Burp Suite User Forum

Login to post

2020.11.3 Invisible Proxy does not honor disabled TLS 1.3

Shane | Last updated: Dec 07, 2020 09:57PM UTC

When Burp 2020.11.3 is configured to use an invisible proxy with TLS 1.3 disabled it does not honor that disabled protocol and will still negotiate TLS 1.3. I don't see a place to attach packet captures to demonstrate but the reproduction is simple. 1. Configure burp to use a new proxy on port 6789, configure the TLS Protocols to disable TLS 1.3. 2. Connect to a site using TLS 1.3 through the invisible proxy. e.g. "$ curl -k --tlsv1.3 --connect-to :: https://ifconfig.co/ip" EXPECTED: A Fatal TLS Alert for protocol version. ACTUAL: TLS 1.3 is negotiated. The HTTP/S proxy (i.e. non-invisible) does adhere to disabled protocols.

Liam, PortSwigger Agent | Last updated: Dec 09, 2020 02:06PM UTC

Thanks for this report. We''ll do some testing and get back to you ASAP.

Uthman, PortSwigger Agent | Last updated: Dec 11, 2020 10:42AM UTC

Hi, Can you clarify why you are using --connect-to? Is that to connect to the proxy? I have tried running 'curl -k -v --proxy https://ifconfig.co/ip' with the invisible proxy enabled in Burp and TLSv1.3 disabled. I can see that the request uses TLSv1.2 by default. If I re-enable TLSv1.3, that will be used by default instead. - https://ec.haxx.se/usingcurl/usingcurl-proxies If you run 'curl -k --tlsv1.3 -v --proxy https://ifconfig.co/ip' TLSv1.3 is disabled in Burp, you should see an error at the command-line. The error I personally see is: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version * Closing connection 0 curl: (35) error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version

Shane | Last updated: Sep 15, 2021 06:21PM UTC

Sincerest apologies for not noticing this update! I'm using "--connect-to" since the application I'm simulating is not proxy aware and therefore wouldn't be sending the usual proxy traffic like a CONNECT. Using "--connect-to" let's curl just try a "direct" HTTP over TLS connection to that endpoint. If you specify a proxy with curl ( e.g. your command "curl -k --tlsv1.3 -v --proxy https://ifconfig.co/ip" ) and do a packet capture you'll see that curl does a "CONNECT" followed by the TLS connection. Also, I've just tried this again with BurpSuite Pro 2021.8.3 and it still seems to be an issue.

Michelle, PortSwigger Agent | Last updated: Sep 17, 2021 02:17PM UTC

Thanks for getting in touch again :-) We've replicated this and have raised the request with the developers. I don't have any timescales for this as yet but we've linked this thread so we can post back here when there is an update.

You need to Log in to post a reply. Or register here, for free.