Burp Suite User Forum

Login to post

Let's Encrypts certificates

Nell | Last updated: Nov 29, 2016 11:16AM UTC

Burp appears to mark certs issued by Let's Encrypt as untrusted. Because of this, some plugins, like the relatively recent Dradis Framework plugin will fail.

PortSwigger Agent | Last updated: Nov 29, 2016 01:18PM UTC

In terms of Burp Scanner, this relies on the underlying Java trust store to validate SSL certificates and report whether they are trusted. In its own normal outgoing HTTPS connections, Burp doesn't enforce SSL trust so can connect to HTTPS services regardless of the certificate they use. If the Dradis plugin in particular is having problems with the certificate, this might be because it is making HTTPS connections of its own in a way that enforces SSL trust. We will make the Dradis developers aware of this report. The underlying Java trust store includes a number of root CA certificates, but not all the ones that are included in modern browsers. You might be able to add a root CA certificate to the Java trust store to make Java trust it. This might resolve the issues you are seeing.

Burp User | Last updated: Nov 29, 2016 01:29PM UTC

Hi there, Dradis extender author here. We're using Ruby for the extension, and relying on the JRuby interpreter for managing the SSL connection. What version of the extension are you using? In the latest there is a check box that allows you to bypass the default SSL validation: https://github.com/dradis/burp-dradis/blob/master/burp-dradis.rb#L469 Hope this helps, Daniel

Burp User | Last updated: Nov 29, 2016 03:45PM UTC

Hi Dainel, Thanks for your answer. I believe I am running the latest version, as I have just installed the plugin today for the first time. Version information according to Burp is v0.0.2, which seems to be the same as the version you pointed to on git. There's not too much additional information except for the note in Alerts tab, which is as follows: "Dradis Framework: There was an error connecting to Dradis: certificate verify failed."

Burp User | Last updated: Nov 29, 2016 04:51PM UTC

Hi Nell, And do you have the "Ignore SSL certificate errors" checkbox ticked in the config tab? http://discuss.dradisframework.org/t/burp-extension-released-send-to-dradis/383/3 HTH, Daniel

You need to Log in to post a reply. Or register here, for free.