Burp Suite User Forum


Facing Issue with SSL Negotiation using Burp Suite Professional v2020.11.3

cerom | Last updated: Dec 17, 2020 07:37PM UTC

I have the following setup:
OS - Kali GNU/Linux Rolling 2020.4
Java - 14.0
Burp Suite Version - Professional v2020.11.3
iPhone Model: XR
iOS Version: 14.2

Background: I have an SSL unpinned iOS mobile application installed on iOS and am testing the same. While logging into the app it's hitting a sample URL like https://api.target.com to authenticate users.

Issue: While I'm able to authenticate to the same page via Safari, whenever I try it in the unpinned mobile app I'm receiving the error "The client failed to negotiate a TLS connection. Remote host terminated the handshake" as the iOS app tries to initiate the connection to https://api.target.com. Not sure what's the issue here. Can someone help me understand the problem here?

Hannah, PortSwigger Agent | Last updated: Dec 18, 2020 09:29AM UTC

Hi, could you try setting your TLS protocols to TLSv1.2 rather than using TLSv1.3? You can do this by clicking on your Proxy Listener, then going to "Edit > TLS Protocols > Use custom protocols > Uncheck TLSv1.3".
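
Hannah's suggestion comes down to a version mismatch between what the app's TLS client offers and what the listener accepts. A quick way to check that before changing listener settings is to look at the app's ClientHello (for example from a packet capture taken on the Burp host) and compare the versions it advertises with the ones enabled on the listener. The script below is an added example, not code from the thread or from PortSwigger: it parses the supported_versions and server_name extensions out of a ClientHello and reports which version a listener with a given protocol set would end up negotiating, or that the handshake would fail. The ClientHello bytes are constructed inline by `build_client_hello` (a zeroed random, a made-up cipher list, and the thread's placeholder hostname api.target.com), not a real capture.

```python
import struct
from typing import Dict, Iterable, List, Optional

# Wire values a client can advertise (RFC 5246 / RFC 8446).
TLS_VERSION_NAMES: Dict[int, str] = {
    0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3",
}
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B


def build_client_hello(hostname: str, versions: List[int], cipher_suites: List[int]) -> bytes:
    """Construct a minimal ClientHello record (sample input only; not a real capture)."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name            # name_type = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    vers = b"".join(struct.pack("!H", v) for v in versions)
    sv_ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(vers) + 1) + bytes([len(vers)]) + vers
    exts = sni_ext + sv_ext
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    hello = (struct.pack("!H", 0x0303)            # legacy_version: a 1.3 client still writes 1.2 here
             + bytes(32)                          # client random (zeros in this sample)
             + b"\x00"                            # empty legacy_session_id
             + struct.pack("!H", len(suites)) + suites
             + b"\x01\x00"                        # one compression method: null
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> Dict[str, object]:
    """Extract legacy_version, cipher suites, SNI and supported_versions from a ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    (legacy_version,) = struct.unpack("!H", hello[pos:pos + 2]); pos += 2
    pos += 32                                     # skip client random
    pos += 1 + hello[pos]                         # skip session id
    (cs_len,) = struct.unpack("!H", hello[pos:pos + 2]); pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                         # skip compression methods
    info: Dict[str, object] = {"legacy_version": legacy_version, "cipher_suites": suites,
                               "sni": None, "supported_versions": []}
    if pos + 2 <= len(hello):                     # extensions block is optional
        (ext_len,) = struct.unpack("!H", hello[pos:pos + 2]); pos += 2
        end = min(pos + ext_len, len(hello))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
            data = hello[pos:pos + elen]; pos += elen
            if etype == EXT_SERVER_NAME and len(data) >= 5:
                (name_len,) = struct.unpack("!H", data[3:5])
                info["sni"] = data[5:5 + name_len].decode("ascii", "replace")
            elif etype == EXT_SUPPORTED_VERSIONS and data:
                n = data[0]
                info["supported_versions"] = [struct.unpack("!H", data[i:i + 2])[0]
                                              for i in range(1, 1 + n, 2)]
    return info


def offered_versions(info: Dict[str, object]) -> List[int]:
    """Versions the client will speak: supported_versions if sent, otherwise everything up to legacy_version."""
    sv = list(info["supported_versions"])  # type: ignore[arg-type]
    if sv:
        return sv
    return [v for v in TLS_VERSION_NAMES if v <= info["legacy_version"]]  # type: ignore[operator]


def negotiate(offered: Iterable[int], listener_enabled: Iterable[int]) -> Optional[int]:
    """Highest version both sides accept, or None (the server would abort the handshake)."""
    common = set(offered) & set(listener_enabled)
    return max(common) if common else None


if __name__ == "__main__":
    sample = build_client_hello("api.target.com", [0x0304, 0x0303], [0x1301, 0x1302, 0xC02F])
    info = parse_client_hello(sample)
    print("SNI:", info["sni"], "offers:", [TLS_VERSION_NAMES[v] for v in offered_versions(info)])
    for enabled in ({0x0303}, {0x0304}, {0x0302}):
        chosen = negotiate(offered_versions(info), enabled)
        print(sorted(TLS_VERSION_NAMES[v] for v in enabled), "->",
              TLS_VERSION_NAMES.get(chosen, "handshake fails"))
```

If the app's ClientHello carries only a single supported version that the listener has disabled, the listener-side result is exactly the "remote host terminated the handshake" error from the first post; if it carries no supported_versions extension at all, the client is a pre-1.3 stack and `legacy_version` is its ceiling.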

cerom | Last updated: Dec 18, 2020 07:42PM UTC

Hey Hannah, Thanks for your response. I had to disable all the other protocols except TLS 1.2 to fix this issue. So now I have only TLS 1.2 under "TLS Protocols" and this method seems to be working. If possible, provide more details on the following:
1. Any idea why the interception was working on Safari for the same website (https://api.target.com) and not when called via the unpinned iOS app?
2. What's causing the issue with TLS 1.3?
Regards, cerom

cerom | Last updated: Dec 18, 2020 08:20PM UTC

Hey Hannah, The above method didn't work actually. I added a "TLS Pass Through" and forgot about that. So, even after disabling TLS 1.3 the error with "SSL Negotiation" still persists. Kindly assist here. Regards, cerom

Hannah, PortSwigger Agent | Last updated: Dec 21, 2020 02:28PM UTC

Hi Cerom, is your app publicly available, or is it private? Does the app use any other channels of communication, other than HTTP and HTTPS?

cerom | Last updated: Dec 21, 2020 04:37PM UTC

Hey Hannah, As I already mentioned, I was testing an unpinned version of one of my client's apps as part of a project. So it's not publicly available. The app only communicates with the server using both HTTP and HTTPS. Please let me know if I can overcome this issue and what's causing it. Regards, cerom

Hannah, PortSwigger Agent | Last updated: Dec 22, 2020 12:09PM UTC

Hi Cerom, could you send us some screenshots of your issue and your current settings to support@portswigger.net?
