
OWASP ZAP - SSLHandshakeException: Received fatal alert: handshake_failure

Good Day,

The issue concerns SSLHandshakeException: Fatal Alert/Access Denied, when directing to a page using OWASP ZAP proxy.

Technologies Used:

  • OWASP ZAP 2.8

  • Mozilla Firefox 73.0

  • Java Version: 1.8

  • AWS Hosted Website.

I am getting the above-mentioned error when accessing a specific application hosted from an AWS CloudFront domain. Its domain is formatted like this: https://sample.example.net/ *Sample format - can't disclose the initial application*. I am using OWASP ZAP Proxy and configured its

  • Local proxies

  • Imported the CA Root Cert on the browser.

  • Checked SSL3, TLS 1, TLS 1.1, TLS 1.2 Under the connections.

  • Enabled unsafe SSL/TLS renegotiation.

When using my normal settings, I can access the said application, but when using the proxy, just this single application is giving me this error - I can perfectly access the other sites. Thank you in advance!

We have a FAQ for that: https://www.zaproxy.org/faq/how-to-connect-to-an-https-site-that-reports-a-handshake-failure/. Summary here:

First of all try checking the 'Enable unsafe SSL/TLS renegotiation' checkbox in the Certificate Options screen and trying again.

Second check if you've enabled SSLv2Hello in the outbound connection options. If so, disable SSLv2Hello and reload the content to see if the issue is resolved.

If this doesn't help and an HTTPS site reports a handshake failure then try installing the 'Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files':

You will need to restart ZAP for these to take effect.
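To see whether the JCE policy step applies, the JVM that launches ZAP can be asked what it is able to offer in a TLS handshake. The following is an added example, not part of the original answer or of ZAP itself; the class name `JvmTlsCheck` is hypothetical, and it assumes you run it with the same `java` binary that starts ZAP.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added diagnostic (hypothetical class name): reports the TLS capabilities of this JVM.
public class JvmTlsCheck {

    // True when the unlimited strength policy is in effect.
    // The limited policy caps AES at 128 bits; unlimited reports Integer.MAX_VALUE.
    static boolean unlimitedPolicyActive() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES") > 128;
    }

    // Cipher suites this JVM can offer that require 256-bit AES keys.
    static List<String> aes256Suites(SSLParameters params) {
        List<String> out = new ArrayList<>();
        for (String suite : params.getCipherSuites()) {
            if (suite.contains("AES_256")) {
                out.add(suite);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        SSLParameters supported = SSLContext.getDefault().getSupportedSSLParameters();
        List<String> protocols = Arrays.asList(supported.getProtocols());
        List<String> strong = aes256Suites(supported);

        System.out.println("Java version        : " + System.getProperty("java.version"));
        System.out.println("Unlimited JCE policy: " + unlimitedPolicyActive());
        System.out.println("Supported protocols : " + protocols);
        System.out.println("SSLv2Hello available: " + protocols.contains("SSLv2Hello"));
        System.out.println("AES-256 suites      : " + strong.size());
        for (String s : strong) {
            System.out.println("  " + s);
        }
        if (!unlimitedPolicyActive()) {
            // No shared cipher suite between client and server ends in handshake_failure.
            System.out.println("AES-256 is restricted: a server accepting only AES-256 suites cannot be reached.");
        }
    }
}
```

Compile and run with `javac JvmTlsCheck.java && java JvmTlsCheck`; if the policy line prints `true`, installing the policy files will not change the outcome.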
