Burp Suite User Forum

Create new post

Burp Collaborator Health Check & SSL

steven | Last updated: Jul 17, 2017 10:22PM UTC

Hello, I have deployed a private Collaborator on my internal network, and I am attempting to get SSL to work. We have an internal CA that I have used to issue a wildcard cert. When I run the health check I still get a warning for the 'server https connection (trust enforced)' and 'server smtps connection (trust enforced). The accompanying message for that warning is: An SSL error occurred when connecting to the SMTPS capture server zy11igauibwnbjomu0f1ldohx83lh41m5pu.burp.nrel.gov, but connecting did work if the certificate was not validated. This configuration will work if the server under test does not validate certificates, or has the capture server certificate installed. I am curious if this is a result of the cert coming from an internal CA, and not a publicly trusted CA? Also, polling only works over unencrypted http. Below is my redacted config (which I feel is pretty standard): { "serverDomain" : "burp.domain.com", "workerThreads" : 10, "eventCapture": { "localAddress" : ["xxx.xxx.xxx.xxx", ""], "publicAddress" : "xxx.xxx.xxx.xxx", "http": { "ports" : 80 }, "https": { "ports" : 443 }, "smtp": { "ports" : [25, 587] }, "smtps": { "ports" : 465 }, "ssl": { "certificateFiles" : [ "/directory/to/collaborator/keys/myprivate.key.pkcs8", "/directory/to/collaborator/keys/mycert.crt", "/directory/to/collaborator/keys/intermediate.crt" ] } }, "polling" : { "localAddress" : "xxx.xxx.xxx.xxx", "publicAddress" : "xxx.xxx.xxx.xxx", "http": { "port" : 9090 }, "https": { "port" : 9443 } }, "metrics": { "path" : "Collab", "addressWhitelist" : ["xxx.xxx.xxx.xxx/24"] }, "logLevel" : "INFO" } Thanks for any help anyone can give. -Steven

PortSwigger Agent | Last updated: Jul 18, 2017 07:01AM UTC

Hi Steven, Thanks for your inquiry. That error occurs when Java fails to validate the SSL certificate. So yes, it's due to you using an internal CA. Be aware that Java uses a separate certificate store, not your OS certificate store. You can add your internal CA to the Java store. That's non-trivial, but you can find instructions online. Alternatively, you can use "Poll over unencrypted HTTP" as you mention. For SSL interactions to work, the server you are testing needs to accept your wildcard certificate. Your internal CA needs to be installed in its certificate store, and verifying this has been done correctly is non-trivial. However, many Collaborator detections will work without SSL, so this may not be a major issue. Please let us know if you need any further assistance.

Burp User | Last updated: Jul 18, 2017 02:09PM UTC

Thank you for your response. So, if internally all web sites I test against actually trust the cert (because they trust our internal CA), then is the warning I'm getting technically a false positive? Or will it continue to be an actual issue? -Steven

PortSwigger Agent | Last updated: Jul 18, 2017 02:18PM UTC

Hi Stephen, Yes, that's right. If the test web sites trust the cert, and you poll unencrypted, that warning is a false positive and you can ignore it.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.