View Issue Details

ID: 0003019
Project: Kali Linux
Category: Kali Package Bug
View Status: public
Last Update: 2016-01-26 15:58
Reporter: psiinon
Assigned To: sbrun
Priority: normal
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 2.0
Fixed in Version: 2016.1
Summary: 0003019: Unable to proxy https traffic through OWASP ZAP 2.4.3
Description

On start up ZAP reports an error and fails to create a dynamic SSL certificate.
This means that it's not possible to proxy https traffic through ZAP :(
It looks like it's the same as this issue, which was fixed in the ZAP build route some time ago (well before 2.4.3): https://github.com/zaproxy/zaproxy/issues/948
We're doing some more digging to find out exactly what's causing the problem, but we don't see it in ZAP 2.4.3 except when using the Kali version.

Steps To Reproduce

Start ZAP.
Try to proxy https traffic through ZAP, it will fail.
Look in the zap.log file - there will probably be an exception like the one reported in https://github.com/zaproxy/zaproxy/issues/948
The ZAP Dynamic SSL Certificates option page will not be present in the ZAP GUI.

Activities

thc202

2016-01-25 19:03

reporter   ~0004605

Last edited: 2016-01-25 19:05

The issue is caused by the changes done to the libraries (in "lib" dir), more specifically to the signed libraries "bcpkix-jdk15on-152.jar" and "bcprov-jdk15on-152.jar".

Package:
zaproxy_2.4.3-0kali1_all.deb

$ uname -a
Linux kali 4.3.0-kali1-amd64 #1 SMP Debian 4.3.3-5kali4 (2016-01-13) x86_64 GNU/Linux

$ lsb_release -rd
Description: Kali GNU/Linux Rolling
Release: Kali-rolling

rhertzog

2016-01-25 19:39

administrator   ~0004606

Looks like another case of https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807669

Pre-compiled jars should be avoided... it would be better if we could build the jar from sources or use properly packaged dependencies. In the meantime we will update the package to disable dh_strip_nondeterminism.
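
Added example (not part of the original thread, and not Kali's or ZAP's code): a check a packager could run over the jars in a built package to see whether signed libraries, such as the two named above, still match the digests recorded when they were signed. It checks digest consistency only and does not validate the signature block; `sample_jar` and its contents are constructed test data, and the manifest rewrite it simulates is a hypothetical modification, not a statement of what dh_strip_nondeterminism changed.

```python
import base64, hashlib, io, re, zipfile

ALGS = {"SHA-256-Digest": "sha256", "SHA1-Digest": "sha1"}  # manifest attribute -> hashlib name

def b64digest(alg, data):
    return base64.b64encode(hashlib.new(alg, data).digest()).decode()

def sections(raw):
    """Parse manifest-style bytes into a list of {header: value} sections."""
    text = raw.decode().replace("\r\n", "\n").replace("\n ", "")  # unfold continuation lines
    return [dict(l.split(": ", 1) for l in blk.split("\n") if ": " in l)
            for blk in re.split(r"\n{2,}", text.strip())]

def check_signed_jar(jar):
    """Return mismatches between a jar (path or file object) and its signing-time digests."""
    problems = []
    with zipfile.ZipFile(jar) as z:
        names = set(z.namelist())
        manifest = z.read("META-INF/MANIFEST.MF")
        for sf in sorted(n for n in names if re.fullmatch(r"META-INF/[^/]+\.SF", n)):
            main = sections(z.read(sf))[0]
            for attr, alg in ALGS.items():  # .SF records a digest over the whole manifest
                want = main.get(attr + "-Manifest")
                if want and want != b64digest(alg, manifest):
                    problems.append(f"{sf}: manifest changed after signing")
        for sec in sections(manifest)[1:]:  # manifest records a digest per signed entry
            name = sec.get("Name")
            for attr, alg in ALGS.items():
                if name and attr in sec and (
                        name not in names or sec[attr] != b64digest(alg, z.read(name))):
                    problems.append(f"{name}: missing or changed after signing")
    return problems

def sample_jar(rewrite_manifest=False):
    """Constructed jar carrying digests only (no real signature block), for demonstration."""
    body = b"constructed class bytes"
    mf = ("Manifest-Version: 1.0\r\n\r\nName: a/B.class\r\n"
          f"SHA-256-Digest: {b64digest('sha256', body)}\r\n\r\n").encode()
    sf = ("Signature-Version: 1.0\r\n"
          f"SHA-256-Digest-Manifest: {b64digest('sha256', mf)}\r\n\r\n").encode()
    if rewrite_manifest:  # hypothetical post-signing tool that rewrites line endings
        mf = mf.replace(b"\r\n", b"\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", mf)
        z.writestr("META-INF/SAMPLE.SF", sf)
        z.writestr("a/B.class", body)
    return io.BytesIO(buf.getvalue())
```

`check_signed_jar` also accepts a file path, so it can be pointed at each jar in the unpacked package's "lib" directory; `jarsigner -verify` from the JDK remains the authoritative check because it validates the signature itself.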

psiinon

2016-01-25 20:25

reporter   ~0004607

That's the first we've heard about any requirements like that ;)
We maintain our own build route, and have not been consulted at all regarding the way you build ZAP.
That's fine, but we then can't make any sort of guarantees that you won't hit problems like this.
Can you point us at the relevant steps you use to build ZAP?

sbrun

2016-01-26 14:02

manager   ~0004611

new version 2.4.3-0kali2 fixes this

rhertzog

2016-01-26 15:58

administrator   ~0004615

psiinon, in fact we currently package the binary jars that you provide and it's one of the automatic Debian tools that screwed the jar you provided.

If you know a bit about Debian packaging, our git repository is here:
http://git.kali.org/gitweb/?p=packages/zaproxy.git

In the future, we will see whether we manage to build zaproxy from sources instead. We have not investigated this yet.

Issue History

Date Modified Username Field Change
2016-01-25 17:43 psiinon New Issue
2016-01-25 19:03 thc202 Note Added: 0004605
2016-01-25 19:05 thc202 Note Edited: 0004605
2016-01-25 19:32 rhertzog Assigned To => sbrun
2016-01-25 19:32 rhertzog Status new => assigned
2016-01-25 19:39 rhertzog Note Added: 0004606
2016-01-25 20:25 psiinon Note Added: 0004607
2016-01-26 14:02 sbrun Note Added: 0004611
2016-01-26 14:02 sbrun Status assigned => resolved
2016-01-26 14:02 sbrun Resolution open => fixed
2016-01-26 14:02 sbrun Fixed in Version => 2016.1
2016-01-26 15:58 rhertzog Note Added: 0004615