The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

2020.11.3 Invisible Proxy does not honor disabled TLS 1.3

Shane | Last updated: Dec 07, 2020 09:57PM UTC

When Burp 2020.11.3 is configured to use an invisible proxy with TLS 1.3 disabled it does not honor that disabled protocol and will still negotiate TLS 1.3. I don't see a place to attach packet captures to demonstrate but the reproduction is simple.

1. Configure Burp to use a new proxy on port 6789, configure the TLS Protocols to disable TLS 1.3.
2. Connect to a site using TLS 1.3 through the invisible proxy. e.g. "$ curl -k --tlsv1.3 --connect-to ::127.0.0.1:6789 https://ifconfig.co/ip"

EXPECTED: A Fatal TLS Alert for protocol version.
ACTUAL: TLS 1.3 is negotiated.

The HTTP/S proxy (i.e. non-invisible) does adhere to disabled protocols.

Liam, PortSwigger Agent | Last updated: Dec 09, 2020 02:06PM UTC

Thanks for this report. We'll do some testing and get back to you ASAP.

Uthman, PortSwigger Agent | Last updated: Dec 11, 2020 10:42AM UTC

Hi,

Can you clarify why you are using --connect-to? Is that to connect to the proxy?

I have tried running 'curl -k -v --proxy 127.0.0.1:6789 https://ifconfig.co/ip' with the invisible proxy enabled in Burp and TLSv1.3 disabled. I can see that the request uses TLSv1.2 by default. If I re-enable TLSv1.3, that will be used by default instead.

- https://ec.haxx.se/usingcurl/usingcurl-proxies

If you run 'curl -k --tlsv1.3 -v --proxy 127.0.0.1:6789 https://ifconfig.co/ip' while TLSv1.3 is disabled in Burp, you should see an error at the command-line. The error I personally see is:

error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
* Closing connection 0
curl: (35) error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version

Shane | Last updated: Sep 15, 2021 06:21PM UTC

Sincerest apologies for not noticing this update!

I'm using "--connect-to" since the application I'm simulating is not proxy aware and therefore wouldn't be sending the usual proxy traffic like a CONNECT. Using "--connect-to" lets curl just try a "direct" HTTP over TLS connection to that endpoint. If you specify a proxy with curl (e.g. your command "curl -k --tlsv1.3 -v --proxy 127.0.0.1:6789 https://ifconfig.co/ip") and do a packet capture you'll see that curl does a "CONNECT" followed by the TLS connection.

Also, I've just tried this again with Burp Suite Pro 2021.8.3 and it still seems to be an issue.
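
The two connection styles compared in the thread can be checked side by side with a small probe. This is an added example, not part of the original posts and not PortSwigger code; the function name `probe_tls13` is hypothetical, and the listener address and host in the usage section are the ones quoted above.

```python
import socket
import ssl


def probe_tls13(host, port, sni, via_connect=False, timeout=5.0):
    """Offer only TLS 1.3 to a listener and report the outcome as a string.

    via_connect=False: TLS starts immediately, as a client that is not
                       proxy aware would do (the curl --connect-to case).
    via_connect=True:  a CONNECT request is sent first (the curl --proxy case).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                     # same effect as curl -k
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3   # nothing below TLS 1.3 is offered
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            if via_connect:
                request = f"CONNECT {sni}:443 HTTP/1.1\r\nHost: {sni}:443\r\n\r\n"
                raw.sendall(request.encode("ascii"))
                reply = b""
                while b"\r\n\r\n" not in reply:    # read the proxy's response headers
                    chunk = raw.recv(4096)
                    if not chunk:
                        return "error: listener closed before answering CONNECT"
                    reply += chunk
                status = reply.split(b"\r\n", 1)[0].decode("latin-1").split()
                if len(status) < 2 or status[1] != "200":
                    return "error: CONNECT refused: " + " ".join(status)
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                # Reaching this point means the listener accepted TLS 1.3.
                return f"negotiated {tls.version()}"
    except ssl.SSLError as exc:
        # A fatal protocol_version alert shows up here as
        # TLSV1_ALERT_PROTOCOL_VERSION.
        return f"rejected: {exc.reason or exc}"
    except OSError as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    for mode in (False, True):
        label = "CONNECT first" if mode else "direct TLS"
        print(label, "->", probe_tls13("127.0.0.1", 6789, "ifconfig.co", via_connect=mode))
```

With TLS 1.3 disabled on the listener, a "rejected" result matches the EXPECTED behaviour in the report, and a "negotiated TLSv1.3" result matches the ACTUAL behaviour.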

Michelle, PortSwigger Agent | Last updated: Sep 17, 2021 02:17PM UTC