Outgoing proxy with authentification + SSL

[GoogleCodeExporter]

What steps will reproduce the problem?
1. Setup an outgoing proxy with authentification
2. Try to connect to https site

What is the expected output? What do you see instead?
expected : connect to site normally
instead : get an error that proxy auth is required

What version of the product are you using? On what operating system?
1.3.3 WinXP

Please provide any additional information below.
In wireshark I can see the following :
- if I connect to a non-ssl site :
zap > proxy : get site.com 
proxy > zap : 407 auth required
zap > proxy : get site.com ntlmssp_negociate
... negociation ...
proxy > zap : 200 OK

- if I connect to ssl site :
zap > proxy : connect site.com:443
proxy > zap : 407 auth required
** stops here and ZAP sends this to the browser **

It seems that ZAP doesnt know how to handle this.

Original issue reported on code.google.com by christian.kungler on 14 Oct 2011 at 11:50

• Merged into: #729

[GoogleCodeExporter]

check  Tools -> options -> connections -> Proxy authentication.

Original comment by anant@anantshri.info on 23 Feb 2012 at 5:07

[GoogleCodeExporter]

I will take this issue.

Original comment by flowing...@gmail.com on 27 Sep 2012 at 3:43

[GoogleCodeExporter]

I have the same problem.. I am on 1.4.1 and fully updated version. I have the 
same problem:

Outgoing Proxy: SQUID with authentication
http:// works well.. No problem
https:// does not work at all. Something really wrong.. 

Original comment by armado1...@gmail.com on 14 Dec 2012 at 3:05

[GoogleCodeExporter]

What authentication scheme are you using?
Could you provide an excerpt of the log file (file zap.log located in ZAP's 
default directory [1]) when connecting to a HTTPS site?

[1] https://code.google.com/p/zaproxy/wiki/FAQconfig

Original comment by THC...@gmail.com on 14 Dec 2012 at 3:46

[GoogleCodeExporter]

I was wondering if any progress had been made on this as I am having the same 
issue where going through an outgoing proxy an http call works but https does 
not.

Thanks.

Original comment by scwor...@gmail.com on 18 Jun 2013 at 5:50

[GoogleCodeExporter]

No. What authentication scheme are you using?

Could you check if there's any error in the log file (file zap.log located in 
ZAP's default directory [1]) when connecting to a HTTPS site?

[1] https://code.google.com/p/zaproxy/wiki/FAQconfig

Original comment by THC...@gmail.com on 18 Jun 2013 at 6:24

[GoogleCodeExporter]

It is NTLM. Here are two attachments, one going at http://www.google.com and 
one at https://www.google.com. The more I look at it, the more I think it is 
configuration on my end.

Original comment by scwor...@gmail.com on 18 Jun 2013 at 8:44

Attachments:

• [zap - https.log](https://storage.googleapis.com/google-code-attachments/zaproxy/issue-201/comment-7/zap - https.log)
• [zap -http.log](https://storage.googleapis.com/google-code-attachments/zaproxy/issue-201/comment-7/zap -http.log)

[GoogleCodeExporter]

From the logs, it seems that you didn't set the proxy authentication 
credentials (under "Options" > "Connection"), is that right?

Original comment by THC...@gmail.com on 19 Jun 2013 at 5:18

[GoogleCodeExporter]

I have tried both with and without credentials. I got it to work by having the 
outgoing proxy point at a CNTLM instance, so it probably has to do with the 
NTLM authentication. If you would like, I can generate a log file making sure I 
have the credentials filled in.

Original comment by scwor...@gmail.com on 19 Jun 2013 at 8:10

[GoogleCodeExporter]

That would be helpful.

Thanks.

Original comment by THC...@gmail.com on 20 Jun 2013 at 12:44

[GoogleCodeExporter]

Now I remember why I didn't have credentials in the outgoing proxy. When I 
enter my credentials and try to access a http site (http://www.google.com) ZAP 
falls into a loop. It must be passing my user id because my ID gets suspended. 
When I try to access https://www.google.com it does not go into a loop but the 
proxy says I need to authenticate. Attached is a zip with one folder containing 
a log trying to access google (withCred-google) and one folder with log hitting 
https://www.google.com (withCred-sGoogle1).

Original comment by scwor...@gmail.com on 20 Jun 2013 at 6:28

Attachments:

• zapLog.zip

[GoogleCodeExporter]

Could you try the attached jar, to see if it fixes the issues?
Version 1.4.1 patched.
Updated the NTLM authentication code.
Added checks to avoid the infinite loops.

Original comment by THC...@gmail.com on 24 Jun 2013 at 1:44

Attachments:

• zap.jar

[GoogleCodeExporter]

That fixed it, nicely done.
Thanks.

Original comment by scwor...@gmail.com on 24 Jun 2013 at 4:21

[GoogleCodeExporter]

Thank you for giving it a try.

So, it's working for both HTTP and HTTPS when setting the authentication 
credentials in ZAP?
What about if the credentials are not set in ZAP?

Original comment by THC...@gmail.com on 25 Jun 2013 at 3:36

[GoogleCodeExporter]

Yes, it is working for both HTTP and HTTPS when setting the proxy 
authentication credentials in ZAP. If the proxy authentication credentials are 
not set, for both HTTP and HTTPS, I get a proxy connection error; which is what 
I expected. From my view point, it is working exactly as it should.

Original comment by scwor...@gmail.com on 25 Jun 2013 at 6:36

[GoogleCodeExporter]

OK. Thank you.

I'll commit the changes to trunk then.

Original comment by THC...@gmail.com on 2 Jul 2013 at 3:44

[GoogleCodeExporter]

Fixed?

Original comment by kingtho...@gmail.com on 15 May 2014 at 9:46

[GoogleCodeExporter]

Yeah, with Issue 729. Thanks!

Original comment by THC...@gmail.com on 16 May 2014 at 12:45

• Changed state: Duplicate