Handling the handshake alert unrecognized_name error when Burp Suite intercepts HTTPS
javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name
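Explanation
An update to JDK 1.7 added a new feature: support for Server Name Indication (SNI) became enabled by default.
Roughly speaking, the hostname is now checked during the TLS handshake: the client sends the hostname it is connecting to, and when the server answers with an unrecognized_name alert, Java aborts the handshake with the exception above.
The following is quoted from Wikipedia: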
Server Name Indication (SNI) is an extension to the TLS protocol[1] that indicates what hostname the client is attempting to connect to at the start of the handshaking process. This allows a server to present multiple certificates on the same IP address and port number and hence allows multiple secure (HTTPS) websites (or any other Service over TLS) to be served off the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 virtual hosting for HTTPS.
Solution
Via a Java option
java -Djsse.enableSNIExtension=false -jar burpsuite_pro_v1.7.32.jar
Via Burp's built-in setting
User Option > SSL > Disable Java SNI extension (requires restart)
Other steps that may help when troubleshooting SSL problems
Change the supported protocols
java -Djdk.tls.client.protocols="TLSv1,TLSv1.1" -jar burpsuite_pro_v1.7.32.jar
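Change some other TLS-related settings in the JRE's security properties file, which applies to every Java application run with that JRE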
JAVA_HOME/jre/lib/security/java.security
For example
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
change to
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
or simply leave them empty, which re-enables everything the defaults blocked
jdk.certpath.disabledAlgorithms=
jdk.tls.disabledAlgorithms=
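An added example, not part of the original post: rather than editing the JRE-wide java.security, the relaxed values can be written to a separate file and applied to the Burp process alone through the standard -Djava.security.properties option. The function names and the override file path are assumptions made for this sketch; the property values are the ones shown above.

```shell
#!/bin/sh
# Added example: scope the page's relaxed settings to the Burp process only.
# Function names and the override path are assumptions of this sketch.

# Values copied from the page: JRE defaults and their relaxed replacements.
DEFAULT_CERTPATH='MD2, MD5, RSA keySize < 1024'
RELAXED_CERTPATH='MD2, RSA keySize < 1024'
DEFAULT_TLS='SSLv3, RC4, MD5withRSA, DH keySize < 768'
RELAXED_TLS='SSLv3, RC4, DH keySize < 768'

# Print the entries of list $1 that are missing from list $2, i.e. what the
# relaxed value re-enables. Lists are comma-separated as in java.security.
reenabled() {
    old_ifs=$IFS; IFS=','
    out=''
    for item in $1; do
        item=$(printf '%s' "$item" | sed 's/^ *//; s/ *$//')
        case ", $2," in
            *", $item,"*) ;;                      # still disabled
            *) out="${out:+$out,}$item" ;;        # dropped from the list
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# Write a per-process override file; the JRE's own java.security is untouched.
write_override() {
    {
        printf 'jdk.certpath.disabledAlgorithms=%s\n' "$RELAXED_CERTPATH"
        printf 'jdk.tls.disabledAlgorithms=%s\n' "$RELAXED_TLS"
    } > "$1"
}

# Print the launch command: SNI disabled as on the page, plus the override.
# The override is honoured while java.security keeps its default
# security.overridePropertiesFile=true.
burp_cmd() {
    printf 'java -Djsse.enableSNIExtension=false -Djava.security.properties=%s -jar %s\n' "$2" "$1"
}

# Runs only when BURP_JAR is set, e.g. BURP_JAR=burpsuite_pro_v1.7.32.jar
if [ -n "${BURP_JAR:-}" ]; then
    OVERRIDE="${TMPDIR:-/tmp}/burp-java.security"
    write_override "$OVERRIDE"
    echo "certpath re-enables: $(reenabled "$DEFAULT_CERTPATH" "$RELAXED_CERTPATH")"
    echo "tls re-enables: $(reenabled "$DEFAULT_TLS" "$RELAXED_TLS")"
    burp_cmd "$BURP_JAR" "$OVERRIDE"
fi
```

The script prints the command instead of running it, so the re-enabled algorithms can be reviewed before Burp is started with them.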
References
Mitigating Burp Suite error “burpsuite handshake alert: unrecognized_name”