The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Disable specific cipher suites or configure specific versions of TLS for the Enterprise web site?

Ogle, | Last updated: Sep 28, 2022 09:26PM UTC

I need to change the Enterprise webserver TLS cipher suites. It looks like it is using JRE v 17.0.4. From other sites, it looks like I need to add a Java configuration parameter to the nohup java command probably in burpsuite_enterprise/burpsuiteenterpriseedition_webserver to remove the "weak" cipher suites or to point to a configuration file to pull the security configuration. Is there another way to do this?

Maia, PortSwigger Agent | Last updated: Sep 29, 2022 01:35PM UTC

Hi, we are looking at removing support for weak TLS cipher suites, but currently there isn't a stable way of making this change manually, as it would be undone by the next Java update.

Ogle, | Last updated: Oct 11, 2022 02:49PM UTC

I understand that this would need to be redone after each update. I would greatly appreciate it if you would tell me the file to update along with the parameters that I would need to add. For the future, I would add a configuration file that can be referenced. The configuration file can survive past an update.

Ogle, | Last updated: Oct 11, 2022 06:52PM UTC

I fixed the issue at least until the next upgrade. Please confirm. I changed the echo and exec lines in burpsuite_interprise/webServer/component.sh:

From:

echo "$JRE_HOME/bin/java -cp lib/* -Dlogback.configurationFile=$LOGBACK_FILE -DlogsDirectory=$LOG_DIR -Djava.security.egd=file:///dev/urandom $MAIN_CLASS"
exec "$JRE_HOME/bin/java" -cp "lib/*" -Dlogback.configurationFile=$LOGBACK_FILE -DlogsDirectory="$LOG_DIR" -Djava.security.egd=file:///dev/urandom $MAIN_CLASS

To:

echo "$JRE_HOME/bin/java -cp lib/* -Dlogback.configurationFile=$LOGBACK_FILE -DlogsDirectory=$LOG_DIR -Djava.security.egd=file:///dev/urandom -Djdk.tls.ephemeralDHKeySize=2048 $MAIN_CLASS"
exec "$JRE_HOME/bin/java" -cp "lib/*" -Dlogback.configurationFile=$LOGBACK_FILE -DlogsDirectory="$LOG_DIR" -Djava.security.egd=file:///dev/urandom -Djdk.tls.ephemeralDHKeySize=2048 $MAIN_CLASS

I ran a test with testssl.sh, and I got this result:

LOGJAM (CVE-2015-4000), experimental common prime with 2048 bits detected: RFC7919/ffdhe2048 (2048 bits), but no DH EXPORT ciphers
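The change above only raises the ephemeral DH key size (which is what the testssl.sh LOGJAM line reflects); it does not remove any cipher suite. In a JDK, cipher suites and protocol versions are removed through the jdk.tls.disabledAlgorithms security property, and the standard way to keep such a setting out of the JRE's own java.security file (so that replacing the bundled JRE does not undo it, as the poster asks for) is to put it in a separate file referenced with -Djava.security.properties=<file>. The script below is an added example, not code from the thread or from PortSwigger: the override file path, the disabled-algorithm list and the placeholder JRE/log/main-class values are assumptions. It writes the override file, sanity-checks that the legacy protocols and ciphers are actually listed (an override replaces the JDK's value for that property wholesale, so a short list would silently re-enable what the JDK disables by default), and builds the exec line from the thread with the two extra properties.

```shell
#!/bin/sh
# Added example (not from the thread or from PortSwigger): keep TLS
# hardening for a Java service in a separate security-properties override
# file so it survives a JRE upgrade. Path and values below are assumptions.

TLS_OVERRIDE_FILE="${TLS_OVERRIDE_FILE:-${TMPDIR:-/tmp}/burp-tls-hardening.properties}"

# Constructed list modelled on the JDK 17 defaults, with DH raised to 2048.
# A property set in the override REPLACES the JRE's value for that property,
# so everything you still want disabled has to be repeated here.
DISABLED_ALGS='SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 2048, EC keySize < 224, 3DES_EDE_CBC, anon, NULL'

# Write the override file that -Djava.security.properties= will point at.
write_tls_override() {
    printf '# TLS hardening override, applied via -Djava.security.properties\n' > "$TLS_OVERRIDE_FILE"
    printf 'jdk.tls.disabledAlgorithms=%s\n' "$DISABLED_ALGS" >> "$TLS_OVERRIDE_FILE"
}

# Fail unless every legacy protocol/cipher below appears as an exact,
# comma-separated token of jdk.tls.disabledAlgorithms in the override file.
check_tls_override() {
    value=$(sed -n 's/^jdk\.tls\.disabledAlgorithms=//p' "$TLS_OVERRIDE_FILE")
    for required in SSLv3 TLSv1 TLSv1.1 RC4 DES 3DES_EDE_CBC anon NULL; do
        printf '%s\n' "$value" | tr ',' '\n' | sed 's/^ *//;s/ *$//' \
            | grep -qxF "$required" || return 1
    done
    return 0
}

# Build the exec line from the thread, extended with the override file and
# the 2048-bit ephemeral DH key. Arguments: JRE home, logback file,
# log directory, main class (all placeholders supplied by the caller).
build_java_cmd() {
    jre_home=$1; logback_file=$2; log_dir=$3; main_class=$4
    printf '%s/bin/java -cp lib/* -Dlogback.configurationFile=%s -DlogsDirectory=%s -Djava.security.egd=file:///dev/urandom -Djava.security.properties=%s -Djdk.tls.ephemeralDHKeySize=2048 %s\n' \
        "$jre_home" "$logback_file" "$log_dir" "$TLS_OVERRIDE_FILE" "$main_class"
}

# Stand-alone run with placeholder values (hypothetical paths and class).
write_tls_override
check_tls_override || { echo "override file is missing a required entry" >&2; exit 1; }
build_java_cmd /opt/burp/jre /opt/burp/logback.xml /var/log/burp com.example.Main
```

To apply it, the echo/exec lines in component.sh get the same two -D properties, keeping the original quoting of "lib/*" so the JVM expands the classpath wildcard. A single "=" after -Djava.security.properties merges the file over the JRE's java.security (a "==" would replace that whole file), and the JRE's java.security must still have security.overridePropertiesFile=true, which is the JDK default. Rerunning testssl.sh after the change is the confirmation that the intended suites are gone.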

Maia, PortSwigger Agent | Last updated: Oct 12, 2022 04:05PM UTC