'SSL Pass Through' traffic is incorrectly forwarded through an upstream proxy
When the SSL Pass Through function is used in combination with an upstream proxy server, the proxy is used incorrectly, causing the proxy to deny TLS connections that are passed through.
Expected behaviour would be that Burp performs a CONNECT request to the proxy server, providing it with the target host; after receiving a 200 response, it can proceed to forward the TLS messages to the proxy.
However, what I see is that the CONNECT phase is skipped entirely for SSL Pass Through connections. Instead, the TLS data is forwarded immediately to the proxy server. When this server receives a TLS ClientHello rather than a CONNECT request, it will abort the connection.
A CONNECT request is performed correctly when intercepted HTTP(S) traffic is forwarded. The problem only occurs for SSL Pass Through connections.
I encountered this problem while configuring the upstream proxy server within the Project options. I confirmed that it occurs regardless of whether no authentication or Basic authentication is used. By the way, there were no problems with the selection of the correct proxy based on the destination host of SSL Pass Through connections.
I use Burp Suite Professional v1.7.16.
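The expected and observed exchanges described in the report above, as an added Python example that is not part of the original thread and is not Burp's code. The function names, `target.example`, the toy proxy and the truncated ClientHello bytes are all constructed for illustration.

```python
import contextlib
import socket
import threading

# Constructed, truncated TLS record: handshake (0x16), version 3.1, ClientHello (0x01).
SAMPLE_CLIENT_HELLO = bytes.fromhex("16030100050100000100")

def first_bytes_kind(data: bytes) -> str:
    """Classify what an upstream proxy sees first on a new connection."""
    if data.startswith(b"CONNECT "):
        return "CONNECT"
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "TLS ClientHello"
    return "other"

def open_tunnel(proxy_sock: socket.socket, host: str, port: int) -> bool:
    """Ask the proxy for a tunnel; True only if it answers with a 2xx status."""
    request = f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n"
    proxy_sock.sendall(request.encode("ascii"))
    reply = b""
    while b"\r\n\r\n" not in reply:           # read the whole response header
        chunk = proxy_sock.recv(4096)
        if not chunk:
            return False                       # proxy hung up before answering
        reply += chunk
    status = reply.split(b"\r\n", 1)[0].split()
    return len(status) >= 2 and status[1].startswith(b"2")

def toy_proxy(sock: socket.socket, seen: list) -> None:
    """Constructed stand-in for the upstream proxy: tunnels only after CONNECT."""
    first = sock.recv(4096)
    seen.append(first_bytes_kind(first))
    if seen[0] == "CONNECT":
        sock.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
        sock.sendall(sock.recv(4096))          # echo stands in for the target host
    sock.close()                               # anything else: abort the connection

def pass_through(send_connect_first: bool):
    """Return (what the proxy saw first, bytes that came back through it)."""
    client, upstream = socket.socketpair()
    seen, returned = [], b""
    worker = threading.Thread(target=toy_proxy, args=(upstream, seen))
    worker.start()
    with client, contextlib.suppress(OSError):  # a reset by the proxy counts as no data
        if not send_connect_first or open_tunnel(client, "target.example", 443):
            client.sendall(SAMPLE_CLIENT_HELLO)
            returned = client.recv(4096)
    worker.join()
    return seen[0], returned
```

`pass_through(False)` reproduces the reported behaviour (the proxy's first bytes are a ClientHello and nothing comes back), while `pass_through(True)` shows the CONNECT phase followed by the relayed TLS bytes.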
Thanks for this report. We’ve created a ticket for this and will update this thread when we have a fix available.
We don’t have any update on this, sorry. The fix depends on some other more involved work that we plan in the coming months, so we’re unlikely to deliver a fix in the near term.
socat tcp-listen:<local-port>,fork proxy:<proxy-host>:<target-host>:<target-port>
Can you tell me if the bug is also included in the older version 1.6.30?
We have tested this older version and everything seems to be fine.
Our customer now uses 1.7.16 and he has the problem.
As far as we’re aware, Burp has always had this bug. We are currently working on a fix and we are aiming to have this ready for the next release.
We are expecting to release an update within the next 1-2 weeks.
But we still get trouble when using an upstream proxy.
We are sure that Burp is closing the connection with "CLIENT HELLO" in the Wireshark trace.
Any hints or tips for troubleshooting?
Do you need any other information for understanding the root cause? [wireshark traces...]
Unfortunately the fix didn’t make it to the recent release. I will have a word with the development team to see if this can be bumped up the list.
In the interim, your best option is to either run Burp on a network without an upstream proxy, or to use the socat workaround described above.
Thanks for your feedback.
We have checked the workaround with socat. We are running Burp on Windows with JRE.
So it's not clear to us how to rebuild the socat command on Win.
Can you emphasize this fix for the next build?
We’ve had a look at this in more detail now, and produced a prototype that works in simple scenarios (specifically, no proxy authentication). However, the changes are more intrusive than we’d hoped; it may be too risky to apply at this stage. We’ll discuss this internally over the coming weeks.
To get you going now, I have compiled socat on Windows for you. I will email you with this shortly.