Options: SSL

This tab contains settings for SSL negotiation, Java SSL options, and client and server SSL certificates.

Note: Some of these options can be defined at both the user and project level. For these options, you can configure your normal options at the user level, and then override these if required on a per-project basis.

SSL Negotiation

These settings control the SSL protocols and ciphers that Burp will use when performing SSL negotiation with upstream servers. You can configure Burp to use the default protocols and ciphers of your Java installation, or override these defaults and enable specific protocols and ciphers as required.

Sometimes, you may have difficulty negotiating SSL connections with certain web servers. The Java SSL stack contains a few gremlins, and fails to work with certain unusual server configurations. To help you troubleshoot this problem, Burp lets you specify which protocols and ciphers should be offered to servers during SSL negotiations.

The following other options are available:

  • Automatically select compatible SSL parameters on negotiation failure - If this option is enabled, then when Burp fails to negotiate SSL using the configured protocols and ciphers, it will probe the server to try and establish a set of compatible SSL parameters that are supported by both the server and Java. If compatible parameters are found, Burp caches this information and uses the parameters in the first instance for future negotiations with the same server. This option is generally desirable and can avoid the need to troubleshoot SSL issues and experiment with protocols and ciphers.
  • Allow unsafe SSL renegotiation - This option may be necessary when using some client SSL certificates, or attempting work around other SSL problems.

Java SSL Options

These settings can be used to enable certain SSL features that might be needed to successfully connect to some servers.

The following options are available:

  • Enable algorithms blocked by Java security policy - As of Java 7, the Java security policy can be used to block certain obsolete algorithms from being used in SSL negotiation, and some of these are blocked by default (such as MD2). Many live web servers have SSL certificates that use these obsolete algorithms, and it is not possible to connect to these servers using the default Java security policy. Enabling this option allows Burp to use the obsolete algorithms when connecting to the affected servers. Changes to this option take effect when you restart Burp.
  • Disable Java SNI extension - As of Java 7, the SSL Server Name Indication (SNI) extension is implemented and enabled by default. Some misconfigured web servers with SNI enabled send an "Unrecognized name" warning in the SSL handshake. Whilst browsers ignore this warning, the Java implementation does not, and fails to connect. You can use this option to disable the Java SNI extension, and so connect to the affected servers. Changes to this option take effect when you restart Burp.

Client SSL Certificates

These settings let you configure the client SSL certificates that Burp will use when a destination host requests one. You can configure multiple certificates, and specify the hosts for which each certificate should be used. When a host requests a client SSL certificate, Burp will use the first certificate in the list whose host configuration matches the name of the host being contacted.

You can use wildcards in the destination host specification (* matches zero or more characters, and ? matches any character except a dot). To use a single certificate whenever any host requests one, use * as the destination host.

The following types of client certificates are supported:

  • File (PKCS#12) - You will need to configure the location of the certificate file and the password for the certificate.
  • Hardware token or smartcard (PKCS#11) - You will need to configure the location of the PKCS#11 library file for your device, your PIN code, and select the certificate from those that are available. The PKCS#11 library file is a native code file that is installed with the software for your device. On Windows, Burp can automatically search common locations to find the library files that you have installed.

Note: Java does not currently support PKCS#11 on 64-bit versions of Windows.

Server SSL Certificates

This information-only panel contains details of all X509 certificates received from web servers. Double-click an item in the table to display the full details of the certificate.