary||0003019: Unable to proxy https traffic through OWASP ZAP 2.4.3|
|Description||On start up ZAP reports an error and fails to create a dynamic SSL certificate.|
This means that it's not possible to proxy https traffic through ZAP :(
It looks like it's the same as this issue, which was fixed in the ZAP build route some time ago (well before 2.4.3): https://github.com/zaproxy/zaproxy/issues/948
We're doing some more digging to find out exactly what's causing the problem, but we don't see it in ZAP 2.4.3 _except_ when using the kali version.
|Steps To Reproduce||Start ZAP.|
Try to proxy https traffic through ZAP, it will fail.
Look in the zap.log file - there will probably be an exception like the one reported in https://github.com/zaproxy/zaproxy/issues/948
The ZAP Dynamic SSL Certificates option page will not be present in the ZAP GUI.
The issue is caused by the changes done to the libraries (in "lib" dir), more specifically to the signed libraries "bcpkix-jdk15on-152.jar" and "bcprov-jdk15on-152.jar".
$ uname -a
Linux kali 4.3.0-kali1-amd64 0000001 SMP Debian 4.3.3-5kali4 (2016-01-13) x86_64 GNU/Linux
$ lsb_release -rd
Description: Kali GNU/Linux Rolling
Looks like another case of https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807669
Pre-compiled jar should be avoided... it would be better if we could build the jar from sources or use properly packaged dependencies. In the meantime we will update the package to disable dh_strip_nondeterminism.
That's the first we've heard about any requirements like that ;)
We maintain our own build route, and have not been consulted at all regarding the way you build ZAP.
That's fine, but we then can't make any sort of guarantees that you won't hit problems like this.
Can you point us at the relevant steps you use to build ZAP?
new version 2.4.3-0kali2 fixes this
psiinon, in fact we currently package the binary jars that you provide and it's one of the automatic Debian tools that screwed the jar you provided.
If you know a bit about Debian packaging, our git repository is here:
In the future, we will see whether we manage to build zaproxy from sources instead. We have not investigated this yet.
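A signed jar records digests of its own contents, so a packaging step that rewrites it after signing can be detected before the package ships. The sketch below is an added example, not code from ZAP or the Kali packaging: the sample jar, its entry names and the line-ending rewrite are constructed assumptions, and it compares digests only (it does not validate the signature block the way `jarsigner -verify` does).

```python
import base64, hashlib, io, zipfile

def _b64digest(header, data):
    # "SHA-256-Digest" -> hashlib "sha256"; "SHA1-Digest" -> "sha1"
    alg = header.split("-Digest")[0].replace("-", "").lower()
    return base64.b64encode(hashlib.new(alg, data).digest()).decode()

def _sections(raw):
    # Unfold continuation lines, then split into blank-line-separated sections.
    text = raw.decode("utf-8").replace("\r\n", "\n").replace("\n ", "")
    blocks = (dict(l.split(": ", 1) for l in b.split("\n") if ": " in l)
              for b in text.split("\n\n"))
    return [b for b in blocks if b]

def check_signed_jar(jar_bytes):
    """Return digest mismatches; an empty list means the digest chain is intact."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        manifest = jar.read("META-INF/MANIFEST.MF")
        # 1. Per-entry manifest sections pin the content of each entry.
        for sec in (s for s in _sections(manifest) if "Name" in s):
            for key, want in sec.items():
                if key.endswith("-Digest") and sec["Name"] not in names:
                    problems.append(f"missing entry: {sec['Name']}")
                elif key.endswith("-Digest") and _b64digest(key, jar.read(sec["Name"])) != want:
                    problems.append(f"entry changed: {sec['Name']}")
        # 2. Each signature file (.SF) pins the exact bytes of the manifest.
        for sf in sorted(n for n in names if n.startswith("META-INF/") and n.endswith(".SF")):
            for key, want in _sections(jar.read(sf))[0].items():
                if key.endswith("-Digest-Manifest") and _b64digest(key, manifest) != want:
                    problems.append(f"manifest changed since signing: {sf}")
    return problems

def build_sample_jar(rewrite_manifest=False):
    # Constructed sample: one entry, a manifest and an .SF file (no signature block).
    body = b"\xca\xfe\xba\xbe constructed class bytes"
    manifest = ("Manifest-Version: 1.0\r\n\r\nName: org/example/Demo.class\r\n"
                f"SHA-256-Digest: {_b64digest('SHA-256-Digest', body)}\r\n\r\n").encode()
    sf = ("Signature-Version: 1.0\r\n"
          f"SHA-256-Digest-Manifest: {_b64digest('SHA-256-Digest', manifest)}\r\n\r\n").encode()
    if rewrite_manifest:  # assumed post-signing rewrite: line endings normalised
        manifest = manifest.replace(b"\r\n", b"\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in (("org/example/Demo.class", body),
                           ("META-INF/MANIFEST.MF", manifest), ("META-INF/DEMO.SF", sf)):
            jar.writestr(name, data)
    return buf.getvalue()
```

Running `check_signed_jar` on the jar both before and after the packaging tools have processed it shows whether a build step touched signed content.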
|2016-01-25 17:43||psiinon||New Issue|
|2016-01-25 19:03||thc202||Note Added: 0004605|
|2016-01-25 19:05||thc202||Note Edited: 0004605||View Revisions|
|2016-01-25 19:32||rhertzog||Assigned To||=> sbrun|
|2016-01-25 19:32||rhertzog||Status||new => assigned|
|2016-01-25 19:39||rhertzog||Note Added: 0004606|
|2016-01-25 20:25||psiinon||Note Added: 0004607|
|2016-01-26 14:02||sbrun||Note Added: 0004611|
|2016-01-26 14:02||sbrun||Status||assigned => resolved|
|2016-01-26 14:02||sbrun||Resolution||open => fixed|
|2016-01-26 14:02||sbrun||Fixed in Version||=> 2016.1|
|2016-01-26 15:58||rhertzog||Note Added: 0004615|