Burp Suite User Forum

Enforce sending of TLS client certificate

floyd | Last updated: Dec 03, 2018 11:47AM UTC

When configuring a TLS client certificate in Burp, it is only used when the server requests it in the TLS handshake. However, it would be very helpful if there were a checkbox that enforces usage of the TLS client certificate for certain hostnames. There are servers that don't request one in the TLS handshake, but require one to be sent by the client.

PortSwigger Agent | Last updated: Dec 03, 2018 11:47AM UTC

That sounds like a good idea. It's difficult to do this with the Java SSL stack, but if we implement an alternative stack based on Bouncy Castle, that would be a useful feature.
