
iOS 13 + Burp SSL Certs Not Able to be Fully Trusted

Dan Oct 27, 2019 05:11PM UTC

I've followed the appropriate steps to fully trust the burp cert, but as of iOS 13 this does not work and HTTPS requests fail. Looking at iOS 13 release notes, I found this: https://support.apple.com/en-us/HT210176 -- I suspect this is related, though I have not had time yet to inspect the certs being generated by Burp to confirm one or more of these new restrictions are being violated. Can anyone 1) confirm this is an issue with iOS 13+ and 2) is there any workaround to this or timeline for addressing in Burp default functionality?


Carsten Müller Oct 28, 2019 08:47AM UTC
Hello,

we are facing the same issue with the certificates installed and created by Burp.
See iOS changes (https://support.apple.com/en-us/HT210176).

Is there a way to register our own certificates, or is there already a fix / update available?


Liam Tai-Hogan Oct 28, 2019 09:08AM UTC Support Center agent

We have tested an iOS device that is running version 13.1.2 and we were able to successfully proxy HTTPS traffic through a Burp Suite proxy instance running on my computer after installing the certificate and manually configuring my proxy settings.

I’m assuming you have seen our guides on configuring your iOS device to work with Burp Suite?

https://support.portswigger.net/customer/portal/articles/1841108-Mobile%20Set-up_iOS%20Device.html
https://support.portswigger.net/customer/portal/articles/1841109-Mobile%20Set-up_iOS%20Device%20-%20Installing%20CA%20Certificate.html


Liam Tai-Hogan Oct 28, 2019 09:14AM UTC Support Center agent

Additionally, we’ve upgraded to iOS 13.1.3 and not been able to reproduce this issue.


a troubles Nov 01, 2019 09:25AM UTC
After I upgraded to 13.2, I encountered a situation where I chose the certificate trust and could not capture https. What should I do?

Liam Tai-Hogan Nov 01, 2019 11:55AM UTC Support Center agent

Did this issue affect all applications?

Are you encountering an error message in Burp’s Event log?


j Nov 14, 2019 01:39PM UTC
Same problem, in my case:
- works in iOS 12.4
- does not work in iOS 13.1.2

Cert is installed, marked as verified, and then authorised in the Trust Store config.

iOS Safari just fails.
iOS Chrome hints at ERR_CERT_WEAK_KEY; you can make an exemption and proceed.

This is probably happening because the Portswigger cert is 1024 bits, which should be considered "a functional bug" since some clients will refuse it in any case.

Not sure if Burp allows selecting 2048 bits when regenerating.

Raul Siles Nov 15, 2019 08:48AM UTC
I can confirm this error can be reproduced in iOS 13.2.2 due to the 1,024-bit RSA key size of the digital certificates generated by Burp:

- https://support.apple.com/en-us/HT210176:
"Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS."

Would it be possible in the next version to force Burp to generate 2,048-bit certificates by default?

Thanks,
Raul
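One way to check a Burp-generated CA certificate (or any DER certificate) against the 2048-bit minimum quoted above, as an added example that is not code from this thread or from PortSwigger: a stdlib-only DER walk that extracts the RSA modulus size. The parser assumes an RSA key, and the "synthetic cert" builder at the end is constructed test input (unsigned, empty names), not a real certificate.

```python
IOS13_MIN_RSA_BITS = 2048   # Apple HT210176: RSA keys below 2048 bits are not trusted for TLS

def _read_tlv(buf, off):
    # Return (tag, content, next_offset) for the DER element starting at buf[off].
    tag, first = buf[off], buf[off + 1]
    if first & 0x80:                                     # long-form length
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n
    else:
        length, hdr = first, 2
    start = off + hdr
    return tag, buf[start:start + length], start + length

def _children(content):
    # Split a constructed element's content into (tag, content) pairs.
    out, off = [], 0
    while off < len(content):
        tag, val, off = _read_tlv(content, off)
        out.append((tag, val))
    return out

def rsa_modulus_bits(cert_der):
    """Bit length of the RSA modulus in a DER X.509 certificate (RSA keys only)."""
    _, tbs, _ = _read_tlv(_read_tlv(cert_der, 0)[1], 0)  # Certificate -> tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                             # optional [0] EXPLICIT version
        fields = fields[1:]
    spki = fields[5][1]        # serial, sigAlg, issuer, validity, subject, subjectPublicKeyInfo
    bit_string = _children(spki)[1][1]                   # subjectPublicKey BIT STRING
    rsa_seq = _children(bit_string[1:])[0][1]            # skip unused-bits byte -> RSAPublicKey
    modulus = _children(rsa_seq)[0][1]                   # first INTEGER is the modulus n
    return int.from_bytes(modulus, "big").bit_length()

def ios13_accepts_key(cert_der):
    return rsa_modulus_bits(cert_der) >= IOS13_MIN_RSA_BITS

# Constructed stand-in certificate for offline testing: unsigned, empty names, only the key size matters.
def _der(tag, content):
    n, size = len(content), (len(content).bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + content

def _der_int(n):
    return _der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))   # keeps the leading 0x00 when needed

def build_synthetic_cert(modulus_bits):
    rsa_key = _der(0x30, _der_int((1 << (modulus_bits - 1)) | 1) + _der_int(65537))
    spki = _der(0x30, _der(0x30, b"") + _der(0x03, b"\x00" + rsa_key))
    empty = _der(0x30, b"")
    tbs = _der(0x30, _der(0xA0, _der_int(2)) + _der_int(1) + empty * 4 + spki)
    return _der(0x30, tbs + empty + _der(0x03, b"\x00"))
```

For a PEM export of Burp's CA, convert it first with `ssl.PEM_cert_to_DER_cert` from the standard library; the function covers only the key-size rule quoted above.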

Liam Tai-Hogan Nov 15, 2019 03:14PM UTC Support Center agent

Thanks for these reports. We’ve flagged this issue for investigation. We’ll update this thread when we have something to share.


Wanpeng Nov 15, 2019 03:17PM UTC
I have iOS 13.2.2 running on an iPhone X.
The Burp CA is 2048 bits and I am running the latest Burp on macOS Mojave.

I was able to capture HTTPS data from websites such as twitter.com and facebook.com,
but I was unable to capture any data to apple.com.

Hope this information helps to find the problem.

Hannah Law Nov 22, 2019 11:18AM UTC Support Center agent

Thank you for that information. We have been able to successfully reproduce the behaviour you are experiencing on iOS 13.2.3.

We were unable to receive any data from apple.com in Safari, but Google Chrome functioned after dismissing a warning, so this could be a potential workaround for the time being.

We have created a request for our development team to investigate, and will notify this thread once we have more information.

