java - Burp Suite proxy with a Java application
Problem description
I have a Java application that accepts proxy settings.
I exported the DER certificate from Burp Suite
and imported this certificate into the Java keystore with keytool:
keytool -import -trustcacerts -file ~/cacert_7.der -alias BURPSUITE -keystore /home/dmitriy/Test/java/lib/security/cacerts -storepass
Then I checked that it was added:
keytool -keystore /home/dmitriy/Test/java/lib/security/cacerts -list -storepass burp, 03.05.2018, trustedCertEntry, Certificate fingerprint (SHA1): 0A:3E:E0:C0:73:E6:0E:D9:5C:8F:0A:CC:31:E1:33:37:55:2A:85:BF
I run my application:
java -jar Chameleon.jar -Djavax.net.ssl.trustStore=/home/dmitriy/Test/java/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=***
But I still get an error:
sun.security.validator.ValidatorException: No trusted certificate found
I imported this certificate into a browser and it works fine, but there is a problem with Java.
java -version
java version "1.8.0_131"
Java(TM) SE Runtime Environment (build 1.8.0_131-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.131-b11, mixed mode)
I tried Fiddler and got the following error:
The server (host.com) presented a certificate that did not validate, due to RemoteCertificateChainErrors.
0 - PartialChain
Issuer: CN=RapidSSL SHA256 CA,O=GeoTrust Inc.,C=US
Update:
When running with the parameter -Djavax.net.debug=all:
adding as trusted cert:
Subject: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
Algorithm: RSA; Serial number: 0x1be715
Valid from Wed Jan 01 09:00:00 EET 2014 until Fri May 30 10:00:00 EEST 2031
adding as trusted cert:
Subject: CN=RapidSSL CA, O="GeoTrust, Inc.", C=US
Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
Algorithm: RSA; Serial number: 0x236d1
Valid from Sat Feb 20 00:45:05 EET 2010 until Wed Feb 19 00:45:05 EET 2020
I tried regenerating the certificate with the "use custom protocols and ciphers" option, but the certificate is still not trusted:
Owner: CN=PortSwigger CA, OU=PortSwigger CA, O=PortSwigger, L=PortSwigger, ST=PortSwigger, C=PortSwigger
Issuer: CN=PortSwigger CA, OU=PortSwigger CA, O=PortSwigger, L=PortSwigger, ST=PortSwigger, C=PortSwigger
Serial number: 536e02a9
Valid from: Sat May 10 13:42:49 EEST 2014 until: Mon May 10 13:42:49 EEST 2038
Certificate fingerprints:
MD5: FC:8B:C8:A1:9E:92:08:33:F2:0B:34:F1:48:85:D0:BB
SHA1: 21:C3:01:1C:9E:7C:06:92:2E:A9:B7:38:12:3B:3D:8E:FA:39:72:17
SHA256: 36:EE:79:A9:7A:5E:4E:E5:4C:8B:5E:AD:6B:9C:2F:A8:EA:63:A6:65:44:9E:4B:20:5E:DE:EA:37:32:FB:C5:96
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]
#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: D1 92 05 BB 78 6B 76 71 64 92 E2 F9 9A C8 81 CA ....xkvqd.......
0010: E1 71 BF 81 .q..
]
]
Update 2:
The problem was with trustcacerts: this file is inside the jar archive. So I took this file out of the jar, imported my certificate into it, then moved it back and started the application.
Solution
It looks like you have followed the correct procedure, as described in this article:
However, your java arguments are in the wrong order. The command you run the application with should look like:
java -Djavax.net.ssl.trustStore=/home/dmitriy/Test/java/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=* -jar Chameleon.jar
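To confirm which trust store the JVM actually sees and whether the exported Burp CA is in it, here is a small diagnostic added for this page (not code from the question or the answer). It assumes the DER file and cacerts path from the question; run it with the -D properties before the class name, exactly as the answer puts them before -jar.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public class TrustStoreCheck {

    // Open the keystore file; a null password still allows reading a JKS cacerts.
    public static KeyStore loadTrustStore(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password == null ? null : password.toCharArray());
        }
        return ks;
    }

    // Parse the DER certificate exported from Burp (cacert_7.der in the question).
    public static X509Certificate readDer(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // Alias under which this exact certificate is stored, or null when the keystore
    // does not contain it (wrong keystore file, or an import that never persisted).
    public static String aliasOf(KeyStore ks, X509Certificate cert) throws Exception {
        return ks.getCertificateAlias(cert);
    }

    public static void main(String[] args) throws Exception {
        // Same properties the question sets with -D. If they are placed after -jar (or
        // after the class name) they arrive in args[] instead and both reads return null.
        String storePath = System.getProperty("javax.net.ssl.trustStore");
        String storePass = System.getProperty("javax.net.ssl.trustStorePassword");
        System.out.println("program args: " + String.join(" ", args));
        System.out.println("javax.net.ssl.trustStore = " + storePath);
        if (storePath == null || args.length < 1) {
            System.out.println("usage: java -Djavax.net.ssl.trustStore=<cacerts> "
                    + "[-Djavax.net.ssl.trustStorePassword=<pw>] TrustStoreCheck <burp-ca.der>");
            return;
        }
        KeyStore ks = loadTrustStore(storePath, storePass);
        X509Certificate burpCa = readDer(args[0]);
        String alias = aliasOf(ks, burpCa);
        System.out.println("Burp CA subject: " + burpCa.getSubjectX500Principal());
        System.out.println(alias == null ? "NOT in trust store" : "present as alias '" + alias + "'");
    }
}
```

If "javax.net.ssl.trustStore = null" is printed while the path shows up under "program args", the -D option was placed after the main class or jar, which is the ordering mistake the answer describes; a null alias with the property set means the application is reading a different cacerts, such as one bundled inside the jar as in Update 2.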