Burp Suite User Forum


jruby SSLSocket error

Aaron | Last updated: Jan 25, 2017 08:42AM UTC

I'm currently developing the Dradis Framework Burp extension (https://github.com/dradis/burp-dradis/) and I'm encountering an error when the extension is trying to POST to the Dradis Pro server using HTTPS:

["org/jruby/ext/openssl/SSLSocket.java:215:in `connect'",
"/Users/aaron/Downloads/jruby-complete-1.7.26.jar!/META-INF/jruby.home/lib/ruby/1.9/net/http.rb:800:in `connect'",
"org/jruby/ext/timeout/Timeout.java:98:in `timeout'",
"/Users/aaron/Downloads/jruby-complete-1.7.26.jar!/META-INF/jruby.home/lib/ruby/1.9/net/http.rb:800:in `connect'",
"/Users/aaron/Downloads/jruby-complete-1.7.26.jar!/META-INF/jruby.home/lib/ruby/1.9/net/http.rb:756:in `do_start'",
"/Users/aaron/Downloads/jruby-complete-1.7.26.jar!/META-INF/jruby.home/lib/ruby/1.9/net/http.rb:745:in `start'",
"/Users/aaron/Downloads/jruby-complete-1.7.26.jar!/META-INF/jruby.home/lib/ruby/1.9/net/http.rb:1293:in `request'",
"<script>:483:in `create_dradis_issue'",
"<script>:561:in `send_to_dradis_menu_handler'",
"<script>:105:in `createMenuItems'",
"org/jruby/gen/InterfaceImpl550592149.gen:13:in `actionPerformed'"]

But, when I run an external ruby script compiled with jruby (https://gist.github.com/aapomm/8f5206ac6f6a34af3a4a76a48f2ee98a), it POSTs successfully to the server.

Any ideas? I'm using Burp Suite Free Edition 1.7.16 and jruby-complete-1.7.26.

Burp User | Last updated: Jan 25, 2017 08:56AM UTC

Btw, this is related to the SSL issues described here: https://support.portswigger.net/customer/portal/questions/16753904-let-s-encrypts-certificates

Burp team, can you spot what we are missing in our extension code? As far as I can tell we're using the same code as in the Gist Aaron posted, with VERIFY_NONE and everything: https://github.com/dradis/burp-dradis/blob/master/burp-dradis.rb#L469

Which works when run directly through Java + JRuby, but not when run inside the Burp extension. We've banged our heads against this for a while and any pointers or clues would be really appreciated.

-Daniel

PortSwigger Agent | Last updated: Jan 25, 2017 12:20PM UTC

I'm afraid my Ruby fu is weak and I don't really have any ideas after looking at your code. If you're making your own HTTP requests outside of the Burp API, then we wouldn't expect the presence of Burp to make a difference, but evidently it is. Would it be feasible to make your requests to the Dradis endpoint via the Burp API, so that Burp ensures that SSL trust is not enforced?

Burp User | Last updated: Feb 22, 2017 06:57AM UTC

The suggested solution of using the Burp API to make the request, as opposed to Ruby's Net::HTTP, worked! For reference, here's the relevant code: https://github.com/dradis/burp-dradis/blob/master/burp-dradis.rb#L395
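The approach that resolved this thread, sending the POST through the Burp Extender API (`IBurpExtenderCallbacks#makeHttpRequest`) instead of Net::HTTP, as an added example; it is not the burp-dradis code or part of any post above. The helper names `build_post` and `post_via_burp` are hypothetical, and the URL, path and headers are whatever the caller supplies.

```ruby
# Added example, not the burp-dradis code. `callbacks` is the
# IBurpExtenderCallbacks object a JRuby extension receives in
# registerExtenderCallbacks. URL, path and headers are caller-supplied.
require 'json'
require 'uri'

# Build a raw HTTP/1.1 POST carrying a JSON body.
def build_post(uri, payload, headers = {})
  body = JSON.generate(payload)
  host = uri.port == uri.default_port ? uri.host : "#{uri.host}:#{uri.port}"
  lines = ["POST #{uri.request_uri} HTTP/1.1", "Host: #{host}",
           'Content-Type: application/json',
           "Content-Length: #{body.bytesize}", 'Connection: close']
  headers.each do |name, value|
    # Refuse CR/LF so a header value cannot inject extra headers.
    raise ArgumentError, "bad header #{name.inspect}" if "#{name}#{value}" =~ /[\r\n]/
    lines << "#{name}: #{value}"
  end
  lines.join("\r\n") + "\r\n\r\n" + body
end

# Send the POST through Burp's HTTP stack; returns [status_code, body].
def post_via_burp(callbacks, url, payload, headers = {})
  uri = URI.parse(url)
  raw = build_post(uri, payload, headers)
  # JRuby adds String#to_java_bytes; plain Ruby keeps the String as-is.
  bytes = raw.respond_to?(:to_java_bytes) ? raw.to_java_bytes : raw
  resp = callbacks.makeHttpRequest(uri.host, uri.port,
                                   uri.scheme == 'https', bytes)
  raise IOError, 'no response from Burp' if resp.nil?
  # Inside JRuby the response is a Java byte[]; convert it to a String.
  resp = String.from_java_bytes(resp) if String.respond_to?(:from_java_bytes)
  head, body = resp.split("\r\n\r\n", 2)
  status = head.to_s[/\AHTTP\/\d\.\d (\d{3})/, 1].to_i
  [status, body.to_s]
end
```

As the PortSwigger reply says, Burp does not enforce SSL trust on this path, so the server certificate is not validated for these requests.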
