Burp Suite User Forum

Getting "The client failed to negotiate a TLS connection to .... Received fatal alert: unknown_ca" on Android

Cody | Last updated: Sep 18, 2022 12:42PM UTC

Hi. I'm trying to intercept the traffic of an Android application. My emulator is NoxPlayer with Android 9. There is no problem with other apps, as I can clearly see their HTTP and HTTPS outgoing/incoming traffic. I did it the hard way, importing the certificate as root, and things have been working fine. However, there's one specific app that throws this error and doesn't connect at all:

"The client failed to negotiate a TLS connection to .... Received fatal alert: unknown_ca"

I read most topics on PortSwigger and none of them fixed my problem. Even Frida couldn't help with SSL pinning. As a matter of fact, I highly doubt that this application is blocking SSL pinning because it's fairly new and there's definitely something wrong on my end. (It's a game, btw, that uses Unreal Engine 5.)

To recap: the app DOESN'T work when I set proxy settings and try to capture the traffic with Burp Suite, and as soon as I turn off the proxy settings, it starts working again.

Things I tried that didn't work:

- Removed all Burp files (even the registry records) and downloaded the latest version.
- Imported PortSwigger's certificate at user and system level several times via root.
- Made a custom certificate using nvisio's tutorial and imported it as user/system via root.
- Used +20 SSL pinning scripts with Frida.
- Made new Android emulators (to make sure my emulator is not faulty).
- Used College Proxy instead of system proxy configs to drive traffic to Burp Suite (thought they can detect system proxies).
- Disabled TLS 1.3 on Burp Suite.
- Disabled https 2.0 on Burp Suite.
- Used OWASP ZAP along with Burp Suite as proxy upstream (suggested in one topic).
- ...

I don't know if it can help or not, but I can see "b-graph.facebook.com" throws the very same error. BUT literally everything else other than the app and the URL mentioned above is fine.

I read on Stack Overflow that: "If you get an alert unknown_ca back from the server, then the server did not like the certificate you've send as the client certificate, because it is not signed by a CA which is trusted by the server for client certificates." Is this the correct answer, and does Burp have any solution for this? How can I capture the traffic... This is driving me crazy.
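Burp's message reports a TLS alert it received on the client side of the connection; on the wire that alert is a two-byte record payload (level, description). The decoder below is an added example, not part of the original thread: it walks raw TLS records captured in the client-to-proxy direction and names any plaintext alert. The sample bytes are constructed, and alerts sent after encryption has started (as in TLS 1.3) cannot be read this way.

```python
# Added example: decode TLS alert records from raw bytes captured on the wire.
import struct

CONTENT_ALERT = 21  # TLS record content type for alerts
LEVELS = {1: "warning", 2: "fatal"}
# Certificate-related alert descriptions from RFC 5246 / RFC 8446.
DESCRIPTIONS = {
    0: "close_notify",
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
    116: "certificate_required",
}

def iter_records(stream: bytes):
    """Yield (content_type, version, payload) for each complete TLS record."""
    offset = 0
    while offset + 5 <= len(stream):
        ctype, version, length = struct.unpack_from("!BHH", stream, offset)
        payload = stream[offset + 5 : offset + 5 + length]
        if len(payload) < length:
            raise ValueError(f"truncated record at offset {offset}")
        yield ctype, version, payload
        offset += 5 + length

def find_alerts(stream: bytes):
    """Return [(level, description)] for plaintext alert records in stream."""
    alerts = []
    for ctype, _version, payload in iter_records(stream):
        if ctype != CONTENT_ALERT or len(payload) != 2:
            continue  # handshake/app data, or an alert that is already encrypted
        level, desc = payload
        alerts.append((LEVELS.get(level, f"level_{level}"),
                       DESCRIPTIONS.get(desc, f"alert_{desc}")))
    return alerts

# Constructed sample: client -> proxy bytes of a TLS 1.2 connection, a
# shortened fake handshake record followed by the alert record.
SAMPLE_CLIENT_TO_PROXY = bytes.fromhex("160303000401000000" "15030300020230")

if __name__ == "__main__":
    print(find_alerts(SAMPLE_CLIENT_TO_PROXY))
```

Which direction of the capture contains the alert record shows which endpoint rejected the certificate chain it was presented with.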

Ben, PortSwigger Agent | Last updated: Sep 19, 2022 09:39AM UTC

Hi Cody, If you are able to successfully proxy traffic from other mobile apps and web traffic from your browser, using your existing setup, then that would suggest the issue lies with interacting with this other app. You mention that you doubt the app is performing certificate pinning - is the app one that you have access to the source code (in order for you to make this assumption) or is this simply an app that you are trying to proxy? Finally, is the app itself publicly available?

Cody | Last updated: Sep 19, 2022 06:34PM UTC

Hi. I do not have access to its source code (although I searched for strings like "ssl pinning", "pinning" and things like that via jadx to make sure there is no SSL pinning). Also, based on my experience, newly created apps by new companies are 99% vulnerable. And lastly, I tried +20 scripts via Frida and got the same error with every single one of them. The app itself is not publicly available because it's still in Alpha version, and sharing its name/link here would not be ideal, but I can share it with your team via email if it can help. Thank you.

Ben, PortSwigger Agent | Last updated: Sep 21, 2022 11:26AM UTC

Hi Cody, If it is an app that we can readily get hold of then we can take a look (although I would suspect that we are going to see the same behaviour as you). You can send us an email at support@portswigger.net if you wish to provide this information there.