Pages

Wednesday, December 5, 2012

Burp proxy error: Received fatal alert: unexpected_message

I kept receiving this error in Burp when I was doing an web app pen test: Burp proxy error: Received fatal alert: unexpected_message

This problem isn't a Burp issue, rather a Java issue. It is because of the the Java TLS renegotiation issue documented here: http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html

But who cares, how do you fix it? The link above mentions using -Dsun.security.ssl.allowUnsafeRenegotiation=true but that never worked for me, nor did any of the other blog posts on this issue. I ended up removing my current version of Java and installing an older version which didn't include the fix for the TLS vulnerability I noted above.

JRE 6u35 worked for me: http://www.oracle.com/technetwork/java/javasebusiness/downloads/java-archive-downloads-javase6-419409.html#jre-6u35-oth-JPR

No comments: