login

Burp Suite, the leading toolkit for web application security testing

PortSwigger Web Security Blog

Sunday, 22 November 2009

[V13P] SSL pain relief

In v1.2.11, Burp introduced a new method of generating the server SSL certificates which are presented to your browser when you connect via Burp Proxy. This involved creating a root CA certificate (per user), which you can install into your browser, and using this to sign each host certificate, thus enabling you to eliminate SSL certificate errors. Read more here.

Unfortunately, in v3.5 Firefox changed the way it handles root CA certificates, which stopped Burp's root CA certificate from working. This problem has now been fixed, and Firefox should accept Burp's certificates again:

Note that if you have previously installed Burp's CA certificate into any of your browsers, you may need to remove this before you can install the new root certificate, as described here.

Another occasional source of SSL pain happens when Burp fails to negotiate connections using the combination of protocols offered by the destination web server. The Java SSL stack contains a few gremlins, and fails to work with certain unusual server configurations. To help you troubleshoot this problem, Burp now lets you specify which protocols should be offered to servers during SSL negotiations:

Note that Burp already implements a few workarounds for SSL issues, and if a negotation fails with the protocols you have configured, Burp will still try some alternative combinations of protocols which often work. So you shouldn't use this new feature as a method of testing which protocols are actually supported by the server. People often ask if Burp can perform these checks, but Java is a bit too far removed from the SSL action for this to be done reliably, so you are better off sticking to a dedicated tool for investigating server SSL configurations.

2 comments:

Rogan Dawes said...

Hmmm, interesting. The CA problem does not manifest in OWASP Proxy, but I do not have the same Basic Constraints that you are showing in your example here.

Rogan Dawes said...

Ah, actually, I am seeing it. Thanks for the heads up!

Blog Archive


User Forum

Get help from other users, at the Burp Suite User Forum:

Visit the forum ›

Copyright 2014 PortSwigger Ltd. All rights reserved.