Re: [Burp-users] SSL accept error
From: Graham K. <gr...@gr...> - 2021-05-30 11:03:20
On Thu, May 27, 2021 at 08:30:42PM +0200, Hans Vh wrote:
> Hi all,
>
> After the upgrade to 2.4 I am having problems with one server (windows
> server 2016).
> I already removed on the server the burp dir and uninstalled on the windows
> server and removed burp directory.
>
> I reinstalled everything.
>
> On my other clients everything works fine.
>
> On that windows server client, I keep getting:
>
> 2021-05-27 20:18:15: burp[35624] windows drives detected: CDEF
> 2021-05-27 20:18:15: burp[35624] Could not find ssl_cert C:/Program
> Files/Burp/ssl_cert-client.pem: Unknown error
> 2021-05-27 20:18:15: burp[35624] Could not find ssl_key C:/Program
> Files/Burp/ssl_cert-client.key: Unknown error
> 2021-05-27 20:18:15: burp[35624] Could not find ssl_cert_ca C:/Program
> Files/Burp/ssl_cert_ca.pem: Unknown error
> 2021-05-27 20:18:15: burp[35624] Connecting to xxxxx:4971
> 2021-05-27 20:18:16: burp[35624] SSL connect error
>
> On the server I am getting the following message:
>
> 2021-05-27 20:22:01 +0200: burp[27830] Connect from peer:XXXXXX:41624
> 2021-05-27 20:22:01 +0200: burp[27830] 0/15 child processes running on
> listen 0.0.0.0:4971
> 2021-05-27 20:22:01 +0200: burp[27830] Child 1 available
> 2021-05-27 20:22:01 +0200: burp[27830] forked child on 0.0.0.0:4971: 27833
> 2021-05-27 20:22:01 +0200: burp[27833] SSL_accept error
> 2021-05-27 20:22:01 +0200: burp[27833] exit child
> 2021-05-27 20:22:01 +0200: burp[27830] pipe from child 9: end of data
> 2021-05-27 20:22:01 +0200: burp[27830] pipe from child 9: disconnected fd 9
>
> I really have no idea how to solve this.
>
> The server's firewall is blocking most of the outbound and inbound traffic
> but port 4971 is open. I tested it with the Test-Netconnection tool and
> port 4971 is open.
> So that's not the problem.
>
> What else can I try or do?
Hello,
I also don't know why this is happening for you.
But maybe you can get more information on both the server side and client
side by making something like the following changes.
- src/client/main.c for the client (tricky because you need to recompile
for windows)
- src/ssl.c for the server
I will test and add these changes for the next release.
diff --git a/src/client/main.c b/src/client/main.c
index 0c45761c..d80c1567 100644
--- a/src/client/main.c
+++ b/src/client/main.c
@@ -228,6 +228,7 @@ static int ssl_setup(int *rfd, SSL **ssl, SSL_CTX **ctx,
ssl_load_globals();
char *cp=NULL;
char *server_copy=NULL;
+ int ssl_ret;
if(!(server_copy=strdup_w(server, __func__)))
goto end;
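Review bot: `int ssl_ret;` is declared without an initialiser, while the declarations beside it (`char *cp=NULL;`, `char *server_copy=NULL;`) are all initialised. It is assigned before it is read, so this is harmless, but `int ssl_ret=0;` would match the neighbours and the `int r=0;` used in the src/ssl.c part of this patch.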
@@ -309,9 +310,10 @@ static int ssl_setup(int *rfd, SSL **ssl, SSL_CTX **ctx,
goto end;
}
SSL_set_bio(*ssl, sbio, sbio);
- if(SSL_connect(*ssl)<=0)
+ if((ssl_ret=SSL_connect(*ssl))<=0)
{
- logp_ssl_err("SSL connect error\n");
+ logp_ssl_err("SSL connect error: %d\n",
+ SSL_get_error(*ssl, ssl_ret));
goto end;
}
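Review bot: SSL_get_error() in the new `logp_ssl_err` call consults the thread's OpenSSL error queue as well as ssl_ret, and no ERR_clear_error() is visible before SSL_connect() in this hunk, whereas ssl_do_accept() in src/ssl.c clears the queue before SSL_accept(). Call ERR_clear_error() just before SSL_connect() so a stale queue entry cannot skew the code that gets logged. A bare `%d` is also hard to interpret in a user's log, so consider printing the SSL_ERROR_* name next to the number.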
diff --git a/src/ssl.c b/src/ssl.c
index 45a70e33..9b8d1f52 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -11,28 +11,27 @@ int ssl_do_accept(SSL *ssl)
{
while(1)
{
- int r;
+ int r=0;
+ int ssl_err;
ERR_clear_error();
switch((r=SSL_accept(ssl)))
{
case 1:
return 0;
case 0:
- goto error;
default:
- switch(SSL_get_error(ssl, r))
+ ssl_err=SSL_get_error(ssl, r);
+ switch(ssl_err)
{
case SSL_ERROR_WANT_READ:
continue;
default:
- goto error;
+ logp_ssl_err("SSL_accept error: %d\n", ssl_err);
+ return -1;
}
break;
}
}
-error:
- logp_ssl_err("SSL_accept error\n");
- return -1;
}
int ssl_load_dh_params(SSL_CTX *ctx, struct conf **confs)
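Review bot: with `goto error;` removed, `case 0:` now falls through into `default:` with no marker, so it reads like a dropped line rather than a deliberate choice. Add a `/* fall through */` comment there or merge the two labels. The `break;` after the inner switch is now unreachable, since every inner branch either continues or returns, and can be dropped.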