SHA1 certificate signatures
It looks like up to about v1.6 SHA1 was used exclusively for certificates, then the switch to SHA256 happened. Is there a way to restore the old SHA1 behavior? This would be quite helpful for a current project.
I looked around and don't see an option for it.
Disabling SHA256 in java.security doesn't have an effect on generated certificate signatures (regardless of the "Enable algorithms blocked by Java security policy" option). This only has the effect of breaking access to sites using SHA256.
I tried using v1.6. It does use SHA1 for certificates, but I also need to be able to replace Burp's CA cert and that doesn't work (NullPointerException on import attempts, and no luck with a registry import of JavaSoft > Prefs > burp > ca/Cert from a newer version that imports replacement CA certs correctly).
Any help would be appreciated.
There isn’t an option to automatically generate SHA1 certificates. However, you can generate a suitable certificate using the openssl command line, and configure Burp to use that. In Proxy > Options > Proxy Listeners > Edit > Certificate, select “Use a custom certificate”.
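The openssl route suggested in the reply above, as an added example that is not part of the original thread or of Burp's documentation: it creates a self-signed certificate signed with SHA-1, reads back the signature algorithm, and packs key and certificate into one PKCS#12 file. The host name, file names and password are constructed placeholders, and it assumes the custom-certificate option is given a PKCS#12 file and its password.

```bash
# Added example: SHA-1-signed, self-signed certificate bundled as PKCS#12.
# All names and the password used with these functions are placeholders.

# make_sha1_p12 HOST OUTDIR PASSWORD
#   writes OUTDIR/key.pem, OUTDIR/cert.pem and OUTDIR/burp-sha1.p12
make_sha1_p12() {
    local host="$1" dir="$2" pass="$3"
    mkdir -p "$dir" && chmod 700 "$dir" || return 1

    # -sha1 selects the signature digest (the default would be SHA-256).
    # -nodes leaves the private key unencrypted, hence the private directory.
    openssl req -x509 -newkey rsa:2048 -sha1 -nodes -days 365 \
        -subj "/CN=${host}" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
    chmod 600 "$dir/key.pem"

    # Bundle key and certificate; the password protects the PKCS#12 file.
    # (pass: on the command line is visible to other local users.)
    openssl pkcs12 -export -name "$host" \
        -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -out "$dir/burp-sha1.p12" -passout "pass:${pass}" || return 1
}

# sig_alg CERT_PEM
#   prints the certificate's signature algorithm, e.g. sha1WithRSAEncryption
sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk -F': *' '/Signature Algorithm/ { print $2; exit }'
}

# Usage (placeholders):
#   make_sha1_p12 proxy.example.test ./sha1-cert 'changeit'
#   sig_alg ./sha1-cert/cert.pem
```

Some OpenSSL builds refuse SHA-1 signing by system policy; in that case `make_sha1_p12` returns non-zero. Run `sig_alg` on the result before loading it, since a certificate silently signed with another digest would defeat the purpose.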
For reference, I learned in an old support post that the NullPointerException problem in v1.6 was because imported CA certificates had to have a "caCert" alias at that time. Adding a "caCert" alias did indeed allow the CA certificate to be imported, but v1.6 was still unable to function properly after that (cipher errors in the Alerts tab and all connections failing). So, that leaves auto-generation of SHA1 certs off the table for now apparently.
Thanks again for your help.