Burp Suite User Forum

The client failed to negotiate a TLS connection to [domain]: Remote host terminated the handshake

jesorad | Last updated: Feb 26, 2023 12:37AM UTC

Hello! I encountered a problem when testing a mobile application on Android. I cannot capture the traffic of the mobile app; the log shows the error "The client failed to negotiate a TLS connection to [domain]: Remote host terminated the handshake". I tried disabling/disabling all protocols and ciphers support - it didn't help. I tried creating my own certificate, loading it into Burp Suite and onto my mobile device - it didn't help. Software versions: Burp Suite Community 2023.1.2, Java 18.0.2, OS: Windows. Mobile device with root rights, certificate installed as a system certificate. Can you please tell me how to solve this problem?

Ben, PortSwigger Agent | Last updated: Feb 27, 2023 09:48AM UTC

Hi, to clarify, are you able to successfully proxy HTTP and HTTPS browser-based traffic using the setup that you have, and is it only mobile app traffic that you are having issues with? In addition to the above, are you experiencing this issue with a single mobile app?

jesorad | Last updated: Mar 01, 2023 04:31AM UTC

Hello! Yes, from the browser I can successfully see the domain traffic as HTTP and HTTPS in Burp Suite. But when the mobile app tries to communicate with the domain, an error appears. I observe this problem with only one mobile app.

Ben, PortSwigger Agent | Last updated: Mar 01, 2023 10:01AM UTC

Hi, is it possible that this particular app is using certificate pinning and is expecting a specific certification to be used?

jesorad | Last updated: Mar 02, 2023 06:56AM UTC

Hello! Not excluded. Is there any way around it? Also, are there any other options as to why this error occurs?

Ben, PortSwigger Agent | Last updated: Mar 02, 2023 05:03PM UTC

Hi, if certificate pinning is in place then there is not an easy way to bypass it - the following does talk through a couple of approaches you could use: https://www.netspi.com/blog/technical/mobile-application-penetration-testing/four-ways-bypass-android-ssl-verification-certificate-pinning/