Burp Suite User Forum


Bundled JRE can generate DH pairs larger than 2048 bits

Nicolas | Last updated: Nov 13, 2018 10:33AM UTC

Hello,

Burp Suite v1.7.37 is bundled with Java 1.8.0_112. This version of Java is quite old and can't generate DH pairs (used for SSL) larger than 2048 bits.

The site https://bettercrypto.org/ is a good testbed (pair size = 4096), as indicated in the SSL Labs report (search for "Java 8"): https://www.ssllabs.com/ssltest/analyze.html?d=bettercrypto.org&s=195.39.201.143

I wrote a basic Java HTTPS client in order to easily reproduce the bug: https://pastebin.com/FAnHPSA0

    # Bundled JRE
    $ ~/BurpSuitePro/jre/bin/java -version
    java version "1.8.0_112"
    Java(TM) SE Runtime Environment (build 1.8.0_112-b15)
    Java HotSpot(TM) 64-Bit Server VM (build 25.112-b15, mixed mode
    $ ~/BurpSuitePro/jre/bin/java HttpClient https://bettercrypto.org/ unlimited
    Switch JCE policy from null to unlimited -> unlimited
    E: SSL error (java.lang.RuntimeException: Could not generate DH keypair)

    # Ubuntu package "openjdk-8-jre-headless"
    $ /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java -version
    openjdk version "1.8.0_181"
    OpenJDK Runtime Environment (build 1.8.0_181-8u181-b13-1ubuntu0.16.04.1-b13)
    OpenJDK 64-Bit Server VM (build 25.181-b13, mixed mode)
    $ /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java HttpClient https://bettercrypto.org/ unlimited
    Switch JCE policy from unlimited to unlimited -> unlimited
    Result: 200

Apparently, this bug is exclusively linked to the Java version (JCE policies aren't involved).
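An added example, not part of the original post or of Burp: a small offline Java probe for the limitation described above. It asks the JRE's default DH key pair generator whether it accepts each modulus size; the class name DhSizeProbe and the list of sizes are assumptions, and it assumes the size check made in initialize() is the same one the TLS client runs into.

```java
import java.security.InvalidParameterException;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.util.LinkedHashMap;
import java.util.Map;

// Added diagnostic (hypothetical class name): reports which DH modulus
// sizes the running JRE's default provider accepts.
public class DhSizeProbe {
    // Sizes to probe (an assumption); 4096 is the pair size the post
    // gives for bettercrypto.org.
    static final int[] SIZES = {1024, 2048, 3072, 4096};

    // Returns size -> true if the provider accepts that key size.
    static Map<Integer, Boolean> probe() throws NoSuchAlgorithmException {
        Map<Integer, Boolean> result = new LinkedHashMap<>();
        for (int bits : SIZES) {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("DiffieHellman");
            try {
                // initialize() validates the requested size. With the default
                // provider no key pair is generated here, so the probe stays
                // fast even for large moduli.
                kpg.initialize(bits);
                result.put(bits, true);
            } catch (InvalidParameterException e) {
                // Thrown when the provider does not support this size.
                result.put(bits, false);
            }
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        // Print the runtime version so results from different JREs can be compared.
        System.out.println("java.version = " + System.getProperty("java.version"));
        for (Map.Entry<Integer, Boolean> e : probe().entrySet()) {
            System.out.printf("DH %d bits: %s%n", e.getKey(),
                    e.getValue() ? "supported" : "rejected by provider");
        }
    }
}
```

Compile it with a Java 8 target and run the class under each JRE being compared, for example the bundled `~/BurpSuitePro/jre/bin/java` from the post.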

PortSwigger Agent | Last updated: Nov 13, 2018 10:53AM UTC

Hi Nicolas, Thanks for letting us know about this. Is this issue preventing you from connecting to some SSL servers? Or is your concern just that we're not using as strong crypto as we could? Please let us know if you need any further assistance.

Burp User | Last updated: Nov 13, 2018 11:18AM UTC

I absolutely don't mind the possible weak crypto. My problem is to not be able to connect to some HTTPS websites.

Liam, PortSwigger Agent | Last updated: Nov 13, 2018 11:24AM UTC

Hi John, is this issue preventing you from connecting to this application?

Burp User | Last updated: Nov 14, 2018 05:39PM UTC

I am experiencing similar issues in 2.0.11a.

Example URL: https://developer.mozilla.org/en-US/docs/Tools

Burp User | Last updated: Nov 15, 2018 06:35PM UTC

Yes - I can't connect to that site

Liam, PortSwigger Agent | Last updated: Nov 16, 2018 07:55AM UTC

We're able to connect to the site using Burp. Are you using the platform installer version of Burp? Do you see any error messages?

Burp User | Last updated: Nov 16, 2018 05:12PM UTC

I am using the platform installer on Windows 7. Now at version 2.0.12. I was able to connect on another machine with a direct connection. The problem seems to be introduced by our SOCKS proxy.

I get an error "Failed to auto-select SSL parameters for developer.mozilla.org" in the Dashboard.

Browser displays:

    Burp Suite Professional
    Error
    Received fatal alert: handshake_failure

Liam, PortSwigger Agent | Last updated: Nov 19, 2018 10:19AM UTC

Did you make any progress with your SOCKS proxy? It's worth noting that we're working on upgrading the JRE shipped with Burp 2.x to Java 10.

Burp User | Last updated: Nov 20, 2018 04:15PM UTC

No progress on SOCKS proxy.

PortSwigger Agent | Last updated: Nov 20, 2018 04:35PM UTC

Understood. Burp just uses the Java SOCKS Proxy. If it's not working in your environment, I can only conclude that the Java proxy is not compatible with yours. Unfortunately, there's not much we can do about that.
