Burp Suite User Forum

iOS 13 + Burp SSL Certs Not Able to be Fully Trusted

Dan | Last updated: Oct 27, 2019 05:11PM UTC

I've followed the appropriate steps to fully trust the burp cert, but as of iOS 13 this does not work and HTTPS requests fail. Looking at iOS 13 release notes, I found this: https://support.apple.com/en-us/HT210176 -- I suspect this is related, though I have not had time yet to inspect the certs being generated by Burp to confirm one or more of these new restrictions are being violated. Can anyone 1) confirm this is an issue with iOS 13+ and 2) is there any workaround to this or timeline for addressing in Burp default functionality?

Burp User | Last updated: Oct 28, 2019 08:47AM UTC

Hello, we are facing the same issue with the certificates installed and created by Burp. See iOS changes (https://support.apple.com/en-us/HT210176). Is there a way to register our own certificates, or is there already a fix / update available?

Liam, PortSwigger Agent | Last updated: Oct 28, 2019 09:06AM UTC

We have tested an iOS device that is running version 13.1.2 and we were able to successfully proxy HTTPS traffic through Burp Suite proxy instance running on my computer after installing the certificate and manually configuring my proxy settings. I'm assuming you have seen our guides on configuring your iOS device to work with Burp Suite? https://support.portswigger.net/customer/portal/articles/1841108—Mobile%20Set-up_iOS%20Device.html https://support.portswigger.net/customer/portal/articles/1841109-Mobile%20Set-up_iOS%20Device%20-%20Installing%20CA%20Certificate.html

Liam, PortSwigger Agent | Last updated: Oct 28, 2019 09:12AM UTC

Additionally, we've upgraded to iOS 13.1.3 and not been able to reproduce this issue.

Liam, PortSwigger Agent | Last updated: Oct 28, 2019 09:21AM UTC

Did this issue affect all applications? Are you encountering an error message in Burp's Event log?

Burp User | Last updated: Nov 01, 2019 09:25AM UTC

After I upgraded to 13.2, I encountered a situation where I chose the certificate trust and could not capture https. What should I do?

Burp User | Last updated: Nov 14, 2019 01:39PM UTC

Same problem, in my case:
- works in iOS 12.4
- does not work in iOS 13.1.2

Cert is installed, marked as verified, and then authorised in the Trust Store config. iOS Safari just fails. iOS Chrome hints with ERR_CERT_WEAK_KEY, you can make an exemption and proceed. This is probably happening because the PortSwigger cert is 1024 bits, which should be considered "a functional bug" since some clients will refuse it in any case. Not sure if Burp allows to select 2048 bits when regenerating.

Burp User | Last updated: Nov 15, 2019 08:48AM UTC

I can confirm this error can be reproduced in iOS 13.2.2 due to the 1,024-bit RSA key size of the digital certificates generated by Burp:
- https://support.apple.com/en-us/HT210176: "Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS."

Would it be possible in the next version to force Burp to generate 2,048-bit certificates by default?

Thanks, Raul

Liam, PortSwigger Agent | Last updated: Nov 15, 2019 11:46AM UTC

Thanks for these reports. We've flagged this issue for investigation. We'll update this thread when we have something to share.

Burp User | Last updated: Nov 15, 2019 03:17PM UTC

I have iOS 13.2.2 running on iPhone X. The Burp CA is 2048 bits and I am running the latest Burp on macOS Mojave. I was able to capture HTTPS data from websites such as twitter.com and facebook.com, but was unable to capture any data to apple.com. Hope this information could help to find out the problem.

Hannah, PortSwigger Agent | Last updated: Nov 19, 2019 09:13AM UTC

Thank you for that information. We have been able to successfully reproduce the behaviour you are experiencing on iOS 13.2.3. We were unable to receive any data from apple.com in Safari, but Google Chrome functioned after dismissing a warning, so this could be a potential workaround for the time being. We have created a request for our development team to investigate, and will notify this thread once we have more information.

Ben, PortSwigger Agent | Last updated: Nov 25, 2019 02:18PM UTC

Hi, This is still under investigation by the development team. As noted, we will notify this thread when we have some further information.

Burp User | Last updated: Jan 12, 2020 09:48PM UTC

Any update of this?

Burp User | Last updated: Jan 16, 2020 08:23PM UTC

I have not been able to make it work on Google Chrome. The site doesn't load

Ben, PortSwigger Agent | Last updated: Jan 17, 2020 11:12AM UTC

Thank you for the further information. We are glad that you were able to resolve your issue.

Burp User | Last updated: Jan 24, 2020 04:16PM UTC

Having a 4096 bits key did not work for me. Here are the details:

    # Generate private key
    openssl genrsa -aes256 -out myBurpCA.key 4096

    # Generate Certificate
    openssl req -new -x509 -days 3650 -key myBurpCA.key -out root-ca.crt -subj "/C=CA/O=Burp/OU=Certification Services/CN=MyBURPRootCA/"

    # Export to pkcs12 format for import into burp
    openssl pkcs12 -export -out BurpRootCA.pfx -inkey myBurpCA.key -in root-ca.crt

Burp User | Last updated: Jan 24, 2020 04:45PM UTC

With a 365 days root CA, it is now working. The document referred to above helped: https://support.apple.com/en-us/HT210176

Burp User | Last updated: Jan 28, 2020 07:26PM UTC

Ben Wright worked for you, can you intercept https in iOS 13?

Burp User | Last updated: Jan 28, 2020 07:27PM UTC

Did it work for you, Ben Wright? Can you intercept HTTPS on iOS 13?

Ben, PortSwigger Agent | Last updated: Jan 29, 2020 08:18AM UTC

Hi Jose, We are currently working on fixing this issue and will update this thread when we have some more news. In the meantime, perhaps you could check out Guillaume's solution and see if that works for you?

Ben, PortSwigger Agent | Last updated: Feb 06, 2020 09:26AM UTC

Hi, We have released an update (Burp Professional Version 2020.1) that incorporates your feedback and should now have resolved the iOS certificate issue. Please feel free to update and provide us with any new feedback to help improve the product further.

Thomas | Last updated: Apr 28, 2020 11:31PM UTC

Hi, What about the Community version? I have tried yesterday and I was not able to get it to work.

Liam, PortSwigger Agent | Last updated: Apr 29, 2020 01:03PM UTC

Thomas, are you encountering an error message?

Thomas | Last updated: Apr 29, 2020 10:17PM UTC

I do all the usual steps:
1. go to http://burp
2. download cert
3. install profile
4. activate it in settings -> about ...

And I still get "The client failed to negotiate a TLS connection" ... I removed the old profile and added a new one when I updated to the latest version. But no change.

Huite | Last updated: Apr 30, 2020 09:34AM UTC

I can't visit the appstore anymore or use testflight with the proxy enabled.

BS: v2020.4
iOS: 13.4.1

Most seen errors in the dashboard: The client failed to negotiate a TLS connection to *: Remote host terminated the handshake.

CA is in place and this has worked before on this phone with Burpsuite 2020.2 and older iOS version. Some sites are able to load with SSL but 90% seem to fail with the latest iOS and burpsuite.

Liam, PortSwigger Agent | Last updated: May 01, 2020 06:55AM UTC

Thomas, which version of Burp are you using? Are you using the platform installer version? Is the site you are trying to access publicly accessible?

Liam, PortSwigger Agent | Last updated: May 01, 2020 07:01AM UTC

Huite, for iOS 13.4.1 you may need to generate a CA cert issued before July 1, 2019, else it’s rejected due to missing ExtendedKeyUsage and 10-year validity, see https://support.apple.com/en-us/HT210176.
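
A way to check a certificate against the HT210176 rules this thread cites: RSA key of at least 2048 bits and, for certificates with NotBefore after July 1, 2019, ExtendedKeyUsage with serverAuth and a validity of 825 days or fewer (the 825-day figure comes from the Apple page, not from the thread). This is an added example, not part of any post and not Burp's own code; the function names, result strings and sample certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example. Prints one line per violated rule, nothing if the cert passes.
ios13_check() {
  text=$(openssl x509 -in "$1" -noout -text) || return 2
  # Rule 1: RSA keys smaller than 2048 bits are no longer trusted for TLS.
  if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || echo "rsa-key-too-small:$bits"
  fi
  # Rules 2 and 3 apply only when NotBefore is later than July 1, 2019.
  # awk turns both dates into day numbers and prints the validity span in days.
  span=$(openssl x509 -in "$1" -noout -dates | awk -F'[= ]+' '
    function dayno(y, m, d) {   # Gregorian day count; only differences matter
      if (m < 3) { y--; m += 12 }
      return 365*y + int(y/4) - int(y/100) + int(y/400) + int((153*(m-3)+2)/5) + d
    }
    { n[$1] = dayno($5, (index("JanFebMarAprMayJunJulAugSepOctNovDec", $2)+2)/3, $3) }
    END { if (n["notBefore"] > dayno(2019, 7, 1)) print n["notAfter"] - n["notBefore"] }')
  [ -n "$span" ] || return 0
  [ "$span" -le 825 ] || echo "validity-over-825-days:$span"
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' ||
    echo "missing-eku-serverAuth"
}

# Constructed samples (not from the thread): a 1024-bit, 10-year certificate
# without EKU, and a 2048-bit, 365-day certificate with EKU serverAuth.
make_samples() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:1024 -nodes -days 3650 -subj '/CN=weak.example' \
    -keyout "$dir/weak.key" -out "$dir/weak.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=ok.example' \
    -addext 'extendedKeyUsage=serverAuth' -addext 'subjectAltName=DNS:ok.example' \
    -keyout "$dir/ok.key" -out "$dir/ok.pem" 2>/dev/null
  echo "$dir"
}

samples=$(make_samples)
for c in weak ok; do
  echo "== $c.pem"
  ios13_check "$samples/$c.pem"
done
rm -rf "$samples"
```

To inspect the certificate a proxy actually serves, save it as PEM first and pass that file to `ios13_check`.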

Adam | Last updated: May 04, 2020 10:44PM UTC

I have iOS 13.4.1 and I can access the web site but not secure. So it is not working as it used to. Working fine on iOS 12. I did upgrade to v2020.4, maybe that's why?

Adam | Last updated: May 04, 2020 10:48PM UTC

The PortSwigger CA I have on the device has:

Not Valid Before: 4/5/14, 3:42:10 pm
Not Valid After: 4/5/30, 3:42:10 pm

Do I still need to follow what is in the below link: https://support.apple.com/en-us/HT210176?

Adam | Last updated: May 04, 2020 11:02PM UTC

Update: I reverted back to Burp v2020.2 and all working fine now. Definitely there is something off in the new release of Burp v2020.4.

Thomas | Last updated: May 05, 2020 04:20PM UTC

> Thomas, which version of Burp are you using?

Community Edition v2020.4

> Are you using the platform installer version?

Yes. MacOs

> Is the site you are trying to access publicly accessible?

Yes. google.com

---------------

Adam, thanks for the heads up. Will try to revert to v2020.2

Thomas | Last updated: May 05, 2020 04:26PM UTC

I tried v2020.2 and still doesn't work.

Nik | Last updated: May 05, 2020 07:08PM UTC

Got this working for me also. The workaround I used was to roll back to 2020.2. You can probably get this working with 2020.4 if you generate a CA certificate that meets the iOS 13 requirements (https://support.apple.com/en-gb/HT210176) and load it into burp. This was a real pain to debug because of caching and super inconsistent behaviour.

Thomas | Last updated: May 05, 2020 10:30PM UTC

Nik, that means you didn't use the CA certificate that Burp provides automatically, correct?

Liam, PortSwigger Agent | Last updated: May 06, 2020 08:33AM UTC

We're still in the process of trying to reproduce this issue. We'll update this thread when we have made some progress.

Liam, PortSwigger Agent | Last updated: May 06, 2020 12:50PM UTC

We have found that Safari doesn’t work well with TLS1.3 with Java 13. We recommend using Java 14 to run burp or disable TLS1.3. The latter needs you to start burp with

    java -Djdk.tls.server.protocols=TLSv1,TLSv1.1,TLSv1.2 -jar burp_pro.jar

There may still be issues with the certificates we generate, but on macOS, everything is good if you disable TLS1.3. We need to do more testing on iOS.

Thomas | Last updated: May 07, 2020 01:54AM UTC

Thanks Liam. I did update the java from

    java version "1.8.0_131"
    Java(TM) SE Runtime Environment (build 1.8.0_131-b11)
    Java HotSpot(TM) 64-Bit Server VM (build 25.131-b11, mixed mode)

to

    java version "14.0.1" 2020-04-14
    Java(TM) SE Runtime Environment (build 14.0.1+7)
    Java HotSpot(TM) 64-Bit Server VM (build 14.0.1+7, mixed mode, sharing)

Some things improved. For one now safari is actually saying the certificate is not valid. I did download v2020.2.1 community version and redid the cert, but no change.

Liam, PortSwigger Agent | Last updated: May 07, 2020 06:58AM UTC

Thanks for the update, Thomas. Which version of macOS are you currently using? At what point did you encounter the initial issue? Did this work previously?

Thomas | Last updated: May 07, 2020 03:34PM UTC

Mac version

    ProductName: Mac OS X
    ProductVersion: 10.14.6
    BuildVersion: 18G4032

It definitely worked a while ago. I haven't done much iOS debugging so don't know when it stopped working, but I have not upgraded my OS, although I do install security patches.

Liam, PortSwigger Agent | Last updated: May 11, 2020 04:43PM UTC

Thomas, I have a test machine set up with the same macOS. Could you describe your exact steps to reproduce the issue currently?

Thomas | Last updated: May 11, 2020 08:26PM UTC

Liam, There is not much to it. I installed the burp from your package installer you have on your site. I also installed separately java se v14. I turn burp on, turn on proxy, connect my iOS device to it. I go to http://burp. Download the CA certificate. I install the profile and then go to about to turn it on as a root certificate for the whole device. Then I go to https://google.com and I get TLS violation.

Liam, PortSwigger Agent | Last updated: May 12, 2020 03:38PM UTC

Thomas, is the issue the same across a variety of browsers? Firefox, Chrome, Safari?

Thomas | Last updated: May 19, 2020 10:55PM UTC

I only use safari on iOS. But any app reports the same, so it's generally not working for anything else either.

Liam, PortSwigger Agent | Last updated: May 21, 2020 11:12AM UTC

Would it be possible to try using another browser on your iOS device?

Thomas | Last updated: May 25, 2020 02:35AM UTC

Sure but it doesn't make sense that it would work considering that no other app is working either. I do need to be able to capture the other apps traffic.

Liam, PortSwigger Agent | Last updated: May 25, 2020 10:06AM UTC

Fair point Thomas, does Burp Suite 2020.2 operate as a workaround?

Nick | Last updated: May 27, 2020 04:15PM UTC

I've run into this same problem. Burp Suite Pro 2020.4.1. I have previously done lots of iOS proxying via Burp with a previous iOS version (I think it was 13.3.1) and previous versions of Burp. I tried to fire up the proxy again today after not touching it for awhile. In the meantime, I had upgraded from 2020.2 Community Edition and I'm now on iOS 13.5. It's jailbroken with checkra1n, though that shouldn't make a difference.

I can successfully install the Burp CA on the device. When I go to any https site, though, I get "This Connection is Not Private" in Safari. Chrome and Firefox have the same problem, along with every other app. http sites work fine, of course. I often get requests and responses listed in the HTTP history in Burp, but the apps balk.

When I tried to roll back to 2020.2 Pro, visiting http://burpsuite on the device results in this Burp error page: "Error: Unknown host: burpsuite". So I can't even download the CA cert. This worked previously, so I don't know what's wrong now. I don't have an upstream proxy. Clearly, Burp is in place or I wouldn't get the Burp error.

My Java version hasn't changed:

    openjdk version "11.0.6" 2020-01-14
    OpenJDK Runtime Environment AdoptOpenJDK (build 11.0.6+10)
    OpenJDK 64-Bit Server VM AdoptOpenJDK (build 11.0.6+10, mixed mode)

Gotta be honest, this is super frustrating. I don't want to be fighting with my tools. At least I found this thread, thanks Liam for being so active here. I hope we can identify a workaround swiftly. I'll let you know if I discover anything else.

Nick | Last updated: May 27, 2020 04:21PM UTC

The "unknown host" error was because I was using http://burpsuite and not http://burp. When I use the latter, I successfully downloaded and installed the CA cert again with 2020.2. But that doesn't fix the problem, I'm still getting "This Connection is Not Private" or an equivalent error in all browsers.

Nick | Last updated: May 27, 2020 04:22PM UTC

Oh, and I'm on Mac OS 10.14.6 as well.

Nick | Last updated: May 27, 2020 04:50PM UTC

I tried following the steps above to generate my own 365-day certificate as above:

    $ openssl genrsa -aes256 -out myBurpCA.key 4096
    $ openssl req -new -x509 -days 365 -key myBurpCA.key -out root-ca.crt -subj "/C=CA/O=Burp/OU=Certification Services/CN=MyBURPRootCA/"
    $ openssl pkcs12 -export -out BurpRootCA.pfx -inkey myBurpCA.key -in root-ca.crt

I set a password of my own choosing on the .key file, and then reused it when creating the .pfx file. When I go to import this file into Burp on 2020.2, I ran into the IllegalArgumentException error described here: https://forum.portswigger.net/thread/error-importing-custom-ca-41d4d26520

When I upgraded again to 2020.4.1, I was able to successfully import the custom certificate into Burp. But although the Burp landing page shows when I visit http://burp, I'm not seeing any Proxy traffic at all in HTTP history. And the certificate doesn't even work: I'm getting the same "This Connection Is Not Private" error. So it looks like this workaround is a bust for me.

Marcus | Last updated: May 28, 2020 05:50PM UTC

I have tried to capture SSL traffic on a new iPhone SE on 13.5 and it wasn't possible either.

Nick | Last updated: May 31, 2020 03:41PM UTC

What's happened to Ben and Liam?

Baris | Last updated: May 31, 2020 07:53PM UTC

I faced the same problem with iOS 13.5 and macOS 10.15.4. I use Burp Suite Community Edition 2020.4.1 and Java version is 1.8.

Liam, PortSwigger Agent | Last updated: Jun 01, 2020 01:12PM UTC

We're still investigating this issue. We'll update this thread when we have something to share.

Bertrand | Last updated: Jun 02, 2020 09:26PM UTC

Same issue with iOS 13, PortSwigger CA isn't fully trusted.
