Burp-isms: “Received Fatal Alert”


So you received the dreaded Portswigger Burp “Fatal Alert”?? Mooo hah hah ha…

Yes, I have too. In fact, with more recent versions of Burp, “.25” on, I have found many annoying SSL failures that have lost a lot of time on projects.

NOTE TO Portswigger: Stop with the SSL games. Fix your product so it works with SSL easily, and more so fix your support mechanisms as well.

Back to the issue…

There are two parts to fixing this error.

1. Fix the JCE of your Java install – First and foremost, you must have Java Cryptography Extension (JCE) policy files that support the level of encryption required by the site you are connecting to. To do this, download the Unlimited Strength JCE for your Java version and put the “.jar” files contained in it in the appropriate security path.

To find the right JCE, type the following at the command line:

java -version

In my case, I am running JDK 1.8, so I googled “Unlimited Java Cryptography Extensions version 8” (note: if you’re on version 7, change the 8 to a 7). The first entry in Google results was the download.

What you get is a zip file that looks like jce-policy-<version>.zip. Unzip this file. You should have two jar files: “US_export_policy.jar” and “local_policy.jar”.

Now you will need to find the installation directory of your Java. On most Unix and Windows systems you can pull the path from the “JAVA_HOME” entry. You will want to find the “security” subdirectory. An alternative is to use the Unix/Mac OSX “find” command, or on Windows an Explorer search, such as:

find / -name "local_policy.jar"

On Windows you can just enter “local_policy.jar” into the Explorer “Search” box. Make sure you are searching the whole C or D drives.

This should give you all the locations where the security policy exists. In some OSes there may be separate places for the core Java and other aspects of Java. For instance, on my Mac OSX system I have:

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security

/Library/Java/JavaVirtualMachines/jdk1.8.0_60.jdk/Contents/Home/jre/lib/security

It is best to change the JCE in all locations. Some guides only suggested the JavaAppletPlugin path, but that didn’t fully work. Remember the Burp instance should be running in the core java vm (versus the applet).

Copy the files from the zip you downloaded to these locations (if you do all). You may want to back up the original ones first, but that is optional.

2. Change the SSL Negotiation Options – This step is the more frustrating one. There is no clear guidance from Portswigger on what works, other than “try all combinations”.

[Screenshot: Burp_SSL_Options]

This is what my current Burp/Options/SSL looks like. I found that the settings you see here appear to resolve a lot of the “Fatal Alert” errors. As the wonderful support at Burp advises, toggle them on/off individually until you discover the resolution (GEE!).

This should fix this issue. I hope this helps.
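
To confirm that the policy files from step 1 took effect in the JVM that actually runs Burp, and to see which SSL/TLS protocols that JVM can negotiate before toggling the options in step 2, a small check can be compiled and run with that same Java install. This is an added example, not part of the original post or of Burp; the class name `JceCheck` is hypothetical, and the policy path assumes the JDK 8 and earlier layout (`<java.home>/lib/security`).

```java
import java.io.File;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example (hypothetical class name). Compile and run with the same
// JDK that launches Burp:  javac JceCheck.java && java JceCheck
public class JceCheck {

    // With the limited policy files AES is capped at 128 bits; with the
    // unlimited files the JVM reports Integer.MAX_VALUE.
    static boolean unlimitedPolicy() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") > 128;
    }

    public static void main(String[] args) throws Exception {
        String home = System.getProperty("java.home");
        // Assumption: JDK 8 and earlier layout, <java.home>/lib/security
        File policy = new File(home, "lib/security/local_policy.jar");

        System.out.println("java.version : " + System.getProperty("java.version"));
        System.out.println("java.home    : " + home);
        System.out.println("policy jar   : " + policy
                + (policy.isFile() ? "" : " (not found)"));
        System.out.println("max AES bits : " + Cipher.getMaxAllowedKeyLength("AES"));

        // What this JVM's default TLS provider is able to negotiate
        SSLParameters tls = SSLContext.getDefault().getSupportedSSLParameters();
        System.out.println("protocols    : " + Arrays.toString(tls.getProtocols()));
        int aes256 = 0;
        for (String suite : tls.getCipherSuites()) {
            if (suite.contains("AES_256")) aes256++;
        }
        System.out.println("AES_256 cipher suites reported: " + aes256);

        if (!unlimitedPolicy()) {
            System.out.println("RESULT: limited-strength policy still active in this JVM");
            System.exit(1);
        }
        System.out.println("RESULT: unlimited-strength policy active");
    }
}
```

If the result still shows the limited policy, compare the printed `java.home` with the directories where you copied the jars; Burp may be launched by a different Java install than the one you patched.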
