Frequently Asked Questions

How to connect to an HTTPS site that reports a handshake failure?

First of all try checking the ‘Enable unsafe SSL/TLS renegotiation’ checkbox in the Certificate Options screen and trying again.

Second check if you've enabled SSLv2Hello in the outbound connection options. If so, disable SSLv2Hello and reload the content to see if the issue is resolved.

If this doesn't help and an HTTPS site reports a handshake failure then try installing the ‘Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files’:

The default JCE policy files bundled in this Java Runtime Environment allow for “unlimited” cryptographic strengths.

You will need to restart ZAP for these to take effect.

Note that on OS X we include the JRE with the ZAP application, so you'll need to start ZAP with an installed JRE from the command line, or you can edit located under /Applications/OWASP and comment out the statement shown below(as of version 2.5.0), the script will launch automatically using the JRE from the system:

#if [ "$OS" = "Darwin" ]; then
#  if [ -e ../PlugIns/jre*/Contents/Home/bin/java ]; then
#    pushd ../PlugIns/jre*/Contents/Home/bin > /dev/null
#    JAVA_PATH=`pwd -P`
#    popd > /dev/null
#  fi

Java 8 users note you may encounter SSLHandshakeException, on sites that support RC4 ciphers. More info here, and here. Solution(s): Disable RC4 on the server.

If you're in a corporate or business environment that normally requires the use of an Enterprise proxy you can have ZAP use it as well via the Options : Connections screen. If ZAP can't actually get to the destination (because use of the corporate proxy is required) this can sometimes manifest as an SSL/TLS negotiation failure.

If this doesn't help then get in touch via the User Group.

Error “java.lang.RuntimeException: Could not generate DH keypair”

The error and the likely cause is described in #2626: Java 8 does not support DH parameters with more than 2048 bit. It works with Java 9 (Debian: Install openjdk-9-jre).