Topic
  • 7 replies
  • Latest Post - 2014-06-20T13:22:20Z by warrenm1
rajatshah
4 Posts

Pinned topic AppScan certificate error

2014-06-13T00:44:28Z

While setting up a new scan, I'm using an external browser to record the login session.  When the page opens I get a certificate error saying that the certificate is not issued to the domain I'm looking for.

The certificate is issued to AppScan by AppScan - the browser tries to use the same self-signed certificate independent of the browser I use or the site I try to access.  Any suggestions on removing this problem would be great, thanks!

  • MarekStepien
    147 Posts

    Re: AppScan certificate error

    2014-06-13T00:54:21Z

    Can you upload a screenshot of the "certificate error"?

  • rajatshah
    4 Posts

    Re: AppScan certificate error

    2014-06-13T01:18:34Z

    Please see attached screenshot

  • MarekStepien
    147 Posts

    Re: AppScan certificate error

    2014-06-18T14:32:26Z

    You are getting this browser warning (prompted by an SSL error) because you are accessing the HTTPS site through the proxy (AppScan). The SSL/TLS protocol is designed to work this way when accessing a site through a proxy.

    When you explore the site, AppScan works as a proxy between the browser and the site. In a case when the site uses the https channel (meaning that the site provides a certificate to the user when he tries to connect to the site, and all the communications are encrypted using keys from that certificate), AppScan has to become a "man in the middle" between the site and the browser in order to be able to record and analyze the traffic, especially the responses from the application.

    SSL/TLS is designed to prevent AppScan from mimicking this behavior, and it is designed to not really allow AppScan to become a "man in the middle". This is why you get this warning dialog from your browser, prompted by SSL/TLS.

    The communication is performed as follows:

    1. The HTTPS communication between AppScan and the site is using the site's certificate (the site uses a certificate signed by a Certificate Authority (CA) created specifically for the site).

    2. The HTTPS communication between AppScan and your browser is using AppScan's certificate (AppScan decrypts the data from the site for analysis and re-encrypts it for the browser using the AppScan certificate).

    3. The browser receives HTTPS data and checks if the URL of the site matches the one in the certificate; it doesn't, and so it shows you the warning.

    In order to continue the recording, you need to press the Proceed anyway button in the certificate warning dialog.

    Updated on 2014-06-18T14:32:51Z by MarekStepien
  • rajatshah
    4 Posts

    Re: AppScan certificate error

    2014-06-19T01:05:11Z

    Ok, great!  I wanted to make sure this was standard functionality.  Thanks for the detailed explanation, appreciate your help.

  • warrenm1
    224 Posts

    Re: AppScan certificate error

    2014-06-19T13:07:48Z

    The attached AppScan Extension will add AppScan's cert to your trusted root and minimize these sorts of warnings.  Load the zip in AppScan 8.8/9xx under Tools/Extensions/Extension Manager.

    Regards,
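An added example, not code from the thread or from AppScan: a small Python model of the two TLS legs MarekStepien describes (proxy-to-site and browser-to-proxy) and of the two checks a browser runs on the leg it sees, an issuer-trust check against its root store and the hostname check in step 3. It then applies the change warrenm1's extension makes (the proxy's cert added to the trusted roots) and shows what that does and does not silence. The certificates are constructed dicts in the shape `ssl.SSLSocket.getpeercert()` returns, with no real keys or signatures, so "chain validation" is reduced to an issuer-name lookup; the names `Example Public CA`, `www.example.com`, the `AppScan` issuer string and all function names are assumptions. Hostname matching follows RFC 6125 rules (SAN before CN, wildcard only as the whole leftmost label), which is the general rule rather than the single mismatch the thread reports.

```python
"""Model of the two TLS legs an intercepting proxy such as AppScan creates,
and of the two checks a browser runs on the leg it can see.

Certificates are constructed dicts in the shape ssl.SSLSocket.getpeercert()
returns; there are no real keys or signatures, so the "chain" check is only
an issuer-name lookup in a trust store.  All names below are made up.
"""

# Constructed sample certificates (not real AppScan or example.com artifacts).
SITE_CERT = {  # what the real site presents to the proxy
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
PROXY_CERT = {  # one self-signed cert the proxy shows the browser for every site
    "subject": ((("commonName", "AppScan"),),),
    "issuer": ((("commonName", "AppScan"),),),
}
PROXY_LEAF_FOR_SITE = {  # a per-host leaf a proxy could mint under its own root
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "AppScan"),),),
    "subjectAltName": (("DNS", "www.example.com"),),
}
PUBLIC_ROOTS = frozenset({"Example Public CA"})  # stand-in for the OS root store


def _common_name(rdn_sequence):
    """Pull commonName out of a getpeercert()-style subject/issuer tuple."""
    for rdn in rdn_sequence:
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def dns_name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive; '*' allowed only as the
    entire leftmost label, matching exactly one label; no '*.com' style names."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """Step 3 of the explanation: is the name the user typed in the cert?
    SAN dNSName entries take precedence; the subject CN is consulted only
    when the certificate carries no SAN (legacy behaviour)."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    names = sans if sans else [_common_name(cert["subject"])]
    return any(n is not None and dns_name_matches(n, hostname) for n in names)


def issuer_trusted(cert, trusted_roots):
    """Simplified chain check: the issuer must be a trusted root."""
    return _common_name(cert["issuer"]) in trusted_roots


def browser_verdict(cert, hostname, trusted_roots):
    """Warnings a browser would raise for one TLS leg, in the order checked."""
    warnings = []
    if not issuer_trusted(cert, trusted_roots):
        warnings.append("untrusted issuer")
    if not hostname_matches(cert, hostname):
        warnings.append("name mismatch")
    return warnings


def intercepted_session(hostname, browser_roots, proxy_cert):
    """Both legs of a proxied HTTPS request.  The proxy validates the site
    against the public roots; the browser validates whatever the proxy shows
    it against the browser's own store."""
    return {
        "proxy_to_site": browser_verdict(SITE_CERT, hostname, PUBLIC_ROOTS),
        "browser_to_proxy": browser_verdict(proxy_cert, hostname, browser_roots),
    }


if __name__ == "__main__":
    host = "www.example.com"
    # 1. Stock trust store, shared proxy cert: the warning from the original post.
    print(intercepted_session(host, PUBLIC_ROOTS, PROXY_CERT))
    # 2. Proxy root added to the store (what the extension does): the issuer
    #    warning goes away, the name mismatch does not.
    with_proxy_root = PUBLIC_ROOTS | {"AppScan"}
    print(intercepted_session(host, with_proxy_root, PROXY_CERT))
    # 3. Proxy root trusted and a per-host leaf presented: no warnings.
    print(intercepted_session(host, with_proxy_root, PROXY_LEAF_FOR_SITE))
```

Two points the model makes explicit. Adding the proxy's cert to the trusted roots only removes the "untrusted issuer" half; the step-3 name check still fails as long as the proxy presents one certificate named "AppScan" to every site, and only goes quiet when the proxy presents a per-host certificate chained to that root (whether a given AppScan version does so is not stated in this thread). And a root in the trusted store is trusted for any name it signs, so a proxy root should be installed only on the scanning machine or browser profile and removed when the engagement ends.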

  • rajatshah
    4 Posts

    Re: AppScan certificate error

    2014-06-20T00:54:55Z

    Thanks for providing the extension - unfortunately I'm running AppScan 8.5 so I had some compatibility issues with the installation. 

    Let me know if you have an extension for the earlier versions.

    Regards,
    Rajat

  • warrenm1
    224 Posts

    Re: AppScan certificate error

    2014-06-20T13:22:20Z

    Sorry, it's only for later versions. You should consider upgrading anyway; on 8.5 your security rules will be a few years out of date.

    Regards,