SHA1 certificate signatures
It looks like up to about v1.6 SHA1 was used exclusively for certificates, then the switch to SHA256 happened. Is there a way to restore the old SHA1 behavior? This would be quite helpful for a current project.
I looked around and don't see an option for it.
Disabling SHA256 in java.security doesn't have an effect on generated certificate signatures (regardless of the "Enable algorithms blocked by Java security policy" option). This only has the effect of breaking access to sites using SHA256.
I tried using v1.6. It does use SHA1 for certificates, but I also need to be able to replace Burp's CA cert and that doesn't work (NullPointerException on import attempts, and no luck with a registry import of JavaSoft > Prefs > burp > ca/Cert from a newer version that imports replacement CA certs correctly).
Any help would be appreciated.
There isn’t an option to automatically generate SHA1 certificates. However, you can generate a suitable certificate using the openssl command line, and configure Burp to use that. In Proxy > Options > Proxy Listeners > Edit > Certificate select “Use a custom certificate”.
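As a worked illustration of the openssl route suggested above (this is an added example, not code from the thread or from PortSwigger), the script below creates a self-signed CA whose certificate is signed with SHA1 and bundles the key and certificate into the PKCS#12 file that the "Use a custom certificate" option imports. The output directory, the file names, the subject name and the export password are constructed values; it assumes an OpenSSL 1.1.1 or newer command line (for -addext).

```shell
#!/bin/sh
# Added example: generate a SHA1-signed CA certificate with openssl and package
# it as PKCS#12 for Burp's "Use a custom certificate" proxy listener option.
# Paths, subject name and the export password below are constructed values.
set -eu

# gen_sha1_ca OUTDIR NAME [PASSWORD]
#   Writes OUTDIR/NAME.key and OUTDIR/NAME.crt (PEM) plus OUTDIR/NAME.p12.
#   The .p12 and its password are what the listener import dialog asks for.
gen_sha1_ca() {
  outdir=$1
  name=$2
  passwd=${3:-changeit}   # PKCS#12 password (constructed default)

  mkdir -p "$outdir"

  # Self-signed CA: RSA-2048 key, SHA1 signature (-sha1), explicit CA
  # constraints so clients accept it as an issuer rather than a leaf.
  openssl req -x509 -newkey rsa:2048 -nodes -sha1 -days 3650 \
    -subj "/CN=Burp SHA1 CA (example)" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -keyout "$outdir/$name.key" -out "$outdir/$name.crt"

  # Bundle private key and certificate into one PKCS#12 container.
  openssl pkcs12 -export -inkey "$outdir/$name.key" -in "$outdir/$name.crt" \
    -name "$name" -passout "pass:$passwd" -out "$outdir/$name.p12"
}

# sig_alg CERT
#   Prints the signature algorithm openssl reports for a PEM certificate, so
#   the SHA1 requirement can be verified instead of assumed.
sig_alg() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Usage (assumed paths):
#   gen_sha1_ca ./burp-ca burp-sha1 changeit
#   sig_alg ./burp-ca/burp-sha1.crt    # sha1WithRSAEncryption
```

Check the result with sig_alg before importing it; if the listener rejects the file, note that OpenSSL 3.x writes PKCS#12 with AES and PBKDF2 by default, which older Java runtimes cannot read, and the -legacy switch on openssl pkcs12 -export produces the older encoding. Since SHA1 signatures are rejected by current browsers and TLS stacks, keep this CA confined to the legacy client that needs it.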
For reference, I learned in an old support post that the NullPointerException problem in v1.6 was because imported CA certificates had to have a "caCert" alias at that time. Adding a "caCert" alias did indeed allow the CA certificate to be imported, but v1.6 was still unable to function properly after that (cipher errors in the Alerts tab and all connections failing). So, that leaves auto-generation of SHA1 certs off the table for now apparently.
Thanks again for your help.
Of course, it didn't take long for challenges to crop up with the limits of only having one certificate to send to clients. If you can consider allowing multiple custom certificates depending on the host in the future (much like how different client certificates are already allowed for different hosts) and default to auto-gen for other hosts that would be very helpful. I fully understand that if this were added it wouldn't be soon what with v2.0 and everything, so until then I can get by with chaining Burp instances.
Thanks once again.
Pleased to hear you got it working. I’m not sure if we’ll implement multiple custom certificates; it’s a rare requirement and would need a non-trivial UI.
As a workaround you can run multiple proxy listeners, each with different certificates, and use a proxy switcher to direct requests to the right one.
What we may do is make the certificate generation be customizable by an extension.