Unable to use Arachni Proxy with HTTPS sites
I am using Arachni 1.4 with the proxy plugin.
.\arachni.bat https://target-url --scope-page-limit=1 --plugin=proxy --checks -
In my Ubuntu 14.04 LTS environment, with Firefox 44.0.2, I have imported the Arachni certificate into the Authorities tab of the Certificate Manager, and everything works as expected. I am able to visit HTTPS sites.
In my Windows Server 2012 with Firefox 43.0.1 I performed the same steps as in my Linux environment, but when I visit HTTPS sites I get a message in the browser stating:
Secure Connection Failed
The connection to the server was reset while the page was loading.
- The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
- Please contact the website owners to inform them of this problem.
I did the same import steps in both environments, but one works and the other does not. Please assist to identify the issue here.
Support Staff 1 Posted by Tasos Laskos on 25 Feb, 2016 11:29 PM
I'm not aware of any such issue, I'll need to investigate further.
It's either something platform specific or a difference in OpenSSL versions.
I'll keep you posted on my progress.
Cheers
2 Posted by Frank on 26 Feb, 2016 04:23 PM
Additional info.
Successful on Mac OS X 10.10.5
Failed on Windows 8.1
3 Posted by Frank on 02 Mar, 2016 02:19 AM
Is there an update on this issue?
Support Staff 4 Posted by Tasos Laskos on 02 Mar, 2016 09:01 AM
Unfortunately not yet.
Support Staff 5 Posted by Tasos Laskos on 03 Mar, 2016 03:08 PM
Still looking into it, not sure what's going on.
Support Staff 6 Posted by Tasos Laskos on 03 Mar, 2016 04:55 PM
Got it, you can set the bind_address option to 127.0.0.1 instead of the default 0.0.0.0 to work around the issue. For future versions I'll make that the default.
Let me know how it works.
7 Posted by Frank on 06 Mar, 2016 08:17 PM
I added the bind_address option to the proxy, and the message changed from 'Secure Connection Failed' to one where "This Connection is Untrusted". Even after selecting "Add Exception" and "Confirm Security Exception", it continued the same process over and over. The Technical Detail was:
Error code: sec_error_cert_signature_algorithm_disabled
After looking at the Arachni certificate I discovered that the signature algorithm is:
PKCS #1 SHA-1 With RSA Encryption
I upgraded my browser to a version of Firefox that re-enabled support for SHA-1, and everything is working now.
Thanks. This can be closed now.
BTW - I recommend you upgrade your certificate to SHA-2.
Support Staff 8 Posted by Tasos Laskos on 06 Mar, 2016 08:19 PM
Yeah I was planning on doing that after I started looking into your issue.
Cheers
Tasos Laskos closed this discussion on 06 Mar, 2016 08:19 PM.
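The sec_error_cert_signature_algorithm_disabled error above comes from the signature algorithm of the imported proxy CA, which can be checked before importing it into a browser. The following is an added example, not part of the original thread and not Arachni's code: build_sample_ca and audit_ca are hypothetical helper names, and the certificates are throwaway ones constructed inline rather than Arachni's real proxy CA.

```ruby
require 'openssl'

# Digests that browsers with SHA-1 disabled refuse in certificate signatures.
WEAK_SIGNATURE_DIGESTS = /md2|md5|sha-?1(?!\d)/i

# Build a throwaway self-signed CA (constructed sample input, not Arachni's
# real proxy CA) signed with the given digest name.
def build_sample_ca(digest_name)
  key  = OpenSSL::PKey::RSA.new(2048)
  name = OpenSSL::X509::Name.parse('/CN=Constructed Test Proxy CA')
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = name
  cert.issuer     = name
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new(digest_name))
  cert.to_pem
end

# Report the fields that decide whether a browser will accept the CA.
def audit_ca(pem)
  cert = OpenSSL::X509::Certificate.new(pem)
  algo = cert.signature_algorithm
  {
    subject: cert.subject.to_s,
    signature_algorithm: algo,
    key_bits: cert.public_key.n.num_bits,
    weak_signature: !!(algo =~ WEAK_SIGNATURE_DIGESTS)
  }
end

# Compare a SHA-1 signed CA (the situation in the thread) with a SHA-2 one.
%w[SHA1 SHA256].each do |digest|
  report = audit_ca(build_sample_ca(digest))
  status = report[:weak_signature] ? 'weak signature, expect browser rejection' : 'ok'
  puts "#{digest}: #{report[:signature_algorithm]} (#{report[:key_bits]} bits) -> #{status}"
end
```

To audit a real CA file, pass its PEM contents to audit_ca, for example audit_ca(File.read(path)) with the path to the exported certificate.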