
Let's Encrypt certificates

Nell Gwinn Nov 29, 2016 11:16AM UTC

Burp appears to mark certs issued by Let's Encrypt as untrusted. Because of this, some plugins, like the relatively recent Dradis Framework plugin, will fail.


Dafydd Stuttard Nov 29, 2016 01:23PM UTC Support Center agent

In terms of Burp Scanner, this relies on the underlying Java trust store to validate SSL certificates and report whether they are trusted.

In its own normal outgoing HTTPS connections, Burp doesn’t enforce SSL trust so can connect to HTTPS services regardless of the certificate they use.

If the Dradis plugin in particular is having problems with the certificate, this might be because it is making HTTPS connections of its own in a way that enforces SSL trust. We will make the Dradis developers aware of this report.

The underlying Java trust store includes a number of root CA certificates, but not all the ones that are included in modern browsers. You might be able to add a root CA certificate to the Java trust store to make Java trust it. This might resolve the issues you are seeing.


Daniel Nov 29, 2016 01:29PM UTC
Hi there,

Dradis extender author here. We're using Ruby for the extension, and relying on the JRuby interpreter for managing the SSL connection.

What version of the extension are you using? In the latest there is a check box that allows you to bypass the default SSL validation:

https://github.com/dradis/burp-dradis/blob/master/burp-dradis.rb#L469

Hope this helps,
Daniel

Nell Nov 29, 2016 03:45PM UTC
Hi Daniel,

Thanks for your answer. I believe I am running the latest version, as I have just installed the plugin today for the first time. Version information according to Burp is v0.0.2, which seems to be the same as the version you pointed to on git.

There's not too much additional information except for the note in the Alerts tab, which is as follows: "Dradis Framework: There was an error connecting to Dradis: certificate verify failed."

Daniel Nov 29, 2016 04:51PM UTC
Hi Nell,

And do you have the "Ignore SSL certificate errors" checkbox ticked in the config tab?

http://discuss.dradisframework.org/t/burp-extension-released-send-to-dradis/383/3

HTH,
Daniel
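
The trust-store behaviour discussed in this thread, as an added example that is not part of the original posts or of the Dradis extension's code: a certificate whose issuing root is missing from the client's trust store fails verification, and adding that root fixes it while validation stays switched on. It uses Ruby's OpenSSL API with constructed in-memory certificates; `issue_cert`, `trust_store`, `check_trust`, `verified_client` and the host name `dradis.example.test` are hypothetical names chosen for illustration.

```ruby
require 'openssl'
require 'net/http'

# Issue a constructed certificate. With no issuer it is a self-signed root CA.
def issue_cert(cn, key, serial, issuer: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  constraint = issuer ? 'CA:FALSE' : 'CA:TRUE'
  cert.add_extension(ef.create_extension('basicConstraints', constraint, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Build a trust store holding only the given root certificates.
def trust_store(roots)
  roots.each_with_object(OpenSSL::X509::Store.new) { |c, s| s.add_cert(c) }
end

# Validate a server certificate. Returns [trusted?, OpenSSL's verdict string].
def check_trust(leaf, roots)
  store = trust_store(roots)
  [store.verify(leaf), store.error_string]
end

# HTTPS client that keeps verification on and trusts only the given roots.
# Nothing is sent until a request is made.
def verified_client(host, port, roots)
  http = Net::HTTP.new(host, port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.cert_store = trust_store(roots)
  http
end

# Constructed sample data: a root the client lacks, an unrelated root, a leaf.
ROOT_KEY = OpenSSL::PKey::RSA.new(2048)
ROOT = issue_cert('Example Missing Root', ROOT_KEY, 1)
OTHER_ROOT = issue_cert('Example Other Root', OpenSSL::PKey::RSA.new(2048), 2)
LEAF = issue_cert('dradis.example.test', OpenSSL::PKey::RSA.new(2048), 3,
                  issuer: ROOT, issuer_key: ROOT_KEY)

[[], [OTHER_ROOT], [ROOT]].each { |roots| p check_trust(LEAF, roots) }
```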
