Burp Suite User Forum


Bug with Extender self._callbacks.makeHttpRequest ?

Smeege | Last updated: Feb 25, 2016 07:45PM UTC

When I use self._callbacks.makeHttpRequest in my extension and the target server responds with an SSL error such as "SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)", I get an alert from Burp in the alerts tab saying "Attempting to auto-select SSL parameters", as expected. However, the extension seems to hang indefinitely at this point. The attempted request never times out and never triggers an error. This leaves my extension hanging, and it never performs the next actions. Is there any way via the API, client settings, etc. to prevent this without adding some other check? If I try to make this request manually without doing it through my extension, it eventually stops trying to connect and gives me the SSL error in the browser. Thanks!

PortSwigger Agent | Last updated: Feb 26, 2016 08:52AM UTC

The SSL autonegotiation process can take several minutes, and only occurs once per target domain where an SSL problem is encountered. The call to make an HTTP request will block while this is in progress, but won't "hang" in any other sense. Make sure you aren't making HTTP requests from the Swing event thread! You can turn off autonegotiation at Options / SSL / SSL Negotiation.
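
One way to bound the wait described in the reply above, as an added example that is not code from this thread or from PortSwigger: the blocking makeHttpRequest call runs on a daemon worker thread and the caller stops waiting after a deadline. The helper name, the exception class and the stub are hypothetical and constructed for illustration; the code is written to run under both Jython 2.7 and Python 3.

```python
import sys
import threading
import time


class RequestTimedOut(Exception):
    """makeHttpRequest was still blocked when the deadline expired."""


def make_request_with_timeout(callbacks, http_service, request, timeout_s):
    """Hypothetical helper: call callbacks.makeHttpRequest(http_service, request)
    on a daemon worker and wait at most timeout_s seconds for it to return."""
    outcome = {}

    def worker():
        try:
            outcome["response"] = callbacks.makeHttpRequest(http_service, request)
        except:  # bare except: also captures Java exceptions under Jython
            outcome["error"] = sys.exc_info()[1]

    thread = threading.Thread(target=worker, name="ext-request")
    thread.daemon = True  # a worker that is still blocked must not hold up shutdown
    thread.start()
    thread.join(timeout_s)

    if thread.is_alive():
        # Still blocked (e.g. SSL autonegotiation); the late result is discarded.
        raise RequestTimedOut("no response within %s s" % timeout_s)
    if "error" in outcome:
        raise outcome["error"]
    return outcome["response"]


class StubCallbacks(object):
    """Constructed stand-in for IBurpExtenderCallbacks so this runs outside Burp."""
    def __init__(self, delay_s):
        self.delay_s = delay_s

    def makeHttpRequest(self, http_service, request):
        time.sleep(self.delay_s)  # simulates a slow negotiation
        return "response-for:%s" % http_service


if __name__ == "__main__":
    print(make_request_with_timeout(StubCallbacks(0.0), "example.test", b"", 1.0))
    try:
        make_request_with_timeout(StubCallbacks(2.0), "example.test", b"", 0.2)
    except RequestTimedOut as exc:
        print("timed out: %s" % exc)
```

The caller still waits up to timeout_s, so the helper belongs on one of the extension's own threads rather than the Swing event thread.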

Burp User | Last updated: Apr 01, 2016 02:27AM UTC

I got "Secure Connection Failed":

An error occurred during a connection to aaa.bbb.ccc:8004. SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the web site owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

I tried turning off everything under Options / SSL / SSL Negotiation:

[Not Select]: Automatically select compatible SSL parameter on negotiation failure
[Not Select]: Enable algorithm blocked by Java security policy (required restart)
[Not Select]: Disable Java SNI extension (required restart)
[Not Select]: Allow unsafe renegotiation (required for some client certificates)

But no improvement. Thanks!
