ashenchowthee / zaproxy

Automatically exported from code.google.com/p/zaproxy

javax.net.ssl.SSLException - bad_record_mac #705

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. OWASP ZAP 2.1.0 on Windows 2008
2. Added the OWASP certificate to the trusted root certificate authorities
3. Unable to open only a particular website

What is the expected output? What do you see instead?
The website's login page should have been displayed

What version of the product are you using? On what operating system?
already mentioned

Please provide any additional information below.
Everything else works. I am able to view, browse, and scan other websites. I am also able to see https://facebook.com and https://google.com without any warning. Thus, man in the middle seems to be working. However, this particular private website that I have shows the error displayed in the attached text file. I would appreciate any help.

Original issue reported on code.google.com by dewansid...@gmail.com on 27 Jun 2013 at 9:16


GoogleCodeExporter commented 9 years ago
Just to update, I was trying other proxies like WATOBO and the website I am trying to open works perfectly fine in WATOBO. However, I would really like to make it work in OWASP ZAP and try to understand it better.

Original comment by dewansid...@gmail.com on 28 Jun 2013 at 1:31

GoogleCodeExporter commented 9 years ago
I've found this link, which looks like it might be very relevant:
http://yuriytkach.blogspot.co.uk/2011/10/javaxnetsslsslexception-badrecordmac.html

Towards the end of the page it recommends adding:

((SSLSocket) socket).setEnabledProtocols(new String[] { "SSLv3" });
((SSLSocket) socket).setUseClientMode(true);

It looks like we have the first of those lines in our code, but commented out:
http://code.google.com/p/zaproxy/source/browse/trunk/src/org/parosproxy/paros/network/SSLConnector.java#99

I've just created a test build with these 2 lines in - I've attached the zap.jar to this ticket.
Could you back up your existing zap.jar file and see if this one fixes this problem?
If it works then we'll probably need to define an option to enable it, as it may break other sites.

Thanks,

Simon

Original comment by psii...@gmail.com on 9 Jul 2013 at 10:10

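As an added illustration of the option Simon proposes in the comment above (this is not ZAP's code and not the test build he attached), the class below applies an optional protocol override to an outgoing client SSLSocket. Only setEnabledProtocols and setUseClientMode come from the comment; the class name ProtocolOption, its constructor and the resolve/apply methods are my own assumptions. Two details matter for "it may break other sites": when no override is configured the JRE defaults are left untouched, and the configured names are checked against getSupportedProtocols() first, because setEnabledProtocols() throws IllegalArgumentException for a name the JRE does not know.

```java
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Added example, not ZAP code: an optional protocol override for outgoing
 * client TLS/SSL sockets, of the kind Simon suggests exposing as an option.
 */
public class ProtocolOption {

    /** Protocols the user asked for; empty means "leave the JRE defaults alone". */
    private final List<String> configuredProtocols;

    public ProtocolOption(List<String> configuredProtocols) {
        this.configuredProtocols = configuredProtocols == null
                ? new ArrayList<String>()
                : new ArrayList<String>(configuredProtocols);
    }

    /**
     * Returns the configured protocols that this JRE actually supports, in
     * the configured order. Unsupported names are dropped rather than passed
     * on, since setEnabledProtocols() rejects them with IllegalArgumentException.
     */
    public List<String> resolve(SSLSocket socket) {
        Set<String> supported = new HashSet<String>(
                Arrays.asList(socket.getSupportedProtocols()));
        List<String> resolved = new ArrayList<String>();
        for (String protocol : configuredProtocols) {
            if (supported.contains(protocol)) {
                resolved.add(protocol);
            }
        }
        return resolved;
    }

    /**
     * Configures the socket: client mode (ZAP is the one connecting to the
     * target site) and, only if a usable override is configured, the
     * restricted protocol list. Returns the protocols enabled afterwards.
     */
    public String[] apply(SSLSocket socket) {
        socket.setUseClientMode(true);
        List<String> resolved = resolve(socket);
        if (!resolved.isEmpty()) {
            socket.setEnabledProtocols(resolved.toArray(new String[0]));
        }
        return socket.getEnabledProtocols();
    }

    public static void main(String[] args) throws IOException {
        // An unconnected socket is enough to inspect and configure; no traffic is sent.
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket();
        try {
            System.out.println("Supported:       "
                    + Arrays.toString(socket.getSupportedProtocols()));
            System.out.println("Default enabled: "
                    + Arrays.toString(socket.getEnabledProtocols()));

            // The override from the comment above: restrict the client to SSLv3.
            ProtocolOption option = new ProtocolOption(Arrays.asList("SSLv3"));
            System.out.println("Resolved:        " + option.resolve(socket));
            System.out.println("Enabled after:   "
                    + Arrays.toString(option.apply(socket)));

            // No override configured: the JRE defaults are left as they were.
            ProtocolOption none = new ProtocolOption(null);
            System.out.println("Enabled (none):  "
                    + Arrays.toString(none.apply((SSLSocket) factory.createSocket())));
        } finally {
            socket.close();
        }
    }
}
```

Running `java ProtocolOption` prints the JRE's supported and default protocol lists, then the list left enabled once the SSLv3-only override is applied. One caveat when reading the output on a current JRE: from Java 8u31 onward SSLv3 is disabled by default through the jdk.tls.disabledAlgorithms security property, so even where the name is accepted by setEnabledProtocols() the handshake will not complete unless that property is changed, which is another reason to keep such an override opt-in and per-site rather than global.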

GoogleCodeExporter commented 9 years ago
Getting a similar issue with ZAP 2.3.0.1.
Response:
HTTP/1.1 502 Bad Gateway
Content-Length: 80
Content-Type: text/plain; charset=UTF-8

ZAP Error [javax.net.ssl.SSLException]: Received fatal alert: unexpected_message

No issues in the log.
On a whim I tried the zap.jar from this post, without success.

I suspect it has something to do with certificates on the target website. I imported them into the browser (FF). Maybe into ZAP as well?

Original comment by randall....@gmail.com on 22 May 2014 at 1:39

GoogleCodeExporter commented 9 years ago
Which JRE/JDK implementation are you using?

You can import client certificates into ZAP in "Options" > "Certificate".
Let us know if that worked (or not).

Original comment by THC...@gmail.com on 30 May 2014 at 10:19

GoogleCodeExporter commented 9 years ago
We need further info in order to work on this issue.

If we don't receive anything by 20140827 it will be closed.

Original comment by kingtho...@gmail.com on 14 Aug 2014 at 12:21

GoogleCodeExporter commented 9 years ago

Original comment by kingtho...@gmail.com on 28 Aug 2014 at 12:02

GoogleCodeExporter commented 9 years ago
Hi, I am also facing the same issue for Path Traversal.
ZAP version is ZAP 2.3.1 , jre1.8.0_25

Error scanning parameters for Path Traversal: Received fatal alert: bad_record_mac

 82356263 [ZAP-ActiveScanner-0] ERROR org.zaproxy.zap.extension.ascanrules.TestPathTraversal  - Error scanning parameters for Path Traversal: Connection reset
java.net.SocketException: Connection reset
        at java.net.SocketInputStream.read(Unknown Source)
        at java.net.SocketInputStream.read(Unknown Source)
        at sun.security.ssl.InputRecord.readFully(Unknown Source)
        at sun.security.ssl.InputRecord.readV3Record(Unknown Source)
        at sun.security.ssl.InputRecord.read(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readDataRecord(Unknown Source)
        at sun.security.ssl.AppInputStream.read(Unknown Source)
        at java.io.BufferedInputStream.fill(Unknown Source)
        at java.io.BufferedInputStream.read(Unknown Source)
        at org.apache.commons.httpclient.HttpParser.readRawLine(HttpParser.java:78)
        at org.apache.commons.httpclient.HttpParser.readLine(HttpParser.java:106)
        at org.apache.commons.httpclient.HttpConnection.readLine(HttpConnection.java:1116)
        at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.readLine(MultiThreadedHttpConnectionManager.java:1413)
        at org.apache.commons.httpclient.HttpMethodBase.readStatusLine(HttpMethodBase.java:1973)
        at org.apache.commons.httpclient.HttpMethodBase.readResponse(HttpMethodBase.java:1735)
        at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1098)
        at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
        at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
        at org.parosproxy.paros.network.HttpSender.executeMethod(Unknown Source)
        at org.parosproxy.paros.network.HttpSender.runMethod(Unknown Source)
        at org.parosproxy.paros.network.HttpSender.send(Unknown Source)
        at org.parosproxy.paros.network.HttpSender.sendAuthenticated(Unknown Source)
        at org.parosproxy.paros.network.HttpSender.sendAndReceive(Unknown Source)
        at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(Unknown Source)
        at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(Unknown Source)
        at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(Unknown Source)
        at org.zaproxy.zap.extension.ascanrules.TestPathTraversal.scan(Unknown Source)
        at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scan(Unknown Source)
        at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scanVariant(Unknown Source)
        at org.parosproxy.paros.core.scanner.AbstractAppParamPlugin.scan(Unknown Source)
        at org.parosproxy.paros.core.scanner.AbstractPlugin.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)

Original comment by rajanban...@gmail.com on 7 Jan 2015 at 11:28