iOS 13 + Burp SSL Certs Not Able to be Fully Trusted
I've followed the appropriate steps to fully trust the Burp cert, but as of iOS 13 this does not work and HTTPS requests fail. Looking at iOS 13 release notes, I found this: https://support.apple.com/en-us/HT210176 -- I suspect this is related, though I have not had time yet to inspect the certs being generated by Burp to confirm one or more of these new restrictions are being violated. Can anyone 1) confirm this is an issue with iOS 13+ and 2) is there any workaround to this or timeline for addressing in Burp default functionality?
We are facing the same issue with the certificates installed and created by Burp.
See iOS changes (https://support.apple.com/en-us/HT210176).
Is there a way to register our own certificates, or is there already a fix / update available?
We have tested an iOS device that is running version 13.1.2 and we were able to successfully proxy HTTPS traffic through a Burp Suite proxy instance running on my computer after installing the certificate and manually configuring my proxy settings.
I’m assuming you have seen our guides on configuring your iOS device to work with Burp Suite?
Additionally, we’ve upgraded to iOS 13.1.3 and not been able to reproduce this issue.
Did this issue affect all applications?
Are you encountering an error message in Burp’s Event log?
- works in iOS 12.4
- does not work in iOS 13.1.2
Cert is installed, marked as verified, and then authorised in the Trust Store config.
iOS Safari just fails.
iOS Chrome hints with ERR_CERT_WEAK_KEY, you can make an exemption and proceed.
This is probably happening because the PortSwigger cert is 1024 bits, which should be considered "a functional bug" since some clients will refuse it in any case.
Not sure if Burp allows selecting 2048 bits when regenerating.
"Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS."
Would it be possible in the next version to force Burp to generate 2,048-bit certificates by default?
Thanks for these reports. We’ve flagged this issue for investigation. We’ll update this thread when we have something to share.
The Burp CA is 2048 bits and I am running the latest Burp on macOS Mojave.
I was able to capture HTTPS data from websites such as twitter.com and facebook.com.
But I was unable to capture any data to apple.com.
Hope this information could help to find out the problem.
Thank you for that information. We have been able to successfully reproduce the behaviour you are experiencing on iOS 13.2.3.
We were unable to receive any data from apple.com in Safari, but Google Chrome functioned after dismissing a warning, so this could be a potential workaround for the time being.
We have created a request for our development team to investigate, and will notify this thread once we have more information.
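
As an added example (not part of the thread and not PortSwigger's code), the shell function below checks a certificate saved as PEM against the iOS 13 TLS requirements in Apple's HT210176 that can be read from `openssl x509 -text`: RSA key size, signature hash, DNS name in subjectAltName, and the serverAuth EKU. It assumes OpenSSL 1.1.1 or later; the two sample certificates and the name `burp-test.example` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: check a PEM certificate against iOS 13 TLS requirements
# (Apple HT210176). The validity-period limit is not checked here.

check_ios13_cert() {
    # $1 = PEM certificate path. Prints findings; returns 0 only if all checks pass.
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || { echo "unreadable: $1"; return 2; }
    fail=0

    # RSA keys smaller than 2048 bits are no longer trusted for TLS.
    if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
        bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
        [ "${bits:-0}" -ge 2048 ] || { echo "FAIL rsa key is ${bits:-unknown} bits"; fail=1; }
    fi

    # The signature must use a SHA-2 family hash, so flag SHA-1 and MD5.
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1 | tr 'A-Z' 'a-z')
    case "$sig" in *sha1*|*md5*) echo "FAIL signature algorithm $sig"; fail=1 ;; esac

    # The server's DNS name must be in the Subject Alternative Name extension.
    san=$(printf '%s\n' "$text" | awk '/X509v3 Subject Alternative Name/ { getline; print }')
    case "$san" in *DNS:*) ;; *) echo "FAIL no DNS name in subjectAltName"; fail=1 ;; esac

    # Certificates issued after 1 July 2019 need the serverAuth EKU.
    eku=$(printf '%s\n' "$text" | awk '/X509v3 Extended Key Usage/ { getline; print }')
    case "$eku" in *"TLS Web Server Authentication"*) ;; *) echo "FAIL no serverAuth EKU"; fail=1 ;; esac

    return "$fail"
}

make_sample() {
    # Constructed test input: $1 = RSA bits, $2 = output path, rest = extra req options.
    size=$1; out=$2; shift 2
    openssl req -x509 -newkey "rsa:$size" -nodes -sha256 -days 30 \
        -subj "/CN=burp-test.example" -keyout "$out.key" -out "$out" "$@" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample 1024 "$tmp/weak.pem"
make_sample 2048 "$tmp/ok.pem" -addext "subjectAltName=DNS:burp-test.example" \
    -addext "extendedKeyUsage=serverAuth"
for cert in "$tmp/weak.pem" "$tmp/ok.pem"; do
    if check_ios13_cert "$cert"; then echo "$cert: passes the checks"
    else echo "$cert: would be rejected"; fi
done
```

A certificate that passes these checks can still be refused by a client for reasons the function does not look at, such as the validity period or the trust settings on the device.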