Properly generate cert for ZAP API and Callback when accessed with IP address

[denniskniep]

When I use https within the API or Callback Url I get an error:

Firefox: Secure Connection Failed (SSL_ERROR_INTERNAL_ERROR_ALERT)
Chrome: This site can’t provide a secure connection (ERR_SSL_PROTOCOL_ERROR)

[thc202]

With 2.6.0 (or dev/weekly)? While proxying or accessing directly? Java version?

[denniskniep]

Currently working with a dev build. I am accessing the Url without proxying. (If I am proxying there is no problem with the API). I think Callback is never through proxy right?
My Java Version is 1.8

[thc202]

Which revision/commit did you use to build? If it's working while proxying it might be a problem with SNI. (Yeah, for the callback it does not need to proxy just wanted to know if it was working for the API.)

No errors in the log when that happens?

[denniskniep]

I tried it with the latest commit 8017bc4

The Log output was:
[ZAP-ProxyThread-34] WARN SSLConnector - No domain extracted from SSL/TLS handshake session.

[thc202]

Yeah, that's a problem with SNI. Which version of Firefox are you using? And what's the "update" Java version?

[denniskniep]

Firefox 56
Java 1.8.0_131

[denniskniep]

The ExtendedSSLSession contains no SNIServerName
I accessed the API and the CallbackEndpoint with an Ip-Address, not with an DNS hostname.

The "Server Name Indication" is defined in the RFC6066.

According to the RFC there are no Ip-Addresses allowed:

Currently, the only server names supported are DNS hostnames;
Literal IPv4 and IPv6 addresses are not permitted in "HostName".

Maybe a workaround is to issue the certificate with all in Zap used Ip-Addresses and HostNames into the SubjectAlternativeName.

[thc202]

Right, I assumed you were using the hostname not the IP address.

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.