Burp Suite User Forum

Login to post

TLS Problems

Ivan | Last updated: Dec 30, 2019 04:22AM UTC

I get on 90% hosts the ssl error for handshake: java.net.ssl.SSLException: Received fatal alert: hanshake_failure. I'm using burp with embedded JRE and SNI extensions disabled. I've also tried to remove TLS 1.3 in list because the host maybe doesn't support it but no luck. I have latest version of Burp Suite Professional 2.1.07, any advice? Is this a bug? Let me know because I need to proceed with my testings and my work at the moment is blocked. Cheers

Liam, PortSwigger Agent | Last updated: Dec 30, 2019 01:29PM UTC

Ivan, is the site you are working on publicly accessible? If so, could you email the details to support@portswigger.net. Alternatively, could you provide screenshots of the error messages?

Burp User | Last updated: Dec 30, 2019 10:13PM UTC

Hi, actually during test i've seen that with java 8 the problem doesn't appear. Any ideas why? I also suggest to use BouncyCastle library as they have much more support for SSL and minor problems.

Hannah, PortSwigger Agent | Last updated: Jan 02, 2020 11:05AM UTC

Glad to hear you resolved your issue by using a different Java version. In version 2.1.07, we have improved our SSL/TLS coverage (http://releases.portswigger.net/). This was done by using the BouncyCastle library.

Burp User | Last updated: Jan 02, 2020 04:40PM UTC

Yeah, but no luck for other hosts! That's strange by the way, because with owasp zap i have no problem connecting. Maybe i've setupped something bad? Any ideas? Except for SNI disabled and accept invalid SSL certificates (in project options->tls). Maybe this could be a problem of website's certificate? Thanks for support!

Ben, PortSwigger Agent | Last updated: Jan 03, 2020 08:17AM UTC

Hi Ivan, Are you able to disclose which sites you are having issues with and are they publicly available so that we can investigate further? If you would prefer to send us an email with this information then please feel free (you can send this to support@portswigger.net).

You need to Log in to post a reply. Or register here, for free.