Allow DAST to send certificates for mutual TLS
Problem to solve
Allow DAST to be configured to send certificates with requests for mutual TLS.
Due to technical issues, the scope of this issue has been adjusted so the feature only works for legacy/ZAP-based scans. The feature will not work on browser-based scans. This work will be captured in #325224 (closed).
Intended users
Personas are described at https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/
Proposal
Allow DAST to be configured to send certificates with requests for mutual TLS.
Further details
Customer reports HTTP error 400 with DAST in an environment that requires mutual TLS.
Available Tier
- Ultimate/Gold
What does success look like, and how can we measure that?
DAST is able to be configured to send certificates with requests for mutual TLS.
Links / references
Customer ticket: https://gitlab-federal-support.zendesk.com/agent/tickets/513 (internal use)
From the customer:
The problem we have is that we use mutual TLS in all of our systems; this also includes all of our user base as well, so when testing with DAST we need to have it send certs with every call made to port 443.
Implementation plan
We'll instruct users to create a protected, File type CI variable named DAST_PKCS12_CERTIFICATE in the UI. If provided, DAST will use it when making requests by itself, through ZAP, and through Browserker.
Links:
- https://www.zaproxy.org/docs/desktop/ui/dialogs/options/certificate/ (implement in ZAP)
- https://chromium.googlesource.com/chromium/src/+/refs/heads/lkgr/docs/linux/cert_management.md

- Read DAST_PKCS12_CERTIFICATE into DAST
- Use the certificate when authenticating with the target
- Use the certificate for requests made by ZAP
- Use the certificate for requests made by Browserker
- Update docs with information on using a client-side certificate
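As an added example, not part of this issue and not GitLab's DAST code: a POSIX shell helper showing the job-side half of the first task above. GitLab exposes a File type variable as the path of a temporary file, so the scanner receives a path to the .p12 bundle rather than the bundle bytes. The helper rejects a missing or non-path value and a bundle that does not parse (wrong password, not PKCS#12) before any scan request is sent, then converts the bundle to the PEM certificate/key pair that PEM-based clients consume. The password variable name DAST_PKCS12_PASSWORD, the helper name and the output file names are this example's assumptions; the issue only defines DAST_PKCS12_CERTIFICATE.

```shell
#!/bin/sh
# Added example (not GitLab DAST code): job-side handling of the
# DAST_PKCS12_CERTIFICATE File-type variable. GitLab sets a File-type
# variable to the path of a temporary file holding its value, so the
# scanner sees a path to the .p12 bundle, not the bundle itself.
# Assumed, not from the issue: the bundle password arrives in
# DAST_PKCS12_PASSWORD; output file names are also this example's choice.

# prepare_client_cert OUT_DIR
# Validates the bundle and writes OUT_DIR/client-cert.pem and
# OUT_DIR/client-key.pem (mode 0600). Prints the certificate subject so
# the job log shows which identity will be presented, without exposing
# key material. Returns non-zero on any problem so the job fails early
# instead of scanning without a client certificate and collecting HTTP 400s.
prepare_client_cert() {
  out_dir="$1"
  bundle="${DAST_PKCS12_CERTIFICATE:-}"
  pass="${DAST_PKCS12_PASSWORD:-}"   # assumed variable name

  if [ -z "$bundle" ]; then
    echo "DAST_PKCS12_CERTIFICATE is not set; cannot do mutual TLS" >&2
    return 1
  fi
  # A Variable-type variable would hold the raw bytes here instead of a path.
  if [ ! -r "$bundle" ]; then
    echo "DAST_PKCS12_CERTIFICATE must be a File-type variable: '$bundle' is not a readable path" >&2
    return 1
  fi
  # Verify the MAC/password and structure before trusting the bundle.
  if ! openssl pkcs12 -in "$bundle" -passin "pass:$pass" -info -noout >/dev/null 2>&1; then
    echo "cannot parse PKCS#12 bundle: wrong password or not a PKCS#12 file" >&2
    return 1
  fi

  mkdir -p "$out_dir" && chmod 700 "$out_dir" || return 1
  # Client certificate only (no CA chain entries, no key).
  openssl pkcs12 -in "$bundle" -passin "pass:$pass" -clcerts -nokeys \
    -out "$out_dir/client-cert.pem" 2>/dev/null || return 1
  # Unencrypted private key; kept readable by the job user only.
  openssl pkcs12 -in "$bundle" -passin "pass:$pass" -nocerts -nodes \
    -out "$out_dir/client-key.pem" 2>/dev/null || return 1
  chmod 600 "$out_dir/client-cert.pem" "$out_dir/client-key.pem"

  openssl x509 -in "$out_dir/client-cert.pem" -noout -subject
}

# Stand-alone use: sh this_script.sh prepare [OUT_DIR]
if [ "${1:-}" = "prepare" ]; then
  prepare_client_cert "${2:-./dast-client-cert}"
fi
```

The early checks matter because a File-type variable and a Variable-type variable look identical in the UI: with the wrong type the scanner would get PKCS#12 bytes where it expects a path, silently fall back to plain TLS, and the target would answer every request with the HTTP 400 the customer reported. The resulting PEM pair is what PEM-based clients take (for example `curl --cert client-cert.pem --key client-key.pem`); ZAP's own client-certificate option, linked above, accepts the PKCS#12 bundle directly.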