Burp Suite User Forum


Burp Suite SSL Certificate Error (peer not authenticated)

Abhijeet | Last updated: Nov 28, 2016 09:40AM UTC

Hi,

We have encountered a weird error while intercepting an application with SSL.

1480321180146 Repeater Auto-selected SSL parameters for domainstagxyz.domainxyz.com: default protocols, TLS_DH_anon_WITH_AES_256_GCM_SHA384
1480321180146 Repeater javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
1480321252531 Proxy javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
1480321252531 Proxy peer not authenticated

I have tried downgrading the Java version from 8 to 7, and even tried an older patch set for Java. I'm running Burp with the command line below:

java -Xmx4G -Dsun.security.ssl.allowUnsafeRenegotiation=true -d64 -XX:MaxPermSize=256M -jar burpsuite_pro_v1.7.12.jar

Liam, PortSwigger Agent | Last updated: Nov 29, 2016 09:46AM UTC

Hi Abhijeet,

Thanks for your message. There are a number of steps that you could try to troubleshoot your SSL issue:

1. Go to project options > SSL > SSL Negotiation > SSL negotiation workarounds and try all of the available options.
2. Go to user options > SSL > Java SSL options and try all of the available options.
3. Connect to the application using your browser and make a note of which protocol and cipher are used. Go to project options > SSL > SSL negotiation > use custom protocols and ciphers and use only the noted protocols.
4. Remove the allowUnsafeRenegotiation flag from the command to launch Burp.

Please let us know if you need any further assistance.

Burp User | Last updated: Nov 30, 2016 01:05PM UTC

Hi,

I have followed your steps. I have selected individual protocols for TLS 1.2 (we are moving to ATS for iOS). I removed every command-line parameter and started Burp. Below is the error code received for each cipher selected:

handshake failure
true TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
false TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
true TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
true TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
true TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
true TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
true TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
true TLS_DHE_DSS_WITH_AES_256_CBC_SHA
true TLS_DHE_DSS_WITH_AES_256_CBC_SHA
true TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
true TLS_RSA_WITH_AES_128_CBC_SHA256
true TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
true TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
true TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
true TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
true TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
true TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
true TLS_RSA_WITH_AES_128_CBC_SHA
true TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
true TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
true TLS_DHE_RSA_WITH_AES_128_CBC_SHA
true TLS_DHE_DSS_WITH_AES_128_CBC_SHA
true TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
true TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
true TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
true TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
true TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
true TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
true TLS_RSA_WITH_AES_128_GCM_SHA256
true TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
true TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
true TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
true TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
true TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
true TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
true SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
true TLS_DH_anon_WITH_AES_128_GCM_SHA256
true TLS_DH_anon_WITH_AES_256_CBC_SHA256
true TLS_ECDH_anon_WITH_AES_256_CBC_SHA
true TLS_DH_anon_WITH_AES_256_CBC_SHA
true TLS_DH_anon_WITH_AES_128_CBC_SHA256
true TLS_ECDH_anon_WITH_AES_128_CBC_SHA
true TLS_DH_anon_WITH_AES_128_CBC_SHA
true TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
true SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
true TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
true TLS_ECDHE_RSA_WITH_RC4_128_SHA
true SSL_RSA_WITH_RC4_128_SHA
true TLS_ECDH_ECDSA_WITH_RC4_128_SHA
true TLS_RSA_WITH_NULL_SHA256
true TLS_ECDH_RSA_WITH_RC4_128_SHA
true TLS_ECDH_anon_WITH_RC4_128_SHA
true SSL_RSA_WITH_RC4_128_MD5
true SSL_DH_anon_WITH_RC4_128_MD5
true TLS_ECDHE_ECDSA_WITH_NULL_SHA
true TLS_ECDHE_RSA_WITH_NULL_SHA
true SSL_RSA_WITH_NULL_SHA
true TLS_ECDH_ECDSA_WITH_NULL_SHA
true TLS_ECDH_RSA_WITH_NULL_SHA
true SSL_RSA_WITH_NULL_MD5
true TLS_KRB5_WITH_3DES_EDE_CBC_SHA
true TLS_KRB5_WITH_RC4_128_SHA
true TLS_KRB5_WITH_3DES_EDE_CBC_MD5
true TLS_KRB5_WITH_RC4_128_MD5

certificate not compiled with constraint
true TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
false TLS_RSA_WITH_AES_256_CBC_SHA256
true TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
true TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
true TLS_RSA_WITH_AES_256_CBC_SHA
true TLS_DHE_RSA_WITH_AES_256_CBC_SHA
true TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
true TLS_RSA_WITH_AES_256_GCM_SHA384
true TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
true TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

Protocol disable or cipher suites are inappropriate
true SSL_RSA_WITH_DES_CBC_SHA
true SSL_DHE_RSA_WITH_DES_CBC_SHA
true SSL_DHE_DSS_WITH_DES_CBC_SHA
true SSL_DH_anon_WITH_DES_CBC_SHA
true SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
true SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
true SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
true SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
true SSL_RSA_WITH_3DES_EDE_CBC_SHA
true SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
true TLS_KRB5_WITH_DES_CBC_SHA
true TLS_KRB5_WITH_DES_CBC_MD5
true TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
true TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
true TLS_KRB5_EXPORT_WITH_RC4_40_SHA
true TLS_KRB5_EXPORT_WITH_RC4_40_MD5

No negotialble cipher suite
true TLS_EMPTY_RENEGOTIATION_INFO_SCSV

FYI, the application works flawlessly with ZAP proxy.

Liam, PortSwigger Agent | Last updated: Nov 30, 2016 01:27PM UTC

Hi Abhijeet,

Thanks for the additional information. It is worth noting that Burp uses the native Java SSL stack, while ZAP uses an external library. Both implementations have issues with some servers. As a workaround you could proxy Burp through ZAP:

https://support.portswigger.net/customer/portal/articles/2363078
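Added example, not part of the thread and not Burp's code: because Burp uses the native Java SSL stack, this stand-alone probe offers one cipher suite at a time from that same stack to the application under test and prints what the stack reports, reproducing the per-cipher results above without Burp in the path. The class name `JsseCipherProbe` and the 5-second timeouts are assumptions; the host is supplied on the command line.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added diagnostic, not Burp code: offers one cipher suite at a time from the
// JVM's own TLS stack (JSSE) and prints what that stack reports for each.
public class JsseCipherProbe {
    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java JsseCipherProbe <host> [port]");
            return;
        }
        String host = args[0];
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        SSLContext context = SSLContext.getDefault();
        SSLSocketFactory factory = context.getSocketFactory();
        for (String suite : context.getSupportedSSLParameters().getCipherSuites()) {
            if (suite.endsWith("_SCSV")) continue; // signalling value, not a cipher
            System.out.printf("%-48s %s%n", suite, probe(factory, host, port, suite));
        }
    }

    static String probe(SSLSocketFactory factory, String host, int port, String suite) {
        try (Socket plain = new Socket()) {
            plain.connect(new InetSocketAddress(host, port), 5000); // assumed timeout
            plain.setSoTimeout(5000);
            // Layering over a connected socket keeps the host name available for SNI.
            try (SSLSocket tls = (SSLSocket) factory.createSocket(plain, host, port, true)) {
                tls.setEnabledCipherSuites(new String[] {suite});
                tls.startHandshake();
                SSLSession session = tls.getSession();
                try {
                    int chain = session.getPeerCertificates().length;
                    return "OK " + session.getProtocol() + ", " + chain + " certificate(s)";
                } catch (SSLPeerUnverifiedException e) {
                    // Handshake completed but the server presented no certificate,
                    // as happens with anonymous (DH_anon / ECDH_anon) suites.
                    return "negotiated, " + e.getMessage();
                }
            }
        } catch (IOException e) { // SSLException is a subclass of IOException
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }
}
```

Run it with the same JVM that launches Burp, since the set of supported and disabled algorithms is a per-JVM setting.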

Burp User | Last updated: Dec 04, 2016 02:03PM UTC

Hi,

That's exactly what I'm doing right now. But it would be great if you guys fixed this issue in upcoming releases, as scanning through ZAP chains causes instability in ZAP.

Liam, PortSwigger Agent | Last updated: Dec 05, 2016 09:37AM UTC

Hi Abhijeet,

We do plan to improve the way Burp deals with SSL in the future. However, we can't currently provide an ETA.
