
SHA1 certificate signatures

Greg Dec 06, 2018 11:01AM UTC

It looks like up to about v1.6 SHA1 was used exclusively for certificates, then the switch to SHA256 happened. Is there a way to restore the old SHA1 behavior? This would be quite helpful for a current project.

I looked around and don't see an option for it.

Disabling SHA256 in java.security doesn't have an effect on generated certificate signatures (regardless of the Enable algorithms blocked by Java security policy option). This only has the effect of breaking access to sites using SHA256.

I tried using v1.6. It does use SHA1 for certificates, but I also need to be able to replace Burp's CA cert and that doesn't work (NullPointerException on import attempts, and no luck with a registry import of JavaSoft > Prefs > burp > ca/Cert from a newer version that imports replacement CA certs correctly).

Any help would be appreciated.

Thank you.


Paul Johnston Dec 06, 2018 11:42AM UTC Support Center agent

There isn’t an option to automatically generate SHA1 certificates. However, you can generate a suitable certificate using the openssl command line, and configure Burp to use that. In Proxy > Options > Proxy Listeners > Edit > Certificate select “Use a custom certificate”.
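
The reply above suggests generating the certificate with the openssl command line. As an added example (not part of the original reply and not PortSwigger's code), this script creates a self-signed certificate with a SHA-1 signature, bundles it as PKCS#12 (assumed here to be the format the "Use a custom certificate" option loads), and reads back the signature algorithm so the result can be checked before it is loaded into Burp. The function names, file names, CN and password are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: SHA-1-signed certificate for a Burp proxy listener.
# All names and the default password below are constructed placeholders.

# make_sha1_cert OUTDIR COMMON_NAME
# Writes key.pem, cert.pem and burp.p12 into OUTDIR.
make_sha1_cert() (
    outdir=$1
    cn=$2
    pass=${P12_PASS:-example-password}   # override via the P12_PASS variable
    umask 077                            # keep the private key unreadable to others
    mkdir -p "$outdir" || exit 1

    # Self-signed RSA certificate; -sha1 selects the signature digest.
    openssl req -x509 -newkey rsa:2048 -nodes -sha1 -days 30 \
        -subj "/CN=$cn" \
        -keyout "$outdir/key.pem" -out "$outdir/cert.pem" || exit 1

    # Bundle key and certificate into one password-protected PKCS#12 file.
    openssl pkcs12 -export -inkey "$outdir/key.pem" -in "$outdir/cert.pem" \
        -name "$cn" -passout "pass:$pass" -out "$outdir/burp.p12" || exit 1
)

# sig_alg CERT_PEM
# Prints the certificate's signature algorithm as openssl names it.
sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

# Stand-alone use: ./script.sh OUTDIR COMMON_NAME
if [ "$#" -ge 2 ]; then
    make_sha1_cert "$1" "$2" && sig_alg "$1/cert.pem"
fi
```

Some distributions configure OpenSSL to refuse SHA-1 signing, in which case the `openssl req` step fails rather than silently falling back to another digest.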


Greg Dec 06, 2018 04:10PM UTC

Thank you very much. I already had a suitable certificate from openssl, so when I have time to work on this again the testing should go more quickly.

For reference, I learned in an old support post that the NullPointerException problem in v1.6 was because imported CA certificates had to have a "caCert" alias at that time. Adding a "caCert" alias did indeed allow the CA certificate to be imported, but v1.6 was still unable to function properly after that (cipher errors in the Alerts tab and all connections failing). So, that leaves auto-generation of SHA1 certs off the table for now apparently.

Thanks again for your help.
