
Tunneling socket - self signed certificate - OWASP ZAP Proxy

Open TheRealArlie opened this issue 5 years ago • 6 comments

  1. Newman Version (can be found via newman -v): 5.1.0

  2. OS details (type, version, and architecture): linux

  3. Are you using Newman as a library, or via the CLI? CLI

  4. Did you encounter this recently, or has this bug always been there: I just started to use it in this way

  5. Expected behavior: I would like to run newman through OWASP ZAP Proxy in order to do security analysis on an API we have. ZAP is creating self-signed certificates for the sites proxied through it. Using the --insecure flag, newman should ignore that the ZAP SSL certificate is self-signed. But what happens is that newman states: GET https://juice-shop.herokuapp.com/rest/user/whoami [errored] tunneling socket could not be established, cause=self signed certificate in certificate chain

Doing the same in Postman while deactivating SSL checks, everything works fine.

  1. Command / script used to run Newman: HTTP_PROXY=http://127.0.0.1:8080/ HTTPS_PROXY=https://127.0.0.1:8080/ newman run juice_shop.json --insecure

  2. Sample collection, and auxiliary files (minus the sensitive details):

{
	"info": {
		"_postman_id": "ec21d985-19c7-419c-b0c9-c87274ce3031",
		"name": "ZAP Proxy Test",
		"schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"
	},
	"item": [
		{
			"name": "whoami",
			"request": {
				"method": "GET",
				"header": [],
				"url": {
					"raw": "https://juice-shop.herokuapp.com/rest/user/whoami",
					"protocol": "https",
					"host": [
						"juice-shop",
						"herokuapp",
						"com"
					],
					"path": [
						"rest",
						"user",
						"whoami"
					]
				}
			},
			"response": []
		}
	],
	"protocolProfileBehavior": {}
}

Steps to reproduce the problem:

  1. Start OWASP ZAP Proxy (listening on 127.0.0.1:8080 for http and https)
  2. Start newman using ZAP as Proxy: HTTP_PROXY=http://127.0.0.1:8080/ HTTPS_PROXY=https://127.0.0.1:8080/ newman run juice_shop.json --insecure

TheRealArlie avatar Jun 11 '20 19:06 TheRealArlie

Hey @TheRealArlie,

Is this still something that you're having issues with or did you resolve the problem?

DannyDainton avatar Aug 22 '20 07:08 DannyDainton

Hi @DannyDainton, we still have this issue. We were not able to solve it.

Cheers, Robin

TheRealArlie avatar Aug 22 '20 08:08 TheRealArlie

Thanks for the update @TheRealArlie 👍

DannyDainton avatar Aug 22 '20 09:08 DannyDainton

Hello, I am also getting the same error, any further updates?

sonawanesarvesh avatar Apr 15 '21 08:04 sonawanesarvesh

Hello, I have resolved this another way - we used socks-proxy (https://www.npmjs.com/package/newman#using-socks-proxy)

Observed: mostly the tunneling issue occurs because of wrong proxy configurations.

sonawanesarvesh avatar Apr 15 '21 12:04 sonawanesarvesh

The error tunneling socket could not be established, cause=self signed certificate in certificate chain is thrown by Node.js to intentionally prevent insecure TLS connections, which is likely happening when proxying an https endpoint with ZAP's self-signed certificate.

https://nodejs.org/api/cli.html#node_tls_reject_unauthorizedvalue

I don't see any mention of setting NODE_TLS_REJECT_UNAUTHORIZED=0, which likely plays a role here.

untra avatar Sep 13 '22 21:09 untra

It's been a long time, but our brilliant student finally had time to tackle the problem.

Here is our fix:

  1. Start OWASP ZAP Proxy (listening on 127.0.0.1:8080 for http and https)
  2. Save the ZAP CA to a file owasp_zap_root_ca.cer
  3. Start newman using ZAP as Proxy: HTTP_PROXY=http://127.0.0.1:8080/ HTTPS_PROXY=http://127.0.0.1:8080/ newman run --ssl-extra-ca-certs owasp_zap_root_ca.cer juice_shop.json

Our issue was a combination of two problems:

  1. we were not using --ssl-extra-ca-certs owasp_zap_root_ca.cer
  2. we used HTTPS_PROXY=http >>>S<<< ://127.0.0.1:8080/ instead of HTTPS_PROXY=http://127.0.0.1:8080/

We would consider this issue as fixed by using this solution.

Thanks for your help!

TheRealArlie avatar Apr 14 '23 12:04 TheRealArlie
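The fix from the last comment as an added pre-flight script; this is example code written for this page, not code from the issue, newman or ZAP. It checks the two mistakes the thread identified (an https:// scheme on HTTPS_PROXY and a missing or non-PEM ZAP root CA for --ssl-extra-ca-certs) before launching newman, and assumes ZAP on 127.0.0.1:8080, the root CA exported as PEM to owasp_zap_root_ca.cer, and the collection saved as juice_shop.json.

```shell
#!/usr/bin/env sh
# Added example (not from the issue thread, newman or ZAP): pre-flight checks
# for the fix in the last comment. It catches the two mistakes the thread
# documents before newman is launched: an https:// scheme on HTTPS_PROXY
# (ZAP's listener on 127.0.0.1:8080 speaks plain HTTP, CONNECT included) and a
# missing or non-PEM ZAP root CA file for --ssl-extra-ca-certs.
# Assumptions: ZAP on 127.0.0.1:8080, root CA exported as PEM to
# owasp_zap_root_ca.cer, collection saved as juice_shop.json.

ZAP_PROXY="http://127.0.0.1:8080/"
ZAP_CA="${ZAP_CA:-owasp_zap_root_ca.cer}"

# check_proxy_url URL: 0 if URL uses the http:// scheme ZAP expects, else 1
check_proxy_url() {
  case "$1" in
    http://*) return 0 ;;
    https://*) echo "proxy URL '$1' uses https://, but ZAP expects http://" >&2
               return 1 ;;
    *) echo "proxy URL '$1' has no http:// scheme" >&2
       return 1 ;;
  esac
}

# check_ca_file PATH: 0 if PATH is a readable PEM certificate, else 1
check_ca_file() {
  if [ ! -r "$1" ]; then
    echo "CA file '$1' not readable; export ZAP's root CA first" >&2
    return 1
  fi
  if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
    echo "CA file '$1' is not PEM; --ssl-extra-ca-certs expects PEM" >&2
    return 1
  fi
  return 0
}

# build_newman_cmd COLLECTION CA: prints the command line the fix uses
build_newman_cmd() {
  printf 'HTTP_PROXY=%s HTTPS_PROXY=%s newman run --ssl-extra-ca-certs %s %s\n' \
    "$ZAP_PROXY" "$ZAP_PROXY" "$2" "$1"
}

# run_via_zap COLLECTION: validate the setup, then run newman through ZAP
run_via_zap() {
  check_proxy_url "$ZAP_PROXY" || return 1
  check_ca_file "$ZAP_CA" || return 1
  HTTP_PROXY="$ZAP_PROXY" HTTPS_PROXY="$ZAP_PROXY" \
    newman run --ssl-extra-ca-certs "$ZAP_CA" "$1"
}
```

Call `run_via_zap juice_shop.json` once ZAP is up and the CA is exported; with the scheme typo from the thread, `check_proxy_url` fails fast instead of newman reporting the tunneling socket error.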