Burp Suite User Forum

Not able to intercept one application using https

kund | Last updated: Jun 04, 2018 11:37AM UTC

Dear Team,

I am not able to intercept one application which is using HTTPS. (Please note: Burp works perfectly fine with other HTTPS applications.) I am getting the below errors in Burp's error logs:

- Attempting to auto select ssl parameters for XXXXX application
- Failed to autoselect ssl parameters for the same.
- You have limited key lengths available. To use stronger keys please download and install the JCE unlimited strength jurisdiction policy files from Oracle.
- Javax.net.ssl.SSLException remote host closed during handshake.
- Remote host closed connection during handshake

Requesting your help to resolve the issue.

Regards

PortSwigger Agent | Last updated: Jun 04, 2018 12:58PM UTC

Hi Kund, Thanks for getting in touch. A few SSL stacks have minor compatibility issues with the Java SSL stack that Burp uses. In the SSL options (Project options > Connections > SSL) try enabling "Disable SSL session resume" - this works around some issues. Also, if you choose "Use custom protocols and ciphers" sometimes trying a few different combinations - such as disabling TLSv1.2 - can make this start working. Is the app Internet-facing? If you can share the URL (perhaps by email to support@portswigger.net) we can have a look ourselves. You could also try connecting with Zap. That uses Bouncy Castle for SSL instead of the built-in Java libraries. Let us know how you get on.

Burp User | Last updated: Jun 07, 2018 05:18AM UTC

Dear Paul, Thanks for the quick reply. I made the changes you suggested, but the issue still remains unresolved. As the web application is not intranet facing, I will not be able to share the link. Kindly note that only Burp Suite is allowed in our environment. Thanks

PortSwigger Agent | Last updated: Jun 07, 2018 06:39AM UTC

Hi Kund, All I can suggest is to keep trying different combinations of protocols and ciphers. While doing this, disable "Automatically select compatible SSL parameters on negotiation failure". At first, leave the ciphers as default, and try only enabling TLSv1.2 then TLSv1.1 and work your way through the protocols. Try each one with "Disable SSL session resume" both on and off. After that you could try enabling some ciphers. The administrator of the application you're testing may be able to give some guidance. If that doesn't work, unfortunately, this application is not compatible with Burp and you'll need to use some other software. Please let us know if you need any further assistance.
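
The protocol-by-protocol check described in the reply above can also be run outside Burp on the same Java TLS stack, which shows which versions the server accepts and whether the limited-strength JCE policy from the error log is active. This is an added example, not code from PortSwigger or from any poster in this thread; the class name `TlsProbe` and the 5-second timeouts are assumptions, and it is meant to be run with the same JRE that runs Burp.

```java
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.net.InetSocketAddress;
import java.net.Socket;

// Added example: probes a server with the JVM's own TLS stack (JSSE),
// one protocol version at a time. Host and port come from the command line.
public class TlsProbe {
    // Returns "OK <protocol> / <cipher suite>" on success, or the exception text on failure.
    // A certificate (PKIX) error still means the server accepted this protocol version,
    // because the certificate only arrives after protocol and cipher are agreed.
    static String probe(SSLSocketFactory factory, String host, int port, String protocol) {
        try (Socket raw = new Socket()) {
            raw.connect(new InetSocketAddress(host, port), 5000);
            raw.setSoTimeout(5000);
            // Layer TLS over the connected socket; passing the host name enables SNI.
            try (SSLSocket tls = (SSLSocket) factory.createSocket(raw, host, port, true)) {
                tls.setEnabledProtocols(new String[] {protocol});
                tls.startHandshake();
                return "OK " + tls.getSession().getProtocol() + " / " + tls.getSession().getCipherSuite();
            }
        } catch (Exception e) {
            return "FAILED " + e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java TlsProbe <host> <port>");
            return;
        }
        // 128 means the limited-strength JCE policy is active, so AES-256 suites are unavailable.
        System.out.println("Max AES key length: " + Cipher.getMaxAllowedKeyLength("AES"));
        SSLContext ctx = SSLContext.getDefault();
        SSLSocketFactory factory = ctx.getSocketFactory();
        for (String protocol : ctx.getSupportedSSLParameters().getProtocols()) {
            if (protocol.equals("SSLv2Hello")) continue; // a hello format, not a protocol version
            System.out.println(protocol + ": " + probe(factory, args[0], Integer.parseInt(args[1]), protocol));
        }
    }
}
```

A protocol that reports OK here is a candidate to enable on its own under "Use custom protocols and ciphers"; if every version fails and the maximum AES key length prints 128, the JCE policy message in the error log is the first thing to address.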

Burp User | Last updated: Jul 26, 2019 12:02PM UTC

Hi, this is Amit Sharma. I am getting an issue for the same HTTPS URL. Is it possible to intercept or not? If it is possible, please share a small sample with me so I can identify the issue and the difference. Actually, right now the Android application is working with Retrofit and OkHttp.

Liam, PortSwigger Agent | Last updated: Jul 29, 2019 07:26AM UTC

Have you installed the Burp CA Certificate in your browser? - https://support.portswigger.net/customer/portal/articles/1783075-installing-burp-s-ca-certificate-in-your-browser This should fix any HSTS errors.