Burp Suite User Forum


Client certificate authentication results in Received fatal alert: decrypt_error

GarlicCheese | Last updated: Apr 28, 2020 10:53AM UTC

I'm currently testing a web application that relies on client certificates for the authentication. I'm suspecting that they rely on the Common Name in the client cert to assign roles to the authenticating user. I've recreated the client certificate (issuer and subject information) for the application with openssl and a self-signed CA and p12 (see process below):

CA:
openssl genrsa -aes256 -out ca-key.pem 2048
openssl req -x509 -new -nodes -extensions v3_ca -key ca-key.pem -days 1024 -out ca-root.pem -sha512

CLIENT CERT/KEY:
openssl genrsa -out client-key.pem 4096
openssl req -new -key client-key.pem -out client.csr -sha512
openssl x509 -req -in client.csr -CA ca-root.pem -CAkey ca-key.pem -CAcreateserial -out client-pub.pem -days 365 -sha512
openssl pkcs12 -export -out client.pfx -inkey client-key.pem -in client-pub.pem

Now if I try to access the application using the new client certificate, I'm facing the following error:

Error Received fatal alert: decrypt_error

Is this an issue of Java/Burp, the web application or do I misunderstand the process of client authentication at some point?

Uthman, PortSwigger Agent | Last updated: Apr 28, 2020 12:29PM UTC

Hi, Have you imported the certificate into Burp under User options > TLS > Client TLS Certificates?

GarlicCheese | Last updated: Apr 28, 2020 12:43PM UTC

Pretty much so. I've used the project options (override user options), but that shouldn't make much of a difference, I assume. The actual client certificates work without an issue; just the self-signed certificates result in this problem.

Uthman, PortSwigger Agent | Last updated: Apr 28, 2020 02:08PM UTC

Does your self-signed certificate work when not proxying through Burp? Have you configured any options under Project options > TLS Negotiation? Please enable Performance Feedback > Log exceptions to a local directory under User options > Misc, recreate the error, and see if any exceptions are logged there. If they are, please send a Debug ID and more details on the exceptions to support@portswigger.net.

GarlicCheese | Last updated: Apr 29, 2020 05:25AM UTC

The connection fails with "Error code: SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT" without Burp, so this is an issue on my side, not Burp. Thank you.

GarlicCheese | Last updated: Apr 29, 2020 07:27AM UTC

Correction: the error without Burp is also "Error code: SSL_ERROR_DECRYPT_ERROR_ALERT"

Uthman, PortSwigger Agent | Last updated: Apr 29, 2020 07:55AM UTC

Thanks for the update. Please let me know if there is anything else you need help with!
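Added example, not part of any post in this thread: a check that a client certificate recreated with identical subject and issuer names under a second self-signed CA does not verify against the CA a server actually trusts, because verification checks the issuer's signature rather than the names. All names, directories and the compare_chains helper are constructed for illustration, and the thread does not confirm that this is what produced the poster's alert.

```shell
#!/bin/sh
# Added example. All names and files are constructed; nothing here is from the thread.

make_ca() {        # make_ca <dir>: self-signed CA, same subject every time
    openssl req -x509 -newkey rsa:2048 -nodes -extensions v3_ca \
        -subj "/O=Example Org/CN=Example Client CA" -days 30 -sha256 \
        -keyout "$1/ca-key.pem" -out "$1/ca-root.pem" 2>/dev/null
}

issue_client() {   # issue_client <dir>: client cert signed by the CA in <dir>
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example Org/CN=alice" \
        -keyout "$1/client-key.pem" -out "$1/client.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/client.csr" -CA "$1/ca-root.pem" \
        -CAkey "$1/ca-key.pem" -CAcreateserial -days 30 -sha256 \
        -out "$1/client-pub.pem" 2>/dev/null
}

names() {          # subject and issuer DN of a certificate
    openssl x509 -in "$1" -noout -subject -issuer
}

chains_to() {      # chains_to <ca.pem> <cert.pem>: 0 only if the chain verifies
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

compare_chains() { # prints names=<same|differ> genuine=<ok|rejected> recreated=<ok|rejected>
    work=$(mktemp -d) || return 1
    mkdir "$work/real" "$work/recreated"
    for d in real recreated; do
        make_ca "$work/$d" && issue_client "$work/$d" || { rm -rf "$work"; return 1; }
    done
    trust="$work/real/ca-root.pem"   # the only CA the (hypothetical) server trusts
    if [ "$(names "$work/real/client-pub.pem")" = "$(names "$work/recreated/client-pub.pem")" ]
    then n=same; else n=differ; fi
    if chains_to "$trust" "$work/real/client-pub.pem"; then g=ok; else g=rejected; fi
    if chains_to "$trust" "$work/recreated/client-pub.pem"; then r=ok; else r=rejected; fi
    rm -rf "$work"
    echo "names=$n genuine=$g recreated=$r"
}

compare_chains
```

Running `openssl verify -CAfile` with the server's real CA against a client certificate before importing it into a proxy or browser gives the same answer without a TLS handshake.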
