Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

BurpSuite Error: failed to negotiate an SSL connection

David | Last updated: Jan 09, 2016 11:15AM UTC

Hi, I've got a problem with Burp Suite Proxy v 1.6.30 and Android 5.1.1 Tablet. It works great with Windows 10 and installed java version 1.8.0_60-b27. But i have to set up a vm for a seminar with a linux os. I've tried Kali and Santoku but every time when proxing ssl traffic i get an error in alert tab: The client failed to negotiate an SSL connection to www.xyz.com:433: Received fatal alert: certificate unknown In some forums they wrote that it has to do with the installed java versions. I've tried java 6, 7 and 8. Same failure. Burp Root Certificate is installed on Android Device as User Trusted and works fine with my Windows 10 and BurpSuite v 1.6.30 Can someone help me or could explain what could be the problem? Thanks

PortSwigger Agent | Last updated: Jan 14, 2016 11:36AM UTC

Please verify that you have installed the Burp CA certificate correctly in your browser: https://support.portswigger.net/customer/en/portal/articles/1783075-Installing_Installing%20CA%20Certificate.html If you are still seeing problems, please can you describe your set-up, including client device/OS and Burp/Java version, and the exact error message you are seeing and where it appears. Thanks.

Burp User | Last updated: Feb 04, 2017 07:34PM UTC

I got same issue with burp 1.7.13 please help me

Burp User | Last updated: Jul 07, 2017 11:12AM UTC

same issue here i have burp 1.7.23 i installed the Burp CA on my android device Samsung s7 i saw the CA is really exist under Security > Certificates > user Certificates and i tried to use some apps like linkdin and facebook on my phone in burp i got ssl negotiation failed fatal error unknown ca

PortSwigger Agent | Last updated: Jul 07, 2017 11:12AM UTC

Are you able to browse to HTTPS websites through Burp? Many apps use certificate pinning. There are various tools to work around this, such as Android-SSL-TrustKiller. They don't work in all circumstances; the Facebook mobile app is particularly difficult to intercept.

Burp User | Last updated: Sep 15, 2017 03:13PM UTC

For Android 7+ devices I found this link about the security feature that does not allow apps to trust o certificate installed by user and how to fix including a XML and re compiling the APK file. https://serializethoughts.com/2016/09/10/905/ https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html

PortSwigger Agent | Last updated: Sep 15, 2017 03:14PM UTC

Hi Renu, Is this an app or the browser? The app may be using certificate pinning, in which case you need to use a tool like Trust Killer to bypass that. What version of Android are you using? If it's Android 7, you need to follow these instructions: https://serializethoughts.com/2016/09/10/905/ Also, quite often these issues can be a result of installing the certificate incorrectly. It would be worth removing the certificate and installing it again, following the instructions precisely: - https://support.portswigger.net/customer/portal/articles/1841102-installing-burp-s-ca-certificate-in-an-android-device

Burp User | Last updated: Nov 16, 2017 07:50AM UTC

i'm also facing the same issue like .... client failed to negotiate an ssl connection burp : received fatal alert certificate_unknown please help me to rsolve this...ASAP i have installed CA certificate but same issue is repeting

Burp User | Last updated: May 16, 2018 05:12AM UTC

Hi Paul, thank you for your answer, this problem was faced in mobile app and present i was working with android version 7. last night i was face the same issue again with the android version 5.0 with the same application, and still i was not able to figure out the issue of this issue . "client failed to negotiate an ssl connection burp : received fatal alert certificate_unknown" Please help me paul

PortSwigger Agent | Last updated: May 16, 2018 08:21AM UTC

Hi Renu, Can you please confirm the steps you've already taken: 1) Have you installed the Burp CA and confirmed you can access https://portswigger.net/ going through Burp and without any certificate warnings? 2) Does this affect all apps or just some? 3) If it's just some, the app is likely using certificate pinning. Have you tried installing an app to disable this (on a rooted device) such as SSL Trust Killer?

Burp User | Last updated: May 21, 2018 05:54AM UTC

Hi Paul, sorry for the delay ... :-) 1) yes, i was installed the certificate but still i'm facing the same issue. 2) i was followed the procedure i.e portswigger site there was link on this installation of certificate on mobile 3) two weeks back i was done the same process and it was worked properly but now i'm facing this issue. 4) ceritificate pinning not enabled till now.i'm sure about this. Note : is there any alternate solution for this...? Question: please give me step by step process for android 7 version application interception with burp.

Liam, PortSwigger Agent | Last updated: May 21, 2018 09:57AM UTC

If you must use Android N+ then you will need to install a trusted CA at the Android OS level on a rooted device or emulator. We don't have any installation instructions. There is an answer on this stack overflow thread for Android N onwards: - https://stackoverflow.com/questions/4461360/how-to-install-trusted-ca-certificate-on-android-device

Burp User | Last updated: Oct 04, 2018 11:38AM UTC

Solution is simple: Download the lastest Burpsuite version from official website. I don't know why this solution works at every time when I faces with this problem, but yes. This is the solution.

Liam, PortSwigger Agent | Last updated: Oct 04, 2018 12:56PM UTC

Which version of Android are you using?

Burp User | Last updated: Dec 03, 2018 01:56PM UTC

hii, i am still facing the same issue. can anybody help me out

Burp User | Last updated: Dec 03, 2018 02:23PM UTC

Hii, I am using version 8.0.0. I am able to record traffic with browser opened on the mobile. But native application configured with ADFS is displaying the issue as "the client failed to negotiate an SSL connection to android.clients.google.com:443:received fatal alert:certificate_unknown".

Liam, PortSwigger Agent | Last updated: Dec 03, 2018 04:00PM UTC

The app may be using certificate pinning, in which case you need to use a tool like Trust Killer to bypass that. You could try following these instructions: https://serializethoughts.com/2016/09/10/905/

Burp User | Last updated: Feb 07, 2019 08:01AM UTC

Hi All, Please help me out, this is emergency, I'm getting the "The client failed to negotiate an ssl connection to https://xxxxx:44302: Received fatal alert:unknown_ca" i'm trying to intercept the traffic b/w application in Web browser. i configured the certificate properly but,i'm getting the same issue. please help me out. thanks Advance. by Ram

Liam, PortSwigger Agent | Last updated: Feb 07, 2019 10:30AM UTC

Ram, it sounds like the certificate hasn't installed correctly. Which browser are you using? Have you tried another browser? Have you tried removing and deleting cert, downloading a clean version and reinstalling?

Burp User | Last updated: Feb 07, 2019 11:20AM UTC

Thanks Liam, i'm using firefox and i tried in Chrome also, and multiple times i deleted the Cert and i installed. with out proxy i can able to reach app, with proxy i can't able. I downloaded fresh version .36.

Liam, PortSwigger Agent | Last updated: Feb 07, 2019 12:09PM UTC

When intercept is turned on, Burp Suite should be intercepting the request. The request should appear in the Proxy "Intercept" tab. Are you able to see the http request in this tab? We have two tutorial pages to help you use Burp Proxy within our Support Center, have you checked these out? - https://support.portswigger.net/customer/portal/articles/1783118-getting-started-with-burp-proxy - https://support.portswigger.net/customer/portal/articles/1783119-using-burp-proxy What happens when you visit https://portswigger.net?

Burp User | Last updated: Aug 12, 2019 02:15PM UTC

https://github.com/yochananmarqos/Move-Certificates Magisk Module to move User Certs to System.

Mike, PortSwigger Agent | Last updated: Aug 12, 2019 02:29PM UTC

Greg, what error message are you receiving when attempting to connect to the target application? Burp Suite allows you to configure Client SSL Certificates within Project/User Options > SSL which Burp Suite will provide when a destination host requests one, so if it's a certificate issue that's not between the browser and Burp then this could be what you're looking for?

Burp User | Last updated: Oct 29, 2019 10:27AM UTC

Why does everyone on this thread think the problem is with the browser. This is a BURP error message. Burp is the CLIENT. Burp is unable to negotiate with the remote server. Installing a certificate into the browser only solves problems between the browser and burp- not burp and the final destination. I have fixed this problem in the past when IIS servers have SNI enabled (which these days is by default). You need to make sure burp tries to connect to the remote host by NAME or else SNI (server name identification) will fail. Unfortunately I have done that and this is still not working.

Kushal | Last updated: Dec 08, 2020 07:42PM UTC

Hi, I've got a problem with Burp Suite Proxy v 1.6.30 and Android 5.1.1 Tablet. Hi, window 10 problem . The client failed to negotiate an SSL connection to www.xyz.com:433: Received fatal alert: certificate unknown In some forums they wrote that it has to do with the installed java versions. I've tried java 6, 7 and 8. Same failure. Burp Certificate i installed it also and BurpSuite Pro 1.7.31 Can someone help me or could explain what could be the problem? Thanks

Hannah, PortSwigger Agent | Last updated: Dec 09, 2020 04:12PM UTC

Hi Kushal Did you follow the guide on installing the CA certificate here: https://portswigger.net/support/installing-burp-suites-ca-certificate-in-an-android-device Or did you use a different method?

Nayana | Last updated: Apr 27, 2021 09:57AM UTC

Hello, I am trying to capture SSL traffic through genymotion emulator(V9 API 28) on burpsuite (2021.4.2), but I am getting this error constantly even after uninstalling and reinstalling CA certificate by the links posted above "The client failed to negotiate an SSL connection to www.abc.com:433: Received fatal alert: certificate unknown" I can see the http traffic with same connections and settings. Only https is the problem Please help at the earliest.

Hannah, PortSwigger Agent | Last updated: Apr 28, 2021 02:59PM UTC

Hi Could you tell me the version of Android that you are emulating? Have you tried disabling TLSv1.3 by going to "Proxy > Options > Proxy listeners > Edit > TLS protocols > Use custom protocols"? Additionally, you can try disabling HTTP/2 by going to "Project options > HTTP > HTTP/2".

Nayana | Last updated: May 04, 2021 07:06AM UTC

I followed the above mentioned steps and still I am not able to capture the SSL traffic. The emulator I am using is Genymotion Google Pixel 3a Android Version 10 API 29. The same error persists for only SSL traffic "The client failed to negotiate an SSL connection to www.abc.com:433: Received fatal alert: certificate unknown". Please help.

Hannah, PortSwigger Agent | Last updated: May 06, 2021 09:40AM UTC

Hi Do you get the same issue with https://portswigger.net or https://portswigger-labs.net (please bear in mind that portswigger-labs.net is a sandboxed domain, containing intentional vulnerabilities)? Could you drop us an email at support@portswigger.net with some screenshots of your installation and setup?

Miguel | Last updated: May 23, 2021 01:51PM UTC

Some tests I did to try and debug the problem: - Happens in Burp 2x, 1.7, and ZAP - Running Java 15 - Only happens on Android (iOS is fine) - Happens both in browser and apps (on desktop works fine) - Happens both in Emulator and physical device - Not using TLS 1.3 - Works for some hosts but not others (e.g. PayPal and Google seems to work) - MacOS Big Sur 11.2.3

Hannah, PortSwigger Agent | Last updated: May 25, 2021 02:59PM UTC

Hi Miguel Did you use different versions of Android or just one version?

mmad | Last updated: Nov 22, 2021 02:01PM UTC

I was looking for solution for a long time finally found it at: https://github.com/itsMoji/Instagram_SSL_Pinning/issues/30 hope this works.

Hacker | Last updated: Feb 10, 2023 07:53AM UTC

If you are connected burpsuite with localhost/proxy Firstly Go to Firefox browser Type in URL ""http://burp/" --> then Enter --> Download Certificate --> Open Settings --> search Certificate --> go to View Certificate --> click on Import --> Select downloaded file (xxx.der) file --> back to Settings --> search Proxy --> set to Manual Proxy --> IP is 127.0.0.1 & Port 8080 --> Check the box Allow use this proxy for HTTPS --> click on Enter --> Go to any website --> Done (if website not opening go to proxy settings change port 8081) and change port in burpsuite also (Go to Proxy > Options > Edit proxy listeners > change port to 8081 > click OK (Done)

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.