denimgroup / threadfix

ThreadFix is a software vulnerability management platform. This GitHub site is far out of date. Please go to www.threadfix.it for up-to-date information.

Can't access GUI with MacOS/Safari 7.0.6 #573

Open MirkoDziadzka opened 9 years ago

MirkoDziadzka commented 9 years ago

This is probably either a Tomcat and/or a MacOS problem, but it affects the default distribution.

When using the 2.1M2 release.

$ sha1sum ThreadFix_2.1M2.zip 
f0bd9ca356c59e8978959915d4f54ab2d8f4ea37  ThreadFix_2.1M2.zip

After doing a normal install and start, I have problems accessing the GUI and the REST interface with some clients.

not working:

command line clients

$ curl -V
curl 7.30.0 (x86_64-apple-darwin13.0) libcurl/7.30.0 SecureTransport zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smtp smtps telnet tftp 
Features: AsynchDNS GSS-Negotiate IPv6 Largefile NTLM NTLM_WB SSL libz
$ curl -k https://localhost:8443/threadfix
curl: (35) Unknown SSL protocol error in connection to localhost:-9824

The error code -9824 means errSSLPeerHandshakeFail = -9824, /* handshake failure */

$ /usr/local/Cellar/curl/7.37.1_1/bin/curl -V
curl 7.37.1 (x86_64-apple-darwin13.3.0) libcurl/7.37.1 SecureTransport zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smtp smtps telnet tftp 
Features: IPv6 Largefile NTLM NTLM_WB SSL libz
$ /usr/local/Cellar/curl/7.37.1_1/bin/curl -k https://localhost:8443/threadfix
curl: (35) SSL peer handshake failed, the server most likely requires a client certificate to connect

working versions:

$ /usr/local/Cellar/curl/7.33.0/bin/curl -V
curl 7.33.0 (x86_64-apple-darwin13.3.0) libcurl/7.33.0 OpenSSL/0.9.8y zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smtp smtps telnet tftp 
Features: IPv6 Largefile NTLM NTLM_WB SSL libz 

I have this problem on my local Mac, and we tried at least the Safari connection on another machine too.

macacollins commented 9 years ago

I think this is a result of Safari's strict certificate policies and ThreadFix's self-signed certificate. If you could add the ThreadFix certificate to your computer's list of trusted certificates, that may help. Alternatively, you can generate a valid (non-self-signed) certificate yourself and use that in ThreadFix's Tomcat.
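Two different things are being discussed in this thread. The reply proposes a trust-store fix (import the self-signed certificate, or replace it), which is what a browser complains about when verification is on. The curl runs in the report, however, were made with `-k`, which skips verification entirely, and still failed: the SecureTransport build received a TLS handshake_failure alert (the code curl printed, -9824, is errSSLPeerHandshakeFail, SecureTransport's name for that alert), and the later curl only guessed at a client-certificate cause from the same alert. The Go program below is an added illustration, not code from ThreadFix or from anyone in this thread. It stands up an in-memory TLS server with a self-signed certificate and shows how the client-side error differs for four situations: verification on with the certificate untrusted, verification on after the certificate is imported into the trust store, verification off but no cipher suite in common (which produces the handshake_failure alert), and verification off against a server that really does demand a client certificate. The scenario names, the use of an ECDSA server key, the client's restriction to one ECDHE-RSA cipher suite and the `RequireAnyClientCert` server are all this example's assumptions; the thread gives no information about what the ThreadFix Tomcat actually offered or negotiated.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// must panics on setup errors so the scenarios stay readable.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newSelfSignedCert makes a throwaway ECDSA certificate for 127.0.0.1 in memory
// (a stand-in for a default install's self-signed cert) and a trust store holding only it.
func newSelfSignedCert() (tls.Certificate, *x509.CertPool) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	pool := x509.NewCertPool()
	pool.AddCert(must(x509.ParseCertificate(der)))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// serve listens on an ephemeral loopback port, runs one handshake per connection and
// hangs up; the outcome is observed on the client side.
func serve(cfg *tls.Config) net.Listener {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", cfg))
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			_ = c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	return ln
}

// Probe runs one handshake against addr with the given client settings and names the
// outcome. The substrings are the messages crypto/tls uses for the corresponding TLS alerts.
func Probe(addr string, cfg *tls.Config) string {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, cfg)
	if err == nil {
		conn.Close()
		return "ok"
	}
	var unknownCA x509.UnknownAuthorityError
	switch msg := err.Error(); {
	case errors.As(err, &unknownCA):
		return "untrusted server certificate" // trust-store problem; curl -k hides it
	case strings.Contains(msg, "handshake failure"):
		return "handshake_failure alert" // no cipher suite (or protocol version) in common
	case strings.Contains(msg, "bad certificate"), strings.Contains(msg, "certificate required"):
		return "client certificate required"
	default:
		return "other: " + msg
	}
}

// RunScenarios reproduces the outcomes a client can hit against a self-signed server.
// TLS 1.2 is pinned so a missing client cert is rejected inside the handshake itself.
func RunScenarios() map[string]string {
	cert, pool := newSelfSignedCert()
	plain := serve(&tls.Config{Certificates: []tls.Certificate{cert}})
	defer plain.Close()
	mutual := serve(&tls.Config{Certificates: []tls.Certificate{cert}, ClientAuth: tls.RequireAnyClientCert})
	defer mutual.Close()
	addr := plain.Addr().String()
	return map[string]string{
		// Verification on, trust store without the certificate (an empty pool).
		"strict client, untrusted cert": Probe(addr, &tls.Config{MaxVersion: tls.VersionTLS12, RootCAs: x509.NewCertPool()}),
		// The reply's fix: same client after importing the certificate.
		"strict client, cert trusted": Probe(addr, &tls.Config{MaxVersion: tls.VersionTLS12, RootCAs: pool}),
		// curl -k equivalent offering only a suite that needs an RSA key; the server key is ECDSA.
		"curl -k, no common cipher": Probe(addr, &tls.Config{MaxVersion: tls.VersionTLS12, InsecureSkipVerify: true,
			CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}}),
		// curl -k equivalent against a server that demands a client certificate.
		"curl -k, client cert required": Probe(mutual.Addr().String(), &tls.Config{MaxVersion: tls.VersionTLS12, InsecureSkipVerify: true}),
	}
}

func main() {
	for name, verdict := range RunScenarios() {
		fmt.Printf("%-32s %s\n", name, verdict)
	}
}
```

The point of the four rows is that only the first one is cured by importing the certificate. A handshake_failure alert arrives before any certificate is evaluated, so when `curl -k` fails with it the next step is to compare what the client offers (protocol versions, cipher suites) with what the server is configured to accept, for example with a client whose TLS library is known to differ, as the OpenSSL-backed curl 7.33.0 in the report does.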