Burp Suite User Forum

iOS 13 + Burp SSL Certs Not Able to be Fully Trusted

Dan | Last updated: Oct 27, 2019 05:11PM UTC

I've followed the appropriate steps to fully trust the burp cert, but as of iOS 13 this does not work and HTTPS requests fail. Looking at iOS 13 release notes, I found this: https://support.apple.com/en-us/HT210176 -- I suspect this is related, though I have not had time yet to inspect the certs being generated by Burp to confirm one or more of these new restrictions are being violated. Can anyone 1) confirm this is an issue with iOS 13+ and 2) is there any workaround to this or timeline for addressing in Burp default functionality?

Burp User | Last updated: Oct 28, 2019 08:47AM UTC

Hello, we are facing the same issue with the certificates installed and created by Burp. See iOS changes (https://support.apple.com/en-us/HT210176). Is there a way to register own certificates, or is there already a fix / update available?

Liam, PortSwigger Agent | Last updated: Oct 28, 2019 09:06AM UTC

We have tested an iOS device that is running version 13.1.2 and we were able to successfully proxy HTTPS traffic through Burp Suite proxy instance running on my computer after installing the certificate and manually configuring my proxy settings. I'm assuming you have seen our guides on configuring your iOS device to work with Burp Suite? https://support.portswigger.net/customer/portal/articles/1841108—Mobile%20Set-up_iOS%20Device.html https://support.portswigger.net/customer/portal/articles/1841109-Mobile%20Set-up_iOS%20Device%20-%20Installing%20CA%20Certificate.html

Liam, PortSwigger Agent | Last updated: Oct 28, 2019 09:12AM UTC

Additionally, we've upgraded to iOS 13.1.3 and not been able to reproduce this issue.

Liam, PortSwigger Agent | Last updated: Oct 28, 2019 09:21AM UTC

Did this issue affect all applications? Are you encountering an error message in Burp's Event log?

Burp User | Last updated: Nov 01, 2019 09:25AM UTC

After I upgraded to 13.2, I encountered a situation where I chose the certificate trust and could not capture https. What should I do?

Burp User | Last updated: Nov 14, 2019 01:39PM UTC

Same problem, in my case:
- works in iOS 12.4
- does not work in iOS 13.1.2

Cert is installed, marked as verified, and then authorised in the Trust Store config. iOS Safari just fails. iOS Chrome hints with ERR_CERT_WEAK_KEY, you can make an exemption and proceed. This is probably happening because the PortSwigger cert is 1024 bits, which should be considered "a functional bug" since some clients will refuse it in any case. Not sure if Burp allows selecting 2048 bits when regenerating.

Burp User | Last updated: Nov 15, 2019 08:48AM UTC

I can confirm this error can be reproduced in iOS 13.2.2 due to the 1,024-bit RSA key size of the digital certificates generated by Burp: - https://support.apple.com/en-us/HT210176: "Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS." Would it be possible in the next version to force Burp to generate 2,048-bit certificates by default? Thanks, Raul

Liam, PortSwigger Agent | Last updated: Nov 15, 2019 11:46AM UTC

Thanks for these reports. We've flagged this issue for investigation. We'll update this thread when we have something to share.

Burp User | Last updated: Nov 15, 2019 03:17PM UTC

I have iOS 13.2.2 running on an iPhone X. The Burp CA is 2048 bits and I am running the latest Burp on macOS Mojave. I was able to capture HTTPS data from websites such as twitter.com and facebook.com, but was unable to capture any data to apple.com. Hope this information could help to find out the problem.

Hannah, PortSwigger Agent | Last updated: Nov 19, 2019 09:13AM UTC

Thank you for that information. We have been able to successfully reproduce the behaviour you are experiencing on iOS 13.2.3. We were unable to receive any data from apple.com in Safari, but Google Chrome functioned after dismissing a warning, so this could be a potential workaround for the time being. We have created a request for our development team to investigate, and will notify this thread once we have more information.

Ben, PortSwigger Agent | Last updated: Nov 25, 2019 02:18PM UTC

Hi, This is still under investigation by the development team. As noted, we will notify this thread when we have some further information.

Burp User | Last updated: Jan 12, 2020 09:48PM UTC

Any update of this?

Burp User | Last updated: Jan 16, 2020 08:23PM UTC

I have not been able to make it work on Google Chrome. The site doesn't load

Ben, PortSwigger Agent | Last updated: Jan 17, 2020 11:12AM UTC

Thank you for the further information. We are glad that you were able to resolve your issue.

Burp User | Last updated: Jan 24, 2020 04:16PM UTC

Having a 4096 bits key did not work for me. Here are the details:

    # Generate private key
    openssl genrsa -aes256 -out myBurpCA.key 4096
    # Generate Certificate
    openssl req -new -x509 -days 3650 -key myBurpCA.key -out root-ca.crt -subj "/C=CA/O=Burp/OU=Certification Services/CN=MyBURPRootCA/"
    # Export to pkcs12 format for import into burp
    openssl pkcs12 -export -out BurpRootCA.pfx -inkey myBurpCA.key -in root-ca.crt

Burp User | Last updated: Jan 24, 2020 04:45PM UTC

With a 365 days root CA, it is now working. The document referred above, helped : https://support.apple.com/en-us/HT210176

Burp User | Last updated: Jan 28, 2020 07:26PM UTC

Ben Wright worked for you, can you intercept https in iOS 13?

Burp User | Last updated: Jan 28, 2020 07:27PM UTC

Did it work for you, Ben Wright? Can you intercept HTTPS on iOS 13?

Ben, PortSwigger Agent | Last updated: Jan 29, 2020 08:18AM UTC

Hi Jose, We are currently working on fixing this issue and will update this thread when we have some more news. In the meantime, perhaps you could check out Guillaume's solution and see if that works for you?

Ben, PortSwigger Agent | Last updated: Feb 06, 2020 09:26AM UTC

Hi, We have released an update (Burp Professional Version 2020.1) that incorporates your feedback and should now have resolved the iOS certificate issue. Please feel free to update and provide us with any new feedback to help improve the product further.

Thomas | Last updated: Apr 28, 2020 11:31PM UTC

Hi, What about the Community version? I have tried yesterday and I was not able to get it to work.

Liam, PortSwigger Agent | Last updated: Apr 29, 2020 01:03PM UTC

Thomas, are you encountering an error message?

Thomas | Last updated: Apr 29, 2020 10:17PM UTC

I do all the usual steps:
1. go to http://burp
2. download cert
3. install profile
4. activate it in settings -> about ...

And I still get "The client failed to negotiate a TLS connection" ... I removed the old profile and added a new one when I updated to the latest version. But no change.

Huite | Last updated: Apr 30, 2020 09:34AM UTC

I can't visit the appstore anymore or use testflight with the proxy enabled. BS: v2020.4 iOS:13.4.1 Most seen errors in the dashboard: The client failed to negotiate a TLS connection to *: Remote hoste terminated the handshake. CA is in place and this has worked before on this phone with Burpsuite 2020.2 and older iOS version. Some sites are able to load with SSL but 90% seem to fail with the latest iOS and burpsuite.

Liam, PortSwigger Agent | Last updated: May 01, 2020 06:55AM UTC

Thomas, which version of Burp are you using? Are you using the platform installer version? Is the site you are trying to access publicly accessible?

Liam, PortSwigger Agent | Last updated: May 01, 2020 07:01AM UTC

Huite, for iOS 13.4.1 you may need to generate a CA cert issued before July 1, 2019, else it’s rejected due to missing ExtendedKeyUsage and 10-year validity, see https://support.apple.com/en-us/HT210176.

Adam | Last updated: May 04, 2020 10:44PM UTC

I have iOS 13.4.1 and I can access the web site but not secure. So it is not working as it used to. Working fine on iOS 12. I did upgrade to v2020.4, maybe that's why?

Adam | Last updated: May 04, 2020 10:48PM UTC

The PortSwigger CA I have on the device has: Not Valid Before: 4/5/14, 3:42:10 pm Not Valid After: 4/5/30, 3:42:10 pm Do I still need to follow what is in the below link: https://support.apple.com/en-us/HT210176?

Adam | Last updated: May 04, 2020 11:02PM UTC

Update: I reverted back to burp v2020.2 and all working fine now. definitely there is something off in the new release of burp v2020.4

Thomas | Last updated: May 05, 2020 04:20PM UTC

> Thomas, which version of Burp are you using?
Community Edition v2020.4

> Are you using the platform installer version?
Yes. MacOs

> Is the site you are trying to access publicly accessible?
Yes. google.com

---------------

Adam, thanks for the heads up. Will try to revert to v2020.2

Thomas | Last updated: May 05, 2020 04:26PM UTC

I tried v2020.2 and still doesn't work.

Nik | Last updated: May 05, 2020 07:08PM UTC

Got this working for me also. The workaround I used was to roll back to 2020.2. You can probably get this working with 2020.4 if you generate a CA certificate that meets the iOS 13 requirements (https://support.apple.com/en-gb/HT210176) and load it into burp. This was a real pain to debug because of caching and super inconsistent behaviour.

Thomas | Last updated: May 05, 2020 10:30PM UTC

Nik, that means you didn't use the CA certificate that Burp provides automatically, correct?

Liam, PortSwigger Agent | Last updated: May 06, 2020 08:33AM UTC

We're still in the process of trying to reproduce this issue. We'll update this thread when we have made some progress.

Liam, PortSwigger Agent | Last updated: May 06, 2020 12:50PM UTC

We have found that Safari doesn’t work well with TLS1.3 with Java 13. We recommend using Java 14 to run Burp or disabling TLS1.3. The latter needs you to start Burp with

    java -Djdk.tls.server.protocols=TLSv1,TLSv1.1,TLSv1.2 -jar burp_pro.jar

There may still be issues with the certificates we generate, but on macOS, everything is good if you disable TLS1.3. We need to do more testing on iOS.

Thomas | Last updated: May 07, 2020 01:54AM UTC

Thanks Liam. I did update the java from

    java version "1.8.0_131"
    Java(TM) SE Runtime Environment (build 1.8.0_131-b11)
    Java HotSpot(TM) 64-Bit Server VM (build 25.131-b11, mixed mode)

to

    java version "14.0.1" 2020-04-14
    Java(TM) SE Runtime Environment (build 14.0.1+7)
    Java HotSpot(TM) 64-Bit Server VM (build 14.0.1+7, mixed mode, sharing)

Some things improved. For one, now Safari is actually saying the certificate is not valid. I did download v2020.2.1 community version and redid the cert, but no change.

Liam, PortSwigger Agent | Last updated: May 07, 2020 06:58AM UTC

Thanks for the update, Thomas. Which version of macOS are you currently using? At what point did you encounter the initial issue? Did this work previously?

Thomas | Last updated: May 07, 2020 03:34PM UTC

Mac version ProductName: Mac OS X ProductVersion: 10.14.6 BuildVersion: 18G4032 It definitely worked a while ago. I haven't done much iOS debugging so don't know when it stopped working, but I have not upgraded my OS, although I do install security patches.

Liam, PortSwigger Agent | Last updated: May 11, 2020 04:43PM UTC

Thomas, I have a test machine set up with the same macOS. Could you describe your exact steps to reproduce the issue currently?

Thomas | Last updated: May 11, 2020 08:26PM UTC

Liam, There is not much to it. I installed Burp from the package installer you have on your site. I also separately installed Java SE v14. I turn Burp on, turn on the proxy, connect my iOS device to it. I go to http://burp. Download the CA certificate. I install the profile and then go to About to turn it on as a root certificate for the whole device. Then I go to https://google.com and I get a TLS violation.

Liam, PortSwigger Agent | Last updated: May 12, 2020 03:38PM UTC

Thomas, is the issue the same across a variety of browsers? Firefox, Chrome, Safari?

Thomas | Last updated: May 19, 2020 10:55PM UTC

I only use safari on iOS. But any app reports the same, so it's generally not working for anything else either.

Liam, PortSwigger Agent | Last updated: May 21, 2020 11:12AM UTC

Would it be possible to try using another browser on your iOS device?

Thomas | Last updated: May 25, 2020 02:35AM UTC

Sure but it doesn't make sense that it would work considering that no other app is working either. I do need to be able to capture the other apps traffic.

Liam, PortSwigger Agent | Last updated: May 25, 2020 10:06AM UTC

Fair point Thomas, does Burp Suite 2020.2 operate as a workaround?

Nick | Last updated: May 27, 2020 04:15PM UTC

I've run into this same problem. Burp Suite Pro 2020.4.1. I have previously done lots of iOS proxying via Burp with a previous iOS version (I think it was 13.3.1) and previous versions of Burp. I tried to fire up the proxy again today after not touching it for awhile. In the meantime, I had upgraded from 2020.2 Community Edition and I'm now on iOS 13.5. It's jailbroken with checkra1n, though that shouldn't make a difference. I can successfully install the Burp CA on the device. When I go to any https site, though, I get "This Connection is Not Private" in Safari. Chrome and Firefox have the same problem, along with every other app. http sites work fine, of course. I often get requests and responses listed in the HTTP history in Burp, but the apps balk. When I tried to roll back to 2020.2 Pro, visiting http://burpsuite on the device results in this Burp error page: "Error: Unknown host: burpsuite". So I can't even download the CA cert. This worked previously, so I don't know what's wrong now. I don't have an upstream proxy. Clearly, Burp is in place or I wouldn't get the Burp error. My Java version hasn't changed: openjdk version "11.0.6" 2020-01-14 OpenJDK Runtime Environment AdoptOpenJDK (build 11.0.6+10) OpenJDK 64-Bit Server VM AdoptOpenJDK (build 11.0.6+10, mixed mode) Gotta be honest, this is super frustrating. I don't want to be fighting with my tools. At least I found this thread, thanks Liam for being so active here. I hope we can identify a workaround swiftly. I'll let you know if I discover anything else.

Nick | Last updated: May 27, 2020 04:21PM UTC

The "unknown host" error was because I was using http://burpsuite and not http://burp. When I use the latter, I successfully downloaded and installed the CA cert again with 2020.2. But that doesn't fix the problem, I'm still getting "This Connection is Not Private" or an equivalent error in all browsers.

Nick | Last updated: May 27, 2020 04:22PM UTC

Oh, and I'm on Mac OS 10.14.6 as well.

Nick | Last updated: May 27, 2020 04:50PM UTC

I tried following the steps above to generate my own 365-day certificate as above:

    $ openssl genrsa -aes256 -out myBurpCA.key 4096
    $ openssl req -new -x509 -days 365 -key myBurpCA.key -out root-ca.crt -subj "/C=CA/O=Burp/OU=Certification Services/CN=MyBURPRootCA/"
    $ openssl pkcs12 -export -out BurpRootCA.pfx -inkey myBurpCA.key -in root-ca.crt

I set a password of my own choosing on the .key file, and then reused it when creating the .pfx file. When I went to import this file into Burp on 2020.2, I ran into the IllegalArgumentException error described here: https://forum.portswigger.net/thread/error-importing-custom-ca-41d4d26520

When I upgraded again to 2020.4.1, I was able to successfully import the custom certificate into Burp. But although the Burp landing page shows when I visit http://burp, I'm not seeing any Proxy traffic at all in HTTP history. And the certificate doesn't even work: I'm getting the same "This Connection Is Not Private" error. So it looks like this workaround is a bust for me.

Marcus | Last updated: May 28, 2020 05:50PM UTC

I have tried to capture SSL traffic on a new iPhone SE on 13.5 and it wasn't possible either.

Nick | Last updated: May 31, 2020 03:41PM UTC

What's happened to Ben and Liam?

Baris | Last updated: May 31, 2020 07:53PM UTC

I faced same problem with ios 13.5 and macos 10.15.4. I use burpsuite community edition 2020.4.1 and Java version is 1.8

Liam, PortSwigger Agent | Last updated: Jun 01, 2020 01:12PM UTC

We're still investigating this issue. We'll update this thread when we have something to share.

Bertrand | Last updated: Jun 02, 2020 09:26PM UTC

Same issue with iOS 13, PortSwigger CA isn't fully trusted.

Michelle, PortSwigger Agent | Last updated: Jun 08, 2020 02:51PM UTC

Can I check what version of Burp you are using, please? Are you also using 2020.4.1?

Bertrand | Last updated: Jun 08, 2020 06:19PM UTC

Yes I'm using Burp Suite Community Edition v2020.4.1

Dylan | Last updated: Jun 09, 2020 02:03AM UTC

I'm on an iPhone SE 2 running 13.5 and jailbroken with unc0ver 5.0.1. I am using Burp Suite Pro 2020.5 and am having the same issues as the others. Any suggestions?

Michelle, PortSwigger Agent | Last updated: Jun 09, 2020 11:00AM UTC

Thanks for confirming the details, that helps as we're investigating this. If you use an earlier version of Burp (e.g. 2020.2) do you see the same issue?

Michelle, PortSwigger Agent | Last updated: Jun 09, 2020 11:45AM UTC

Could you also let us know if the issue still occurs if you run the proxy with just TLS1.2? To test this you would need to run the JAR manually with the following option: java -Djdk.tls.server.protocols=TLS1.2 -jar burp_pro.jar

gilc83 | Last updated: Jun 11, 2020 08:47AM UTC

I think I have a lead: Apple states that "TLS server certificates must have a validity period of 825 days or fewer". I tried to use a custom certificate and created it using Nick's instructions above, and the certificate that was created is indeed valid for 1 year. However, when surfing http://burp from the iPhone and trying to download the root CA certificate, it is marked as valid till 2030 for some reason, and therefore it does not comply with Apple's new prerequisites. I'll try to import the root certificate manually to the iPhone and see what happens.

gilc83 | Last updated: Jun 11, 2020 10:42AM UTC

Update: manually importing the PSX\CER file to the iPhone did not help. I think that Burp ignores the custom certificate and still generates his own certificate. Seems like a bug.

gilc83 | Last updated: Jun 11, 2020 11:45AM UTC

Update #2: DO NOT use Edit Proxy Listener -> Certificate -> Use a custom certificate. It will not work. You should instead use Import / Export CA certificate option and then the certificate you import affects communication. I suspect that now this is what makes the certificate not valid, from Apple's demands: TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.

gilc83 | Last updated: Jun 11, 2020 12:29PM UTC

Finally got this working!!! Here are the full instructions:

1. Generate a certificate with the following commands (notice the extendedKeyUsage addition to Nick's answer above)

    openssl req -x509 -nodes -newkey rsa:4096 -keyout myBurpCA.key -out root-ca.crt -days 365 -subj "/C=CA/O=Burp/OU=Certification Services/CN=MyBURPRootCA/" -addext "extendedKeyUsage=1.3.6.1.5.5.7.3.1"
    openssl pkcs12 -export -out BurpRootCA.pfx -inkey myBurpCA.key -in root-ca.crt

2. Go to Burp and use the "Import / Export CA certificate" option and select your newly generated certificate (use the pfx file). **DO NOT** use "Edit Proxy Listener -> Certificate -> Use a custom certificate". It will not work (this is a custom specific certificate, you still want a CA-signed per-host certificate).
3. Go to the iPhone, configure the Burp Suite proxy as the proxy server and go to http://burp
4. Download and install the certificate by clicking the top right corner, downloading it ("Allow") and then going to Settings -> Profile Downloaded -> Install, to finish the additional installation steps.
5. Authorize the installed certificate for TLS authentication by going to Settings > General > About > Certificate Trust Settings, and then toggle "Enable Full Trust for Root Certificates" on for the certificate.

That's it! Certificate is now valid for TLS authentication.
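A pre-flight check for the three iOS 13 rules quoted in this thread (RSA key of at least 2048 bits, validity of 825 days or fewer, ExtendedKeyUsage containing id-kp-serverAuth), with the last two applied only to certificates issued after July 1, 2019, as Liam's reply describes. This is an added example, not code from any poster or from PortSwigger; the function names `ios13_eval` and `ios13_check_cert` are hypothetical, the cutoff is assumed to be 2019-07-01 00:00 UTC, and `openssl` is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example; not from the thread or from PortSwigger.
#
# ios13_eval ALG BITS NOT_BEFORE NOT_AFTER HAS_SERVERAUTH
#   Dates use the format openssl prints, e.g. "Jun 11 12:29:00 2020 GMT".
#   Prints one line per violated rule; status 0 = none, 1 = at least one.
ios13_eval() {
    awk -v alg="$1" -v bits="$2" -v nb="$3" -v na="$4" -v eku="$5" '
    # Convert an openssl date string to seconds since 1970-01-01 UTC
    # (days-from-civil arithmetic, so no dependency on GNU or BSD date).
    function epoch(s,    f, t, y, m, d, era, yoe, mp, doy, doe) {
        split(s, f, " "); split(f[3], t, ":")
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", f[1]) + 2) / 3
        d = f[2] + 0; y = f[4] + 0
        if (m <= 2) y--
        era = int(y / 400); yoe = y - era * 400
        mp  = (m + 9) % 12
        doy = int((153 * mp + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return (era * 146097 + doe - 719468) * 86400 \
               + t[1] * 3600 + t[2] * 60 + t[3]
    }
    BEGIN {
        n = 0
        # Rule 1: RSA keys smaller than 2048 bits are not trusted for TLS.
        if (tolower(alg) ~ /rsa/ && bits + 0 < 2048) {
            printf "RSA key is %d bits; iOS 13 requires 2048 or more\n", bits
            n++
        }
        # Rules 2 and 3 apply only to certificates issued after July 1, 2019
        # (assumption: cutoff taken as 2019-07-01 00:00:00 UTC).
        start = epoch(nb); end = epoch(na)
        if (start >= epoch("Jul 1 00:00:00 2019 GMT")) {
            if (end - start > 825 * 86400) {
                printf "validity is %d days; limit is 825\n", \
                       int((end - start) / 86400)
                n++
            }
            if (eku != "yes") {
                print "ExtendedKeyUsage lacks id-kp-serverAuth (1.3.6.1.5.5.7.3.1)"
                n++
            }
        }
        exit (n > 0)
    }'
}

# ios13_check_cert FILE
#   Extracts the fields from a PEM certificate with openssl and evaluates them.
#   Status 2 means openssl could not read the file.
ios13_check_cert() (
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || exit 2
    alg=$(printf '%s\n' "$text" |
          sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    nb=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)
    na=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    # openssl prints the serverAuth OID under this name in -text output.
    if printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication'; then
        eku=yes
    else
        eku=no
    fi
    ios13_eval "$alg" "${bits:-0}" "$nb" "$na" "$eku"
)
```

Run it as `ios13_check_cert root-ca.crt` before importing the PKCS#12 file into Burp; an empty result with status 0 means none of the three rules is violated.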

Michelle, PortSwigger Agent | Last updated: Jun 11, 2020 01:06PM UTC

Thanks for posting and sharing your instructions. Can I ask which version of iOS and which version of Burp you used in these tests?

Israel | Last updated: Jun 11, 2020 10:31PM UTC

gilc83 which version of Java do you use ?

jungletsubasa | Last updated: Jun 13, 2020 03:24AM UTC

@gilc83 This "Last updated: Jun 11, 2020 12:29PM UTC" solution did not work with ios 13.3.1 and 13.5.1 and using burp pro 2020.5 The solution was to revert back to burp pro 2020.2.1 It works now! Thanks, Tsubasa

Michelle, PortSwigger Agent | Last updated: Jun 15, 2020 08:55AM UTC

Hi Tsubasa Thanks for the update With 2020.5 did you try running the proxy with just TLS1.2? To test this you would need to run the JAR manually with the following option: java -Djdk.tls.server.protocols=TLS1.2 -jar burp_pro.jar

Dylan | Last updated: Jun 16, 2020 02:31AM UTC

I'm currently having an issue activating Burp Pro, but I installed Burp Community on my newly installed Manjaro laptop. I followed gilc83's guide from 11JUN2020 and it worked without a hitch. I am now able to intercept and inspect HTTPS requests made with Safari. Most other programs seem to have issues, but I feel like it's a cert pinning issue with iOS 13.5 rather than anything that would be able to be solved with Burp Suite. I'll post more information once I figure it out. Burp Version: 2020.5 Community Device: iPhone SE 2 (2020) iOS: 13.5

Dylan | Last updated: Jun 16, 2020 06:11PM UTC

Got my license issues resolved and can confirm I'm having no issues on 2020.5 Pro after following gilc83's instructions. I don't know exactly how necessary it is, but you might also want to follow the below instructions to install this updated SSL Kill Switch 2 tweak I found on reddit: https://www.reddit.com/r/TweakBounty/comments/gw1ems/40135_ssl_kill_switch_2_update/

1. Open Cydia, go to Sources => Edit => Add and add the following URL:
   * https://julioverne.github.io
2. Navigate to 'julioverne's Repo' => Tweaks => SSL Kill Switch 2 (iOS 13) and Install it
3. Open Settings => SSL Kill Switch 2 => Toggle 'Disable Certificate Validation' to on (green)

I haven't seen any issues with inspecting HTTPS traffic after doing this. I did encounter something I hadn't seen before which is the 'octet-stream' content type. It looks like a bunch of garbled text, so I thought it was still encrypted somehow, but it is not, that's just a data stream of a document or binary that is being sent.

Pavel | Last updated: Jun 17, 2020 02:16PM UTC

One more config that works for me: add an external .vmoption file with protocol settings. Details below:

Environment:
Host OS: macOS Catalina 10.15.5
Java: 13.0.1
Burp Suite Professional: standalone version 2020.5
iOS: 13.4.1

Steps:
1. Create a file burp.vmoption and put these 2 lines in it:

    -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2
    -Djdk.tls.server.protocols=TLSv1,TLSv1.1,TLSv1.2

2. Save the file somewhere
3. Open vmoptions.txt, located in the Contents/ dir of your app installation
4. Uncomment the line "# -include-options [path to other .vmoption file]" and replace "[path to other .vmoption file]" with the path to the newly created burp.vmoption file
5. Save vmoptions.txt and re-open your Burp (make sure your proxy listeners are set up, same as your iPhone - is set up with default certificate and proxy is enabled)

All 3rd party applications traffic intercepted well. Useful for those who use a standalone installation of Burp, and you do not need to re-generate certificates or create your own.

Felipe | Last updated: Jun 23, 2020 04:50PM UTC

Hi everyone! I was able to run successfully burp with safari and apps in iOS: Java Version: java 14.0.1 2020-04-14 Java(TM) SE Runtime Environment (build 14.0.1+7) Java HotSpot(TM) 64-Bit Server VM (build 14.0.1+7, mixed mode, sharing) iOS Version: 13.3 Burp Version: Professional 2020.5.1 Mac OS version: 10.14.6 I just started Burp with the option that PortSwigger Agent said: java -Djdk.tls.server.protocols=TLS1.2 -jar burp_pro.jar

Felipe | Last updated: Jun 23, 2020 06:21PM UTC

There still some apps (app store for example) that I can't go through

Michelle, PortSwigger Agent | Last updated: Jun 24, 2020 11:50AM UTC

Can you tell us a bit about the apps that you're having problems with? Do you see any errors?

Felipe | Last updated: Jun 26, 2020 06:17PM UTC

Yes! If I run Burp without TLS 1.3 I have 90% of the iphone with proxy, but I have problems with Apple Services. For example I can't proxy the feature of "Login with Apple ID", I can proxy the "Login with FB and Google", but everything related with apple, the connection broke. If I try to enter to apple.com, there is a certificate issue that apple is not trusting to the Burp Certificate. I can't also enter to app stores and any services related to apple. I really appreciate your help on this. I have tested with: iOS: 13.3 & 13.5.1 Burp: Pro 2020.5.1 & community 2.1.04 Regards

Felipe | Last updated: Jun 26, 2020 06:20PM UTC

If you go through https://appleid.apple.com/ on an iPhone, it will ask for your finger in order to connect with your Apple ID account. This authentication fails and I can't see it in Burp. If you try to connect with any apps that have "Login with Apple" you will see the same issue.

Michelle, PortSwigger Agent | Last updated: Jun 29, 2020 01:04PM UTC

Hi We've replied to the email you sent us as it would be good to get some screenshots of what you are seeing and a bit more detail on your setup

gilc83 | Last updated: Jul 02, 2020 02:10PM UTC

Hi all, I indeed used Burp version v2020.1 and Java 8:

    java version "1.8.0_221"
    Java(TM) SE Runtime Environment (build 1.8.0_221-b11)
    Java HotSpot(TM) 64-Bit Server VM (build 25.221-b11, mixed mode)

Follow the guide I wrote above and it will work.

Dylan | Last updated: Jul 11, 2020 08:29PM UTC

Since a lot of people (myself included) seem to still be having some issues, I went ahead and compiled every single step you should need to take into a single ordered page. I can confirm that following these instructions allows Burp Suite 2020.6 to work with iOS 13.5 on my iPhone SE 2 jailbroken with unCover. I'm able to snoop on the App Store, anything I've tried in Safari, the MANY calls that the iPhone makes to apple.com and icloud.com. I have yet to have anything not work. *knocks on wood* Hope this helps some people! https://bytepen.gitlab.io/toys/iphone-se-2/tools/burpsuite.html

Michelle, PortSwigger Agent | Last updated: Jul 13, 2020 09:34AM UTC

Thanks for sharing that. In Burp 2020.6 you can also now change the TLS settings for the proxy in the UI under Proxy -> Options -> Proxy Listeners -> Edit the TLS Protocols

svikramjeet | Last updated: Jul 21, 2020 05:54AM UTC

Most seen errors in the dashboard: The client failed to negotiate a TLS connection to *: Remote hoste terminated the handshake. CA is in place and this has worked before on this phone with Burpsuite 2020.2 and older iOS version. Some sites are able to load with SSL but 80% seem to fail with the latest iOS and burpsuite. BS : v2020.6 iOS : 13.5.1 Model : iPhone SE 2

Chris | Last updated: Jul 21, 2020 08:32AM UTC

Thanks for the detail here. I was experiencing a similar and I presume related issue; the iOS browser happily accepted the CA cert, but _sometimes_ I'd get the network connection error in Safari, etc. Disabling TLS1.3, at least between client and Burp, sorted that. This is what I've ended up with in my BurpSuitePro.vmoptions:

    # Support TLS1.0 - 1.2 between burp and server
    -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2
    # Support TLS1.2 only between burp and client (browser/mobile)
    -Djdk.tls.server.protocols=TLSv1.2

This also seems to have reduced the number of TLS connection errors in Burp's event log. Thanks to all who suggested this. (Note, I was experiencing this on Burp up to and including 2020.7)

Michelle, PortSwigger Agent | Last updated: Jul 21, 2020 09:07AM UTC

You can now also disable TLS 1.3 under Proxy -> Options -> Proxy Listener -> Edit -> TLS Protocols once Burp has been launched.

floyd | Last updated: Jul 28, 2020 04:22PM UTC

Just wanted to leave a "me too" here when it comes to intercepting traffic with Burp and iOS 13.3.1. For me the requests of iOS apps fail around 80% of the time. The iOS log basically says the network connection was lost:

    boringssl_context_handle_fatal_alert(1872) [C5.1:4][0x108f19120] write alert, level: fatal, description: decode error
    boringssl_context_error_print(1862) boringssl ctx 0x280874040: <private>
    boringssl_session_handshake_error_print(111) [C5.1:4][0x108f19120] 4586850840:error:10000066:SSL routines:OPENSSL_internal:BAD_ALERT:/BuildRoot/Library/Caches/com.apple.xbs/Sources/boringssl/boringssl-283.60.3/ssl/tls_record.cc:573:
    Task <e58b90a5-a899-4d4f-94a6-46bca06c03f1>.<1> HTTP load failed, 553/0 bytes (error code: -1005 [4:-4])
    Task <e458a8ad-ba87-45b7-b865-2a34c525447b>.<1> finished with error [-1005] Error Domain=NSURLErrorDomain Code=-1005 UserInfo={_kCFStreamErrorCodeKey=-4, NSUnderlyingError=0x280540c30 {Error Domain=kCFErrorDomainCFNetwork Code=-1005 UserInfo={NSErrorPeerAddressKey=<private>, _kCFStreamErrorCodeKey=-4, _kCFStreamErrorDomainKey=4}}, _NSURLErrorFailingURLSessionTaskErrorKey=<private>, _NSURLErrorRelatedURLSessionTaskErrorKey=<private>, NSLocalizedDescription=<private>, NSErrorFailingURLStringKey=<private>, NSErrorFailingURLKey=<private>, _kCFStreamErrorDomainKey=4}
    Task <e58b90a5-a899-4d4f-94a6-46bca06c03f1>.<1> finished with error [-1005] Error Domain=NSURLErrorDomain Code=-1005 UserInfo={NSUnderlyingError=0x280540c30 {Error Domain=kCFErrorDomainCFNetwork Code=-1005 UserInfo={NSErrorPeerAddressKey=<private>, _kCFStreamErrorCodeKey=-4, _kCFStreamErrorDomainKey=4}}, NSErrorFailingURLStringKey=<private>, NSErrorFailingURLKey=<private>, _kCFStreamErrorDomainKey=4, _kCFStreamErrorCodeKey=-4, NSLocalizedDescription=<private>}

Error -1005 is NSURLErrorNetworkConnectionLost. Of course this error is raised before the app gets the response so the app doesn't work properly. However, in Burp everything looks fine (HTTP request/response is visible) and the request went through, so the issue must be in the connection from Burp to iOS. I was on the latest version Burp 2020.7, which has the bug. Installing Burp 2020.2 worked around the issue as it works there. Disabling TLS 1.3 or similar was *not* necessary.

Michelle, PortSwigger Agent | Last updated: Jul 29, 2020 01:32PM UTC

TLS 1.3 was introduced in version 2020.4 so this could possibly match in with the fact this works for you in 2020.2. To check this and help us compare the behavior of the two versions in your environment if you have time, would you mind running a quick test with TLS 1.3 disabled in 2020.7 so it’s using the same settings as 2020.2? Could you tell us a bit more about what you’re seeing and the apps where you’ve seen this behavior when using 2020.7, please? If you’d rather share this information directly then feel free to email us (support@portswigger.net)

floyd | Last updated: Jul 30, 2020 11:57AM UTC

Hi Michelle, Disabling TLS 1.3 didn't work for me unfortunately. What I'm seeing is exactly what I wrote above, the mobile app will behave just like the connection was lost (in this case showing a pop-up that there was a technical issue). Basically an exception is raised although Unfortunately I can't disclose the app. So I looked into Wireshark and found the problem: Even when you disable TLS 1.3 in Project Options, even when you close Burp and reopen the project, Burp will still happily advertise TLS 1.3 as being supported. I can see the "Server Hello" from Burp, in the TLS extensions, in the supported_versions extension Burp says "Supported Version: TLS 1.3 (0x0304)". I could send you a screenshot, but I think that should be enough info. It's probably something about the weird design of TLS 1.3, where it is advertised as TLS 1.2 in the record layer version (0x0303) but you have to look into the supported_versions extension to see if it is TLS 1.2 or TLS 1.3. So it looks like Burp doesn't honor the GUI configuration of disabling TLS 1.3. I suspect Java screwed up the TLS 1.3 stack again just like in https://forum.portswigger.net/thread/polling-server-connection-fails-on-private-collaborator-instance-d27938bf . When do you change to bouncycastle?

Liam, PortSwigger Agent | Last updated: Aug 04, 2020 11:30AM UTC

Floyd, the Project Options setting controls outbound connections, you need to configure TLS used by the proxy. These settings are accessible via Proxy > Options > Proxy listeners > Add/Edit > TLS Protocols. This release (https://portswigger.net/burp/releases/professional-community-2-1-07?requestededition=professional) considerably improved Burp's SSL/TLS coverage.
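
An added example, not part of any post in this thread and not Burp's code: a minimal ServerHello parser that reads the version the way the posts above describe, taking the legacy field (0x0303) unless the supported_versions extension selects another, which is a quick way to confirm what a proxy listener really negotiates after its TLS Protocols setting is changed. The sample handshake bytes and the function names are constructed for illustration.

```python
import struct

TLS_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SUPPORTED_VERSIONS = 43  # extension type from RFC 8446, section 4.2.1


def negotiated_version(record: bytes) -> str:
    """Return the TLS version that a ServerHello record actually selects."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, _record_version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[:2])[0]  # legacy_version, 0x0303 for 1.2 and 1.3
    pos = 2 + 32                                 # skip legacy_version and random
    pos += 1 + hello[pos]                        # skip session_id
    pos += 2 + 1                                 # skip cipher suite and compression
    if pos + 2 <= len(hello):                    # the extensions block is optional
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= min(end, len(hello)):
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            data = hello[pos + 4:pos + 4 + ext_len]
            if ext_type == EXT_SUPPORTED_VERSIONS and len(data) == 2:
                version = struct.unpack("!H", data)[0]  # selected_version overrides
            pos += 4 + ext_len
    return TLS_NAMES.get(version, f"unknown (0x{version:04x})")


def build_server_hello(cipher: bytes, extensions: bytes = b"") -> bytes:
    """Constructed sample: a ServerHello whose version fields are all 0x0303."""
    hello = b"\x03\x03" + bytes(32) + b"\x00" + cipher + b"\x00"
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


# Constructed inputs: identical record-layer version, different real version.
TLS13_HELLO = build_server_hello(b"\x13\x01", struct.pack("!HHH", 43, 2, 0x0304))
TLS12_HELLO = build_server_hello(b"\xc0\x2f")

if __name__ == "__main__":
    for name, rec in (("with supported_versions", TLS13_HELLO), ("without", TLS12_HELLO)):
        print(name, "->", negotiated_version(rec))
```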

Nik | Last updated: Aug 05, 2020 01:49PM UTC

Hi, I have the same issue on iOS mobile devices with Burp v2020.7. Disabling TLS 1.3 does not help. But when I replace the default JRE (/opt/BurpSuiteCommunity/jre) - from v14 (openjdk 14 2020-03-17) - to v12 (openjdk 12.0.2 2019-07-16) everything starts working fine.

Security | Last updated: Aug 19, 2020 09:05AM UTC

Hi Nik, I am getting this error if I try to run burp v2020.7 with openjdk 12.0.2. Can you specify how you got past this error? Thanks in advance.
Error: A JNI error has occurred, please check your installation and try again
Exception in thread "main" java.lang.UnsupportedClassVersionError: burp/StartBurp has been compiled by a more recent version of the Java Runtime (class file version 53.0), this version of the Java Runtime only recognizes class file versions up to 52.0
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(Unknown Source)
at java.security.SecureClassLoader.defineClass(Unknown Source)
at java.net.URLClassLoader.defineClass(Unknown Source)
at java.net.URLClassLoader.access$100(Unknown Source)
at java.net.URLClassLoader$1.run(Unknown Source)
at java.net.URLClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.launcher.LauncherHelper.checkAndLoadMain(Unknown Source)

Jason | Last updated: Sep 18, 2020 08:33PM UTC

Hi Burp team, I'm a newcomer with implementing iOS and Burp. At this point I'm absolutely lost as to how to get Burp to monitor iOS traffic. I followed the guide here (https://portswigger.net/support/configuring-an-ios-device-to-work-with-burp) and was able to successfully install and trust the certificate on my iOS device. I then opened up Safari and tried visiting a https page. However, Safari is telling me "This Connection Is Not Private." The Burp Event log reports "The client failed to negotiate a TLS connection to xzy.com: Remote host terminated the handshake". Here's my question. What's the official suggested guide here? It's frustrating to have paid for Burp when I'm unable to get this working. For some background info:
- iOS iPad 14.0
- Burp PRO 2020.9.1
- Mac Mojave 10.14.6

Liam, PortSwigger Agent | Last updated: Sep 21, 2020 07:52AM UTC

We'll do some testing with iOS 14 and get back to you ASAP.

Uthman, PortSwigger Agent | Last updated: Sep 23, 2020 01:38PM UTC

Jason, have you tried disabling TLS1.3 on the Proxy Listener in Burp? (select a proxy listener > Edit > TLS Protocols > Use custom protocols > Disable TLS1.3) Can you send us further information via email, please? You can reach us on support@portswigger.net
