TLS Certificate Issue

Hi, I have updated the domain nameservers to Cloudflare and I have created an e-commerce website. On Cloudflare, I have enabled serving the website over HTTPS. We want to integrate a payment method with a local bank, and we needed to send the website to the bank's security team for testing. Today I received documentation from the bank about some critical errors to fix, which they found using Burp Suite Professional, and one was related to the Cloudflare certificate. Below is the description of the error:

Issue detail

The following problem was identified with the server’s TLS certificate:

  • The server’s certificate is not trusted.

Note: Burp relies on the Java trust store to determine whether certificates are trusted. The Java trust store does not include every root CA certificate that is included within browser trust stores. Burp might incorrectly report that a certificate is not trusted, if a valid root CA certificate is being used that is not included in the Java trust store.

The server presented the following certificates:

Server certificate

Issued to: sni.cloudflaressl.com, *.website-name.com, website-name.com
Issued by: Cloudflare Inc ECC CA-3
Valid from: Sun Mar 14 01:00:00 CET 2021
Valid to: Mon Mar 14 00:59:59 CET 2022

Certificate chain #1

Issued to: Cloudflare Inc ECC CA-3
Issued by: Baltimore CyberTrust Root
Valid from: Mon Jan 27 13:48:08 CET 2020
Valid to: Wed Jan 01 00:59:59 CET 2025

Certificate chain #2

Issued to: Baltimore CyberTrust Root
Issued by: Baltimore CyberTrust Root
Valid from: Fri May 12 20:46:00 CEST 2000
Valid to: Tue May 13 01:59:00 CEST 2025

Issue background

TLS (or SSL) helps to protect the confidentiality and integrity of information in transit between the browser and server, and to provide authentication of the server’s identity. To serve this purpose, the server must present a TLS certificate that is valid for the server’s hostname, is issued by a trusted authority and is valid for the current date. If any one of these requirements is not met, TLS connections to the server will not provide the full protection for which TLS is designed.

It should be noted that various attacks exist against TLS in general, and in the context of HTTPS web connections in particular. It may be possible for a determined and suitably-positioned attacker to compromise TLS connections without user detection even when a valid TLS certificate is used.

How can I resolve this critical error, which the bank security team reported using Burp Suite Professional?

It looks like Burp knows they may return False Positives. It would seem to me that any audit would take a closer look at their findings, rather than kick it down to the customer to resolve.
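The point the reply makes, that this finding depends on the scanner's trust store rather than on anything the server sends, can be shown with openssl. The script below is an added example, not code from the thread, Cloudflare or PortSwigger: it constructs a throwaway root, intermediate and leaf certificate (the CA names and the hostname shop.example.test are made up), then path-validates the identical leaf and intermediate against a trust store that contains the issuing root and against one that does not. The chain is the same in both runs; only the verifier's trust store differs, which is exactly the situation Burp's note describes for the Java cacerts file.

```shell
#!/bin/sh
# Added example (not from the thread): build a constructed three-tier chain
# root -> intermediate -> leaf with openssl, then verify the same leaf against
# two trust stores. The chain never changes; only what the verifier trusts does.
# All CA names and the hostname below are made up for the demonstration.
# Requires openssl 1.1.1 or newer (-verify_hostname, EC key generation via req).
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

LEAF_HOST="shop.example.test"   # hypothetical hostname; SAN list mirrors the page's shape

# new_csr NAME SUBJECT: generate a P-256 key and a CSR without prompting.
new_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "$2" >/dev/null 2>&1
}

# Extension profiles: one for CA certificates (root and intermediate), one for the leaf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s,DNS:*.%s\n' \
  "$LEAF_HOST" "$LEAF_HOST" > leaf.ext

# Two self-signed roots: the one that actually anchors our chain, and an
# unrelated one standing in for "a trust store that lacks the right root".
new_csr root "/CN=Constructed Test Root"
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.pem >/dev/null 2>&1
new_csr other-root "/CN=Unrelated Test Root"
openssl x509 -req -in other-root.csr -signkey other-root.key -days 30 -extfile ca.ext -out other-root.pem >/dev/null 2>&1

# Intermediate CA signed by the root (plays the role of "Cloudflare Inc ECC CA-3" on the page).
new_csr int "/CN=Constructed Test Intermediate CA"
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile ca.ext -out int.pem >/dev/null 2>&1

# Leaf signed by the intermediate, with the hostname in subjectAltName.
new_csr leaf "/CN=$LEAF_HOST"
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 30 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1

# verify_chain TRUSTSTORE HOSTNAME: path-validate leaf.pem, supplying the
# intermediate as untrusted (the way a server sends it in the handshake) and
# trusting only the roots in TRUSTSTORE. Also matches HOSTNAME against the SAN
# list. Returns openssl's own exit status (0 = chain valid for that verifier).
verify_chain() {
  openssl verify -CAfile "$1" -untrusted int.pem -verify_hostname "$2" leaf.pem >/dev/null 2>&1
}

# report TRUSTSTORE: human-readable outcome for one trust store.
report() {
  if verify_chain "$1" "$LEAF_HOST"; then
    echo "trust store $1: chain for $LEAF_HOST accepted"
  else
    echo "trust store $1: chain for $LEAF_HOST rejected (this verifier lacks the issuing root)"
  fi
}

report root.pem         # same chain, issuing root present in the store: accepted
report other-root.pem   # same chain, issuing root absent from the store: rejected
```

Against the real site the equivalent check is to capture what the edge actually serves with `openssl s_client -connect website-name.com:443 -servername website-name.com -showcerts </dev/null` and validate it against the system trust store, and then to confirm whether the reported root is in the scanner's store: on JDK 9 and later, `keytool -list -cacerts -storepass changeit` lists the default Java trust store, so the tester can search it for the Baltimore CyberTrust Root named in the report before treating the finding as a server-side defect.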
