The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Let's Encrypt certificates

Nell | Last updated: Nov 29, 2016 11:16AM UTC

Burp appears to mark certs issued by Let's Encrypt as untrusted. Because of this, some plugins, like the relatively recent Dradis Framework plugin, will fail.

PortSwigger Agent | Last updated: Nov 29, 2016 01:18PM UTC

In terms of Burp Scanner, this relies on the underlying Java trust store to validate SSL certificates and report whether they are trusted. In its own normal outgoing HTTPS connections, Burp doesn't enforce SSL trust so can connect to HTTPS services regardless of the certificate they use.

If the Dradis plugin in particular is having problems with the certificate, this might be because it is making HTTPS connections of its own in a way that enforces SSL trust. We will make the Dradis developers aware of this report.

The underlying Java trust store includes a number of root CA certificates, but not all the ones that are included in modern browsers. You might be able to add a root CA certificate to the Java trust store to make Java trust it. This might resolve the issues you are seeing.
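The effect of a root CA missing from the trust store, and of adding it, shown as an added example that is not part of the original thread and is not the Dradis extension's code. It uses Ruby's `OpenSSL::X509::Store` as a stand-in for the Java trust store; the CA, the host name and the helper names are constructed for illustration.

```ruby
require "openssl"

# Build a certificate for a constructed test PKI (all names are hypothetical).
# With no issuer given, the certificate is self-signed (a root CA).
def make_cert(subject, key, issuer_cert, issuer_key, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                       # X.509 v3
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", ca ? "keyCertSign,cRLSign" : "digitalSignature", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Returns [trusted?, OpenSSL error code, error text] for the leaf against a store.
def verify_with(store, leaf)
  ok = store.verify(leaf)
  [ok, store.error, store.error_string]
end

def trust_store_demo
  root_key = OpenSSL::PKey::RSA.new(2048)
  root = make_cert("/CN=Constructed Example Root", root_key, nil, nil, ca: true)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  leaf = make_cert("/CN=dradis.example.test", leaf_key, root, root_key, ca: false)

  # Trust store that does not contain the issuing root: validation fails,
  # which a TLS client that enforces trust reports as "certificate verify failed".
  without_root = OpenSSL::X509::Store.new

  # Same check after the root has been added to the store: the chain now validates,
  # so trust is restored without turning verification off.
  with_root = OpenSSL::X509::Store.new
  with_root.add_cert(root)

  { missing: verify_with(without_root, leaf), added: verify_with(with_root, leaf) }
end

if __FILE__ == $PROGRAM_NAME
  trust_store_demo.each { |name, (ok, _code, text)| puts "#{name}: trusted=#{ok} (#{text})" }
end
```
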

Burp User | Last updated: Nov 29, 2016 01:29PM UTC

Hi there,

Dradis extender author here. We're using Ruby for the extension, and relying on the JRuby interpreter for managing the SSL connection. What version of the extension are you using? In the latest there is a check box that allows you to bypass the default SSL validation: https://github.com/dradis/burp-dradis/blob/master/burp-dradis.rb#L469

Hope this helps,
Daniel

Burp User | Last updated: Nov 29, 2016 03:45PM UTC

Hi Daniel,

Thanks for your answer. I believe I am running the latest version, as I have just installed the plugin today for the first time. Version information according to Burp is v0.0.2, which seems to be the same as the version you pointed to on git. There's not too much additional information except for the note in the Alerts tab, which is as follows: "Dradis Framework: There was an error connecting to Dradis: certificate verify failed."

Burp User | Last updated: Nov 29, 2016 04:51PM UTC