
I am using Chrome 61.0.3163.100 and Firefox 39 on Windows 7 32-bit with Burp Suite v1.7.

I have imported the latest CA certificate for Burp Suite. In spite of this, it's not working for sites with HSTS and throws the following error in Chrome:

NET::ERR_CERT_AUTHORITY_INVALID

CA certificate

In Firefox it's showing the following error:

An error occurred during a connection to www.google.co.in. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

I have checked the following sources:

Make SSL work with Chrome (yes, I read the installation procs)

Securing a Web application using HSTS

Burp Suite - Although my configurations are correct, still Chrome doens't allows me to access HTTPS sites and throws an error!

What am I missing?

Rahul
  • *"I have checked multiple sources but I didn't found a clear solution to this."* - or in other words: "I've looked around but will not tell you what I saw and tried and how I failed. Figure out yourself what my problem is.". – Steffen Ullrich Oct 25 '17 at 18:27
  • @SteffenUllrich: Thanks for the downvote. I have updated my answer. – Rahul Oct 25 '17 at 18:50
  • much better now. – Steffen Ullrich Oct 25 '17 at 19:04
  • I see you've upgraded Burp. Did you already install the Burp CA in your browser? If you did, you may need to remove it and try again. Please follow the certificate installation instructions precisely. Also, I think your question is not a good fit for Stack Exchange, but we're happy to help if you email support@portswigger.net – PortSwigger Oct 26 '17 at 08:10
  • @PortSwigger: I have installed the CA after upgrading Burp. I have followed all instructions carefully. Like I mentioned, there is a thread with the same issue but it ain't solved yet. – Rahul Oct 26 '17 at 08:59
  • Ok, if you've installed the cert but are still getting NET::ERR_CERT_AUTHORITY_INVALID then something went wrong with the cert install. You need to remove the certificate and try again. Most common error is installing into the wrong store - it must be Trusted Root Certification Authorities. More info [here](https://support.portswigger.net/customer/portal/articles/1783075-installing-burp-s-ca-certificate-in-your-browser) – PortSwigger Oct 26 '17 at 09:57

2 Answers


You get this error because Chrome expects a subject alternative name, as correctly stated in one of the sources you've checked. This problem was already fixed in Burp. From the release notes for Burp version 1.7.20:

> Burp Proxy's generated per-host SSL certificates now include the site's commonName in the subjectAlternativeName extension. Apparently fallback to the commonName was deprecated by RFC2818 (in 2000), and browsers have recently decided to implement this.

But you are using an older version:

> I am using Chrome 61.0.3163.100 on Windows 7 32-bit with Burp Suite v1.6.

Thus, you need to use at least version 1.7.20 to have this problem fixed.

Steffen Ullrich
  • I have downloaded version 1.7.27 but still the problem persists. – Rahul Oct 25 '17 at 21:08
  • @Rahul: in this case please provide the certificate you've got in the browser (the part you've whitened out in your post, i.e. from `----- BEGIN CERTIFICATE...` until the `END CERTIFICATE`) so that one can have a closer look at what you actually get. Please check also that the error you've got after the upgrade of Burp is still the same ERR_CERT_COMMON_NAME_INVALID and not some other one (like invalid issuer - in which case the proxy CA from Burp might have changed). – Steffen Ullrich Oct 26 '17 at 01:36
  • Updated my question. – Rahul Oct 26 '17 at 06:18
  • @Rahul: please provide the certificate as text and not as image so that one can feed it into tools for analysis. Also, you can see that the error is now different: it complains that the issuer is now untrusted - probably because you have a new proxy CA in Burp now. You need to add this new CA as trusted into your browser. – Steffen Ullrich Oct 26 '17 at 06:22
  • Updated question with problems in Firefox and pasted certificate on pastebin. Please have a look. – Rahul Oct 26 '17 at 06:56
  • @Rahul: The certificate you show does not look like something generated by a current Burp version. The certificate neither contains a subject alternative name (fixed in 1.7.20) nor is it signed with SHA-256, but only with SHA-1 (fixed in 1.6.17). I have no idea what you are actually doing. – Steffen Ullrich Oct 26 '17 at 07:20
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/67692/discussion-between-rahul-and-steffen-ullrich). – Rahul Oct 26 '17 at 07:35
  • Nice to see someone reading the release notes :) – PortSwigger Oct 26 '17 at 08:11

It seems that you are using a proxy that inspects HTTPS data. Your proxy generates certificates to supply to clients. However, these certificates are not compatible with Google Chrome, because they contain a Subject field but do not contain the Subject Alternative Names (SAN) certificate extension. I'm not familiar with this software, so here are the options available to you:

  • configure your proxy (if such an option exists) to generate a SAN extension along with filling the Subject field
  • change your web browser
  • contact vendor support (PortSwigger) to resolve the issue
  • change to proxy software that is compatible with Chrome.
Crypt32
  • In my updated question I have mentioned a [source](https://support.portswigger.net/customer/portal/questions/17140958-make-ssl-work-with-chrome-yes-i-read-the-installation-procs-) that has a discussion about the same issue. It's incomplete and the problem is still unsolved. – Rahul Oct 25 '17 at 18:56
  • Why not contact PortSwigger support directly? – Crypt32 Oct 25 '17 at 18:58
  • Like I said, there is already a question asked on the same issue, but the discussion is not complete/the problem is not solved. – Rahul Oct 25 '17 at 19:00
  • Ok, can you post the certificate you are receiving from Burp? – Crypt32 Oct 25 '17 at 19:02
  • You mean the file? How is it relevant? – Rahul Oct 25 '17 at 19:15
  • I mean the public part of the certificate. It may help to reveal some hints for this error. – Crypt32 Oct 25 '17 at 19:18
  • I have updated my question. – Rahul Oct 26 '17 at 06:18
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/67691/discussion-between-rahul-and-crypt32). – Rahul Oct 26 '17 at 07:01
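
Both answers point to a missing Subject Alternative Name in the proxy-generated certificate, and a comment on the first also notes a SHA-1 signature. As an added example (not from the original posts or from PortSwigger), this script checks a PEM certificate for both properties with the `openssl` CLI; the function names, the host `www.example.test` and the two throwaway sample certificates are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: audit a proxy-issued leaf certificate for the two properties
# discussed in the answers. All file names and hosts below are constructed.

# Succeeds if the certificate carries a subjectAltName extension.
has_san() {
    openssl x509 -in "$1" -noout -text | grep -q 'X509v3 Subject Alternative Name'
}

# Prints the signature algorithm, e.g. sha256WithRSAEncryption.
sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk '$1 == "Signature" && $2 == "Algorithm:" { print $3; exit }'
}

# Returns 0 only if the certificate has a SAN and is not SHA-1 signed.
check_leaf() {
    rc=0
    has_san "$1" || { echo "$1: no subjectAltName (Chrome ignores commonName)"; rc=1; }
    case "$(sig_alg "$1")" in
        sha1*) echo "$1: SHA-1 signature"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed test input: two throwaway self-signed certificates,
# one with only a commonName and one that also has a SAN.
make_samples() {
    dir=$1
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = www.example.test
[san]
subjectAltName = DNS:www.example.test
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config "$dir/req.cnf" \
        -keyout "$dir/key.pem" -out "$dir/cn_only.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config "$dir/req.cnf" \
        -extensions san -keyout "$dir/key.pem" -out "$dir/with_san.pem" 2>/dev/null
}

tmp=$(mktemp -d)
make_samples "$tmp"
check_leaf "$tmp/cn_only.pem" || echo "cn_only.pem rejected"
check_leaf "$tmp/with_san.pem" && echo "with_san.pem ok"
```

To check a certificate a browser actually received, export it as PEM and pass the file to `check_leaf`.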