Manual Explore prompts for a certificate when browsing a secure site
When performing a Manual Explore or recording a login sequence with IBM Security AppScan Standard, the browser shows a Security Alert, or prompts you to install or accept a certificate.
When browsing the same site with a standalone Internet Explorer or Firefox, no alert appears.
When accessing the application over HTTPS through AppScan Manual Explore, or while recording, you get a Security Alert dialog listing the certificate warnings.
Note: AppScan version 8.7 and newer no longer causes warning #1.
Pressing the "View Certificate" button shows the certificate the browser actually received, which is AppScan's own certificate rather than the site's.
You get this browser warning or Security Alert (triggered by an SSL/TLS certificate error) because you are reaching the HTTPS site through a proxy (AppScan). SSL/TLS is deliberately designed so that an intermediary cannot terminate and re-originate a connection without the client noticing.
When manually exploring a site, AppScan works as a proxy between the browser and the site. When the site uses HTTPS (the site presents a certificate to the client when it connects, and all traffic is encrypted with keys negotiated under that certificate), AppScan has to become a "man in the middle" between the site and the browser in order to analyze and record the traffic, in particular the application's responses.
SSL/TLS is designed to prevent exactly this: a proxy cannot present the site's certificate to the browser without holding the site's private key, so AppScan must present a certificate of its own, and the browser flags it. That is why you get the warning dialog.
The communication is performed as follows:
- The HTTPS connection between AppScan and the site uses the site's certificate (a certificate issued to that site by a Certificate Authority (CA)).
- The HTTPS connection between AppScan and the browser uses AppScan's certificate (AppScan decrypts the data from the site for analysis and re-encrypts it for the browser under the AppScan certificate).
- The Manual Explore browser receives the HTTPS data and runs the following checks on the certificate it was given:
- Check 1: the certificate is signed by a trusted CA
- Check 2: the certificate's validity dates are current
- Check 3: the hostname in the URL matches the name in the certificate
Checks 1 and 3 fail, because the data between the browser and AppScan is encrypted under AppScan's own certificate, which was not issued by a CA the browser trusts and does not carry the site's hostname.
Resolving The Problem
This behaviour follows from the design of the SSL/TLS protocol and is not a defect; there is no fix that removes the warning in the general case.
However, if you are scanning only one specific site and want to avoid the warning for it, you can replace AppScan's certificate file and private key file (cert.pem and privkey.pem) with that site's own certificate and private key:
<AppScan Standard installation>\cert.pem
<AppScan Standard installation>\privkey.pem
The replacement certificate must be issued for the hostname you are exploring, and because AppScan presents the same certificate for every host, any other HTTPS host touched during the scan will still trigger the warning. Treat the copied private key as sensitive: restrict access to the AppScan machine and restore the original files once the scan is finished.
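The three browser checks above, and the effect of the cert.pem/privkey.pem replacement, can be reproduced with the openssl CLI. The script below is an added example written for this page; it is not AppScan code and uses no real AppScan or site certificate. The CA name "Demo Root CA", the hostname site.example.test and the proxy CN "appscan-proxy" are constructed for the demo, and a temporary AppScan directory stands in for the installation folder.

```sh
#!/bin/sh
# Added example (not part of the IBM technote): reproduce the three checks the
# Manual Explore browser performs, first against the site's own certificate
# (issued by a CA the "browser" trusts) and then against a self-signed stand-in
# for AppScan's cert.pem/privkey.pem. All names and keys are constructed here.
set -u

HOST=site.example.test
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/AppScan"          # stands in for <AppScan Standard installation>

# Trusted CA (constructed) and the site certificate it issues, with a matching SAN.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
  -keyout "$WORK/site.key" -out "$WORK/site.csr" >/dev/null 2>&1
printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/site.ext"
openssl x509 -req -in "$WORK/site.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -extfile "$WORK/site.ext" \
  -out "$WORK/site.pem" >/dev/null 2>&1

# Self-signed certificate standing in for the one AppScan presents to the browser.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=appscan-proxy" \
  -keyout "$WORK/proxy.key" -out "$WORK/proxy.pem" >/dev/null 2>&1
cp "$WORK/proxy.pem" "$WORK/AppScan/cert.pem"
cp "$WORK/proxy.key" "$WORK/AppScan/privkey.pem"

# Check 1: does the certificate chain to a CA the browser trusts?
check_trusted_ca() {  # $1 = certificate file
  openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}
# Check 2: are the validity dates current? (-checkend 0 fails once expired)
check_dates() {       # $1 = certificate file
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}
# Check 3: does the site's hostname match the certificate's SAN/CN? To isolate
# this from check 1, the caller passes the trust anchor to use ($2); trusting
# the proxy certificate itself shows that its name would still not match.
check_hostname() {    # $1 = certificate file, $2 = CA file to trust
  openssl verify -CAfile "$2" -verify_hostname "$HOST" "$1" >/dev/null 2>&1
}

report() {  # $1 = label, $2 = certificate file, $3 = trust anchor for check 3
  check_trusted_ca "$2" && r1=pass || r1=FAIL
  check_dates "$2" && r2=pass || r2=FAIL
  check_hostname "$2" "$3" && r3=pass || r3=FAIL
  printf '%-28s trusted CA: %s   dates: %s   hostname: %s\n' "$1" "$r1" "$r2" "$r3"
}

report "site.pem (direct)"          "$WORK/site.pem"         "$WORK/ca.pem"
report "cert.pem (AppScan default)" "$WORK/AppScan/cert.pem" "$WORK/AppScan/cert.pem"

# The technote's workaround: install the site's own certificate and private key
# as cert.pem/privkey.pem, so the browser is shown the real site certificate.
cp "$WORK/site.pem" "$WORK/AppScan/cert.pem"
cp "$WORK/site.key" "$WORK/AppScan/privkey.pem"
report "cert.pem (replaced)"        "$WORK/AppScan/cert.pem" "$WORK/ca.pem"
```

The first report line passes all three checks, the second fails checks 1 and 3 (dates are fine, which is why the dialog never complains about them), and the third passes again once the site's certificate and key are in place. The hostname check is run with the proxy certificate as its own trust anchor on purpose: it shows that merely trusting AppScan's certificate would silence warning #1 but not the name mismatch, so for the single-site case the page's file replacement is what clears both.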
More support for:
IBM Security AppScan Standard
Software version: 8.0, 8.5, 8.7, 8.8, 9.0, 9.0.1
Operating system(s): Windows
Software edition: Express, Standard
Reference #: 1302711
Modified date: 19 September 2018