When Burp Suite connects to a server over an encrypted channel, it relies on the underlying Java security layer through the java.security classes. Java 7 disables the old MD2 algorithm by default in its policy file:
File (Windows): Program Files\Java\jre7\lib\security\java.security
(excerpt)
…
jdk.certpath.disabledAlgorithms=MD2
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing
#
# In some environments, certain algorithms or key lengths may be undesirable
# when using SSL/TLS. This section describes the mechanism for disabling
# algorithms during SSL/TLS security parameters negotiation, including cipher
# suites selection, peer authentication and key exchange mechanisms.
…
So, if we visit any site that supports MD2, Java will raise an exception, preventing Burp from continuing its work. The infamous:
Burp proxy error: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
Just remove 'MD2' from the directive and save the file. The problem is gone, but the whole Java ecosystem is now exposed, and you have to remember to add the constraint again when you finish with Burp.
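To confirm the constraint has been put back after a Burp session, the directive can be checked mechanically. The Python script below is an added example, not part of the original post; its function names and sample file contents are constructed for illustration, and it assumes the `key=value` form shown in the excerpt.

```python
import sys

PROP = "jdk.certpath.disabledAlgorithms"

def logical_lines(text):
    """Yield logical lines of a .properties-style file: comments and blank
    lines skipped, lines ending in a backslash joined with the next one."""
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is None and (not line or line[0] in "#!"):
            continue
        line = (pending or "") + line
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = None
        yield line
    if pending is not None:
        yield pending

def disabled_algorithms(text, prop=PROP):
    """Entries of `prop` (last definition wins), or None if it is never set."""
    entries = None
    for line in logical_lines(text):
        key, sep, value = line.partition("=")
        if sep and key.strip() == prop:
            entries = [e.strip() for e in value.split(",") if e.strip()]
    return entries

def md2_blocked(text):
    """True only if a bare MD2 entry is present in the directive."""
    entries = disabled_algorithms(text) or []
    return any(e.upper() == "MD2" for e in entries)

# Constructed samples, not copied from a real installation.
STOCK = "# policy\njdk.certpath.disabledAlgorithms=MD2\n"
EDITED_FOR_BURP = "# policy\njdk.certpath.disabledAlgorithms=\n"
CONTINUED = "jdk.certpath.disabledAlgorithms=MD2, \\\n    RSA keySize < 1024\n"
COMMENTED_OUT = "#jdk.certpath.disabledAlgorithms=MD2\n"

if __name__ == "__main__":
    # Usage: python check_md2.py <path to java.security>
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        ok = md2_blocked(fh.read())
    print("MD2 is disabled" if ok else "MD2 is NOT disabled: restore the constraint")
    sys.exit(0 if ok else 1)
```

The non-zero exit status when MD2 is missing lets the check run from a logon script or scheduled task, so a forgotten edit gets noticed.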