Allow DAST to scan sites with self-signed or untrusted certificates
ZAProxy can scan sites that have insecure certificates, for example certificates that are expired, self-signed, or issued for the wrong host.
Before each scan, DAST runs a check on the target website to see if it returns a successful HTTP response. If not, it retries every 5 seconds. If still failing after 60 seconds in total, it attempts to run the scan anyway.
When the certificate is invalid, the response is always treated as unsuccessful, so the pre-scan check wastes the full 60 seconds before the scan starts anyway.
Proposal
The pre-scan check should judge reachability by the HTTP response alone and should not fail because the certificate is invalid. This change should be tested to verify that it behaves as expected.
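As an added illustration (not DAST's own code), this POSIX shell function shows the proposed behaviour: the probe ignores certificate errors and decides only on the HTTP status, retrying every 5 seconds for up to 60 seconds. It assumes curl is installed and takes the target URL as its first argument.

```shell
#!/bin/sh
# Added example: a pre-scan reachability check that tolerates expired,
# self-signed or wrong-host certificates by judging only the HTTP status.

# fetch_status URL: store the HTTP status of a GET to URL in $STATUS.
# -k (--insecure) disables certificate verification for this probe only,
# so a bad certificate cannot turn a live site into a "failed" probe.
# STATUS is 000 when no HTTP response was received at all.
fetch_status() {
  STATUS=$(curl -k -s -o /dev/null -w '%{http_code}' --max-time 5 "$1" 2>/dev/null)
  STATUS=${STATUS:-000}
}

# is_success_status CODE: true for any 2xx or 3xx response.
is_success_status() {
  case "$1" in
    2[0-9][0-9]|3[0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# pre_scan_check URL [DEADLINE] [INTERVAL]: probe the target every INTERVAL
# seconds (default 5) until DEADLINE seconds (default 60) have elapsed.
# Returns 0 as soon as the target answers with a success status, 1 if it
# never does; the caller may still decide to start the scan anyway.
# Elapsed time is counted in whole intervals, ignoring curl's own latency.
pre_scan_check() {
  url=$1; deadline=${2:-60}; interval=${3:-5}; elapsed=0
  while :; do
    fetch_status "$url"
    if is_success_status "$STATUS"; then
      echo "target reachable: HTTP $STATUS after ${elapsed}s"
      return 0
    fi
    elapsed=$((elapsed + interval))
    if [ "$elapsed" -ge "$deadline" ]; then
      echo "target returned HTTP $STATUS; giving up after ${deadline}s"
      return 1
    fi
    sleep "$interval"
  done
}
```

Run it as `pre_scan_check https://target.example` and branch on its exit status; a certificate error no longer costs the full deadline.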
Let's see if we can safely exit if curl can't reach the target website.
Old MVC
Related merge request: gitlab-org/security-products/dast!21 (merged)