Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

SHA1 certificate signatures

Greg | Last updated: Dec 06, 2018 11:01AM UTC

It looks like up to about v1.6 SHA1 was used exclusively for certificates, then the switch to SHA256 happened. Is there a way to restore the old SHA1 behavior? This would be quite helpful for a current project. I looked around and don't see an option for it. Disabling SHA256 in java.security doesn't have an effect on generated certificate signatures (regardless of the Enable algorithms blocked by Java security policy option). This only has the effect of breaking access to sites using SHA256. I tried using v1.6. It does use SHA1 for certificates, but I also need to be able to replace Burp's CA cert and that doesn't work (NullPointerException on import attempts, and no luck with a registry import of JavaSoft > Prefs > burp > ca/Cert from a newer version that imports replacement CA certs correctly). Any help would be appreciated. Thank you.

PortSwigger Agent | Last updated: Dec 06, 2018 11:10AM UTC

There isn't an option to automatically generate SHA1 certificates. However, you can generate a suitable certificate using the openssl command line, and configure Burp to use that. In Proxy > Options > Proxy Listeners > Edit > Certificate select "Use a custom certificate".

Burp User | Last updated: Dec 06, 2018 04:10PM UTC

Thank you very much. I already had a suitable certificate from openssl, so when I have time to work on this again the testing should go more quickly. For reference, I learned in an old support post that the NullPointerException problem in v1.6 was because imported CA certificates had to have a "caCert" alias at that time. Adding a "caCert" alias did indeed allow the CA certificate to be imported, but v1.6 was still unable to function properly after that (cipher errors in the Alerts tab and all connections failing). So, that leaves auto-generation of SHA1 certs off the table for now apparently. Thanks again for your help.

PortSwigger Agent | Last updated: Dec 06, 2018 04:14PM UTC

Pleased to hear you got it working. I'm not sure if we'll implement multiple custom certificates, it's a rare requirement and would need a non-trivial UI. As a workaround you can run multiple proxy listeners, each with different certificates, and use a proxy switcher to direct requests to the right one. What we may do is make the certificate generation be customizable by an extension.

Burp User | Last updated: Jan 07, 2019 09:51AM UTC

I had time to revisit this and am pleased to say that using a custom certificate worked perfectly. Thank you very much. Of course, it didn't take long for challenges to crop up with the limits of only having one certificate to send to clients. If you can consider allowing multiple custom certificates depending on the host in the future (much like how different client certificates are already allowed for different hosts) and default to auto-gen for other hosts that would be very helpful. I fully understand that if this were added it wouldn't be soon what with v2.0 and everything, so until then I can get by with chaining Burp instances. Thanks once again.

Burp User | Last updated: Jan 07, 2019 01:02PM UTC

Thanks for the response Paul. Allowing certificates to be defined by an extension sounds very promising. Thanks to you and the team for all that you do.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.