The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Facing Issue with SSL Negotiation using Burp Suite Professional v2020.11.3

cerom | Last updated: Dec 17, 2020 07:37PM UTC

I have the following setup:

OS - Kali GNU/Linux Rolling 2020.4
Java - 14.0
Burp Suite Version - Professional v2020.11.3
iPhone Model: XR
iOS Version: 14.2

Background: I have an SSL unpinned iOS mobile application installed on iOS and am testing it. While logging into the app, it hits a sample URL like https://api.target.com to authenticate users.

Issue: While I'm able to authenticate to the same page via Safari, whenever I try it in the unpinned mobile app I receive the error "The client failed to negotiate a TLS connection. Remote host terminated the handshake" as the iOS app tries to initiate the connection to https://api.target.com. I'm not sure what the issue is here. Can someone help me understand the problem?

Hannah, PortSwigger Agent | Last updated: Dec 18, 2020 09:29AM UTC

Hi,

Could you try setting your TLS protocols to TLSv1.2 rather than using TLSv1.3? You can do this by clicking on your Proxy Listener, then going to "Edit > TLS Protocols > Use custom protocols > Uncheck TLSv1.3".

cerom | Last updated: Dec 18, 2020 07:42PM UTC

Hey Hannah,

Thanks for your response. I had to disable all the other protocols except TLS 1.2 to fix this issue. So now I have only TLS 1.2 under "TLS Protocols" and this method seems to be working. If possible, please provide more details on the following:

1. Any idea why the interception was working on Safari for the same website (https://api.target.com) and not when called via the unpinned iOS app?
2. What's causing the issue with TLS 1.3?

Regards,
cerom

cerom | Last updated: Dec 18, 2020 08:20PM UTC

Hey Hannah,

The above method didn't actually work. I had added a "TLS Pass Through" and forgot about it. So, even after disabling TLS 1.3, the "SSL Negotiation" error still persists. Kindly assist here.

Regards,
cerom

Hannah, PortSwigger Agent | Last updated: Dec 21, 2020 02:28PM UTC

Hi Cerom,

Is your app publicly available, or is it private? Does the app use any other channels of communication, other than HTTP and HTTPS?

cerom | Last updated: Dec 21, 2020 04:37PM UTC

Hey Hannah,

As I already mentioned, I was testing an unpinned version of one of my client's apps as part of a project, so it's not publicly available. The app only communicates with the server using both HTTP and HTTPS. Please let me know if I can overcome this issue and what's causing it.

Regards,
cerom

Hannah, PortSwigger Agent | Last updated: Dec 22, 2020 12:09PM UTC