Re: WebInspect 10 and expired certs
Occasional Visitor
jokersden
Posts: 2
Registered: ‎05-16-2013
Message 1 of 3 (271 Views)

WebInspect 10 and expired certs

Does WebInspect not connect to web servers that have expired certs?  I can access via browsers after clicking through the expired cert warning, but WebInspect will not.

In the profiler, it says "An error has occurred during the profiling of the targeted server.  Server profiler failed to connect to the target host."

If I click "next" then "Scan" the Scan Log reports "Connectivity Issue, Reason:FirstRequestFailed, Server xxx.com, Error:(10054)Unable to read data from the transport connection:  An existing connection was forcibly closed by the remote host."
Occasional Visitor
jokersden
Posts: 2
Registered: ‎05-16-2013
Message 2 of 3 (269 Views)

Re: WebInspect 10 and expired certs

Also, if I run WebInspect through Burp, it works like a champ since Burp's cert hasn't expired.

Respected Contributor
HansEnders
Posts: 590
Registered: ‎07-01-2008
Message 3 of 3 (241 Views)

Re: WebInspect 10 and no connectivity on first request

Unlike a user's browser interface, WebInspect does not stop for anything like simple errors, expired certs, or insecure/secure content.  It just goes.

Since this is a connectivity error, have you checked the Proxy settings for your scan settings?  The default settings are to steal the proxy configuration from IE, but one detail it cannot take is any entered user credentials.  You may need to change WebInspect's Proxy to "Explicitly Configured" and fill out the necessary proxy details and credentials there.  I find that if I can get Firefox configured for the upstream network proxy, then those settings will work fine once transferred to WebInspect.  Be aware that WebInspect has two Proxy settings areas, one for Scan Settings and one for Application Settings (for updates and such).

One area that expired or self-signed certificates might give WebInspect trouble is when they are part of the recorded sessions in the Login Macro you may have recorded.  I generally will mark those sessions as Optional so they do not foil the macro playback, just in case they do not reappear.


-- Habeas Data
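
One way to tell the two causes discussed in this thread apart from the scanning host, as an added example that is not part of any post and is not WebInspect code: handshake once with certificate validation and once without, then classify the failure. The function names are hypothetical, and the probe makes a direct connection, so a failure here on a network that requires an upstream proxy points back to the proxy settings.

```python
import socket
import ssl
import sys

def classify(exc):
    """Name the layer at which a connection attempt failed."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        # OpenSSL verify code 10 is X509_V_ERR_CERT_HAS_EXPIRED.
        expired = getattr(exc, "verify_code", None) == 10
        return "certificate-expired" if expired else "certificate-untrusted"
    if isinstance(exc, ssl.SSLError):
        return "tls-handshake-failure"
    if isinstance(exc, ConnectionResetError):
        return "connection-reset"  # the (10054) case from the Scan Log
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    if isinstance(exc, socket.gaierror):
        return "dns-failure"
    return "network-error" if isinstance(exc, OSError) else "unknown"

def probe(host, port=443, timeout=5.0):
    """Handshake twice: with certificate validation, then without."""
    results = []
    for verify in (True, False):
        ctx = ssl.create_default_context()
        if not verify:
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results.append("ok:" + str(tls.version()))
        except Exception as exc:
            results.append(classify(exc))
    return tuple(results)

def interpret(verified, unverified):
    """Turn the two probe results into a next step."""
    if not unverified.startswith("ok"):
        return "unreachable even without validation: check proxy and network path"
    if verified.startswith("ok"):
        return "reachable with a valid certificate"
    if verified.startswith("certificate"):
        return "reachable: only certificate validation fails"
    return "intermittent: verified attempt failed with " + verified

if __name__ == "__main__" and len(sys.argv) > 1:
    v, u = probe(sys.argv[1])
    print(v, u, "->", interpret(v, u))
```

Run it with the target hostname as the only argument.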