Unable to use Arachni Proxy with HTTPS sites

Frank

25 Feb, 2016 07:22 PM

I am using Arachni 1.4 with the proxy plugin.

.\arachni.bat https://target-url --scope-page-limit=1 --plugin=proxy --checks -

In my Ubuntu 14.04 LTS environment, with Firefox 44.0.2, I have imported the Arachni certificate into the Authorities tab of the Certificate Manager, and everything works as expected. I am able to visit HTTPS sites.

In my Windows Server 2012 with Firefox 43.0.1 I performed the same steps as in my Linux environment, but when I visit HTTPS sites I get a message in the browser stating:

Secure Connection Failed

The connection to the server was reset while the page was loading.

  • The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
  • Please contact the website owners to inform them of this problem.

I did the same import steps in both environments, but one works and the other does not. Please assist to identify the issue here.

  1. Support Staff 1 Posted by Tasos Laskos on 25 Feb, 2016 11:29 PM

    I'm not aware of any such issue, I'll need to investigate further.
    It's either something platform specific or a difference in OpenSSL versions.

    I'll keep you posted on my progress.

    Cheers

  2. 2 Posted by Frank on 26 Feb, 2016 04:23 PM

    Additional info.

    Successful on Mac OS X 10.10.5
    Failed on Windows 8.1

  3. 3 Posted by Frank on 02 Mar, 2016 02:19 AM

    Is there an update on this issue?

  4. Support Staff 4 Posted by Tasos Laskos on 02 Mar, 2016 09:01 AM

    Unfortunately not yet.

  5. Support Staff 5 Posted by Tasos Laskos on 03 Mar, 2016 03:08 PM

    Still looking into it, not sure what's going on.

  6. Support Staff 6 Posted by Tasos Laskos on 03 Mar, 2016 04:55 PM

    Got it, you can set the bind_address option to 127.0.0.1 instead of the default 0.0.0.0 to work around the issue.
    For future versions I'll make it the default.

    Let me know how it works.

  7. 7 Posted by Frank on 06 Mar, 2016 08:17 PM

    I added the bind_address option to the proxy, and the message changed from 'Secure Connection Failed' to one where "This Connection is Untrusted". Even after selecting "Add Exception" and "Confirm Security Exception", it continued the same process over and over.

    The Technical Detail was:
    Error code: sec_error_cert_signature_algorithm_disabled

    After looking at the Arachni certificate I discovered that the signature algorithm is:
    PKCS #1 SHA-1 With RSA Encryption

    I upgraded my browser to a version of Firefox that re-enabled support for SHA-1, and everything is working now.

    Thanks. This can be closed now.

    BTW - I recommend you upgrade your certificate to SHA-2.

  8. Support Staff 8 Posted by Tasos Laskos on 06 Mar, 2016 08:19 PM

    Yeah I was planning on doing that after I started looking into your issue.

    Cheers

  9. Tasos Laskos closed this discussion on 06 Mar, 2016 08:19 PM.
