06-18-2012 12:12 PM
I've got WE 9.20.247, running on Win7. I/ve hav increasing troubles completing scans since upgrading to IE9. As of now, a site I have scanned multiple times in the past, will no longer scan. Standard Scan has never worked on this site, the workflow driven scan is usually what I've used, recording the login macro with the Web Macro Recorder and now the True Client Browser, and the Workflow macro with the Web Proxie tool. Now since the upgrade to IE9 (and the activation of the HP.AppSec.IEPlugin.BrowserHelpObject) the WebProxie no longer catches any of the IE9 communication with the target, no matter what I do with the IE9 proxie settings (either my usual proxie address, the web Proxie 127....address/port, or no proxy). The scan target is a linux server with a custom web app that redirects intital requests to an https login page and then the entire site is accessible via htttps.
The response to any of the requests made by WE or by the Web Macro Recorder is :"request for https://x.x.x.x:443/page.asp cancelled due to the following error: The connection was closed before the secure channel was established.
I've tried making an xml file with the list of URLs, and import them in as a List-Driven Scan and tried to run a crawl of the site but the crawl fails 9the "site window doesn't show any URL list) and the scan Log says: "<date> <time> Error connectivity Issue, Reason:ServerConsecutive, Server :114.x.x.x:443, Error(100)The connection was closed before the secure channel was established. :"
Any ideas what's going on?
06-26-2012 07:15 PM
I'm not using IE9, but you may want to try the following.
Use the old Event-Based Macro Recorder for your login macro instead of the TruClient Macro Recorder.
Instead of creating a workflow macro, use Step Mode. It will take the same amount of time and effort, and your likely to get better results.
Instead of changing your IE9 Proxy Settings to work with the Web Proxy tool, have the Web Proxy launch a browser for you. I think it is the 3rd icon to the right from the play button.
All the best.
07-06-2012 11:51 AM
I've tried "event-based recorder and Step mode, and have always let the web proxy tool launch the browser...still ge the same mesage " connection closed before the secure channel was established". If I don't open the web proxy, or open it and don't start it, an IE window connects and browses my site just fine, as soon as I start the proxy and launch the browser, nothing...
07-06-2012 12:15 PM
Besides installing IE 9, perhaps there were changes to your system's Group Policy and/or network proxy? The reason I say this is that the secure connection error is based on failing to connect to the target, either due to OS issues or proxy/communication issues. A packet capture of the scan would probably expose the exact activity.
In the past we have seen a similar error, 'Could not establish secure channel for SSL/TLS', when FIPS encryption had been enabled. It needs to be disabled for WebInspect and here are the KB details on that issue.
You need to disable the "Local Security Setting System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" policy in Windows. 1. Go to Start > Control Panel > Administrative tools > Local Security Policy. The Group Policy dialog appears. 2. Under the "Local Policies" heading, select "Security Options" and look for the entry, "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing." 3. If entry this is enabled then disable it.
On the other hand, WebInspect defaults to using the proxy defined in MSIE, yet it cannot steal the current user's credentials as IE can. It is possible the network proxy requires authentication and the packet capture would reveal Auth failures with the network, similar to 407 Statuscode responses.
You indicated using Web Proxy, but if there is a network proxy at play, you would need to manually add that configuration to the Web Proxy settings in order for it to daisy-chain correctly from browser > Web Proxy > network proxy > scan target the same may be true for the Web Macro Recorder tool and its proxy settings.
Lastly, have you tried using an alternative browser such as Firefox? The "Record" mode of several of WebInspect's tools will hook into IE and spawn a new instance, but they also advertise their active listening port (lower-left corner). This means you can manually configure any other browser to connect through that port and record that traffic. Due to the hooking action, you would need to leave the spawned IE window open, since closing it will single that you are done with your desired recording.
You may find more details on proxy chaining in WebInspect here: http://infoamp.blogspot.com/2010/01/hp-webinspect-
-- Habeas Data
07-06-2012 06:10 PM
OK, I verified the local security policy was not interfering.
There is no network proxie, I install all my devices on the same L2 network as my webInspect server. Both IE and Webinspect and the proxie are configured for a "No Proxie" connection to my network.
Thanks for the info about alternate browsers, I will use it in the future. In this case, however, neither IE9, Chrome or Firefox will connect when the proxie is running.
I captured .pcaps of the transaction between IE9 and my test device when the proxie is not running and when it is and found a difference. IE sends an initial HTTP GET to the device IP, which returns a 302 redirect to the SSL version of teh web interface "https::/<device IP>/home.asp". with the proxy off, IE returns an SSLv3 Client Hello, which is resplied to by the Device. With the Proxie Running, IE returns an SSLv2 Client Hello, which the device replies to with an HTTPS ACK, then FIN,ACK.
So what about the proxie is causing IE to send SSLv2?
07-10-2012 03:42 PM - edited 07-10-2012 04:03 PM
So I've verified that the Device I'm testing does not accept SSLv2 connections, so that's why the browser returns the error. I also verified that SSLv2 is disabled in my IE9 Internet Options Advanced Tab Security section (see attached).
My question remains: Why does IE9 send SSLv2 client hellos when the proxy server is enabled? Put differently: Why, when the proxy is enabled, does EI9 attempt to make a secure connection with an insecure/deprecated SSL version even though it is disabled in the IE properties? Or Better yet? How do I make WebInspect/Proxy/IE9 send and SSLv3 client hello, instead of SSLv2?