Fiddler's HTTPS Decryption feature is enabled, but this specific tunnel was configured not to


Yuriy Galanter

Dec 9, 2014, 11:34:20 AM
to httpf...@googlegroups.com
This has probably been asked before, but I couldn't find relevant information and this is the first time it has happened to me. I'm trying to capture/decrypt traffic from an ASP.NET web application (web.config modified accordingly to point to Fiddler as a proxy). Getting this:

HTTP/1.1 200 Connection Established
FiddlerGateway: Direct
StartTime: 08:10:40.453
Connection: close
EndTime: 08:10:40.547
ClientToServerBytes: 432
ServerToClientBytes: 3286
 
This is a CONNECT tunnel, through which encrypted HTTPS traffic flows.
Fiddler's HTTPS Decryption feature is enabled, but this specific tunnel was configured not to be decrypted. Settings can be found inside Tools > Fiddler Options > HTTPS.
 
A SSLv3-compatible ServerHello handshake was found. Fiddler extracted the parameters below.
 
Version: 3.1 (TLS/1.0)
SessionID:      54 87 1E 5C 03 C7 16 81 E6 25 E8 8F 48 C0 42 52 23 B6 5B 04 4F 4D 69 67 11 F2 9E 09 D0 27 77 2D
Random:         54 87 1F 00 0D 37 FF 22 3E 6A 10 BF 4D 4F 67 ED C2 D2 97 A9 66 B2 CF 56 0D 8C 7C E5 6B 2E 2E A1
Cipher:         TLS_RSA_AES_128_SHA [0x002F]
CompressionSuite:       NO_COMPRESSION [0x00]
Extensions:
renegotiation_info      00

The web server has antivirus running, but I don't think it intercepts the traffic ("w3p" is displayed in the Process column for the session). Any idea what's going on and how to make it decrypt the traffic?

EricLaw

Dec 9, 2014, 2:48:53 PM
"Settings can be found inside Tools > Fiddler Options > HTTPS"

Inside that dialog, is the dropdown set to "... from all processes."?

If so, right-click the session. Choose Properties. What's the value of the X-No-Decrypt flag?

Yuriy Galanter

Dec 10, 2014, 9:49:24 AM
to httpf...@googlegroups.com
Yup, it is set to "all processes". Here are the session properties, but I don't see "X-No-Decrypt" there:

SESSION STATE: Done.
Request Entity Size: 934 bytes.
Response Entity Size: 685 bytes.

== FLAGS ==================
BitFlags: [ResponseGeneratedByFiddler, IsBlindTunnel] 0x1100
HTTPS-CLIENT-SESSIONID: 54 87 A2 6C 23 5B 68 2C EF 5E F2 BB 7D B7 C7 3E AD F4 BC EF E5 6C FB 2D E7 93 21 09 60 0E 8D 9E
HTTPS-SERVER-CIPHER: TLS_RSA_AES_128_SHA
HTTPS-SERVER-SESSIONID: 54 87 A2 6C 23 5B 68 2C EF 5E F2 BB 7D B7 C7 3E AD F4 BC EF E5 6C FB 2D E7 93 21 09 60 0E 8D 9E
X-CLIENTIP: 127.0.0.1
X-CLIENTPORT: 49865
X-EGRESSPORT: 49866
X-HOSTIP: 10.70.152.174
X-HTTPS-DECRYPTION-ERROR: Could not find or generate interception certificate.
X-PROCESSINFO: w3wp:3128
X-RESPONSEBODYTRANSFERLENGTH: 0

== TIMING INFO ============
ClientConnected:     17:31:25.207
ClientBeginRequest:  17:31:25.207
GotRequestHeaders:   17:31:25.207
ClientDoneRequest:   17:31:25.207
Determine Gateway:   0ms
DNS Lookup:          0ms
TCP/IP Connect:      0ms
HTTPS Handshake:     0ms
ServerConnected:     17:31:25.207
FiddlerBeginRequest: 17:31:25.207
ServerGotRequest:    17:31:25.207
ServerBeginResponse: 00:00:00.000
GotResponseHeaders:  00:00:00.000
ServerDoneResponse:  17:31:25.332
ClientBeginResponse: 17:31:25.332
ClientDoneResponse:  17:31:25.332

       Overall Elapsed:     00:00:00.1250016

The response was buffered before delivery to the client.

== WININET CACHE INFO ============
This URL is not present in the WinINET cache. [Code: 2]
* Note: Data above shows WinINET's current cache state, not the state at the time of the request.
* Note: Data above shows WinINET's Medium Integrity (non-Protected Mode) cache only

EricLaw

Dec 10, 2014, 9:51:54 AM
to httpf...@googlegroups.com
The problem is here:
X-HTTPS-DECRYPTION-ERROR: Could not find or generate interception certificate.

Click Tools > Fiddler Options > HTTPS. Untick "Decrypt HTTPS traffic." Push the "Remove Interception Certificates" button. Accept all prompts. Retick "Decrypt HTTPS traffic." Accept all prompts.

Yuriy Galanter

Dec 16, 2014, 11:05:26 AM
to httpf...@googlegroups.com
Redid all that - still same decrypt error message. Any idea what else could be going on? 

EricLaw

Dec 18, 2014, 12:01:45 PM
to httpf...@googlegroups.com
Go to Fiddler's LOG tab in the failing scenario. Copy the text and paste it here.

Paul Shirley

Dec 22, 2014, 6:25:38 AM
to httpf...@googlegroups.com
I'm getting a similar error message.

I am running Windows 8.1 and just had a clean install last week. I installed the cert maker plugin but was getting the message "Fiddler's HTTPS Decryption feature is enabled, but this specific tunnel was configured not to be decrypted. Settings can be found inside Tools > Fiddler Options > HTTPS". Because of this I uninstalled the cert maker plugin and HTTPS decryption was working fine. I then started to get the same error message as (https://groups.google.com/forum/#!searchin/httpfiddler/joesoft/httpfiddler/nsNNczdG2y4/MJ9s1sbyPc0J) so I reinstalled the Cert Maker.

Tools -> Fiddler Options -> HTTPS is set to ... from all processes

The following is data going to https://microsoft.com
______________________________________________________________________________________________________________________________

This is a CONNECT tunnel, through which encrypted HTTPS traffic flows.
Fiddler's HTTPS Decryption feature is enabled, but this specific tunnel was configured not to be decrypted. Settings can be found inside Tools > Fiddler Options > HTTPS.

A SSLv3-compatible ServerHello handshake was found. Fiddler extracted the parameters below.

Version: 3.3 (TLS/1.2)
SessionID: empty
Random: 54 97 FC F2 9E B0 06 8E 35 A4 17 89 02 1D E3 B4 AE 66 26 F0 AA A7 F9 B6 B6 9F 05 0C A8 16 25 84
Cipher: SSL_RSA_WITH_RC4_128_SHA [0x0005]
CompressionSuite: NO_COMPRESSION [0x00]
Extensions:
server_name empty
SessionTicket empty

___________________________________________________________________________________

This is a Tunnel. Status: CLOSED, Raw Bytes Out: 527; In: 3,585

The selected session is a HTTP CONNECT Tunnel. This tunnel enables a client to send raw traffic (e.g. HTTPS-encrypted streams or WebSocket messages) through a HTTP Proxy Server (like Fiddler).

This tunnel was exempt from HTTPS-decryption.


Request Count:   1
Bytes Sent:      213 (headers:213; body:0)
Bytes Received:  183 (headers:183; body:0)
Tunnel Sent:     527
Tunnel Received: 3,585

ACTUAL PERFORMANCE
--------------
ClientConnected: 11:13:53.770
ClientBeginRequest: 11:13:53.770
GotRequestHeaders: 11:13:53.770
ClientDoneRequest: 11:13:53.770
Determine Gateway: 0ms
DNS Lookup: 0ms
TCP/IP Connect: 4ms
HTTPS Handshake: 0ms
ServerConnected: 11:13:53.775
FiddlerBeginRequest: 11:13:53.775
ServerGotRequest: 11:13:53.775
ServerBeginResponse: 00:00:00.000
GotResponseHeaders: 00:00:00.000
ServerDoneResponse: 11:13:53.838
ClientBeginResponse: 11:13:53.838
ClientDoneResponse: 11:13:53.838

Overall Elapsed: 0:00:00.068

RESPONSE BYTES (by Content-Type)
--------------
~headers~: 183



___________________________________________________________________________________

The log is full of the following error message.


   at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
   at BCCertMaker.BCCertMaker.ConvertBCPrivateKeyToDotNet(RsaPrivateCrtKeyParameters bcPVK, String sKeyName)
   at BCCertMaker.BCCertMaker.CreateCertificateFromCA(String sCN, X509Certificate caCert, AsymmetricKeyParameter caKey)
   at BCCertMaker.BCCertMaker.MakeNewCert(String sHostname)
11:13:53:8243 fiddler.https> Failed to obtain certificate for i.microsoft.com due to Certificate Maker returned null when asked for a certificate for i.microsoft.com
11:15:08:9293 Fiddler.BCCertMaker> Failed to create certificate for roaming.officeapps.live.com: Key not valid for use in specified state.

Yuriy Galanter

Dec 23, 2014, 3:31:05 PM
to httpf...@googlegroups.com
@EricLaw - this is what I am getting:

11:11:48:0811 Fiddler Running...
11:11:50:5030 Fiddler.Network.AutoProxy> AutoProxy Detection failed.
11:11:50:5030 AutoProxy failed. Disabling for this network.
11:11:50:5186 Fiddler ICertificateProvider v1.4.9.4 loaded.
    fiddler.certmaker.bc.Debug:    False
    ObjectID:                      0x3296db7
11:12:39:3317 Fiddler.BCCertMaker> Failed to create certificate for 10.70.152.174: The profile for the user is a temporary profile.

   at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
   at BCCertMaker.BCCertMaker.ConvertBCPrivateKeyToDotNet(RsaPrivateCrtKeyParameters bcPVK, String sKeyName)
   at BCCertMaker.BCCertMaker.CreateCertificateFromCA(String sCN, X509Certificate caCert, AsymmetricKeyParameter caKey)
   at BCCertMaker.BCCertMaker.MakeNewCert(String sHostname)
11:12:39:3317 fiddler.https> Failed to obtain certificate for 10.70.152.174 due to Certificate Maker returned null when asked for a certificate for 10.70.152.174
11:12:40:0661 Fiddler.BCCertMaker> Failed to create certificate for 10.70.152.174: The profile for the user is a temporary profile.

   at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
   at BCCertMaker.BCCertMaker.ConvertBCPrivateKeyToDotNet(RsaPrivateCrtKeyParameters bcPVK, String sKeyName)
   at BCCertMaker.BCCertMaker.CreateCertificateFromCA(String sCN, X509Certificate caCert, AsymmetricKeyParameter caKey)
   at BCCertMaker.BCCertMaker.MakeNewCert(String sHostname)
11:12:40:0661 fiddler.https> Failed to obtain certificate for 10.70.152.174 due to Certificate Maker returned null when asked for a certificate for 10.70.152.174


Andrey Makhnutin

Jul 13, 2015, 11:23:03 AM
to httpf...@googlegroups.com
Hello!

I just had a similar problem with the same symptoms. I see the same error in Session Properties:
X-HTTPS-DECRYPTION-ERROR: Could not find or generate interception certificate.

And it happened the day after I changed the password. In our organization, we use some centralized tool to change the global password for all things: AD, Google Apps, Box, etc. So we don't use Ctrl+Alt+Delete to change our passwords.
I remember once I lost an encrypted file because of this - after changing the password with the tool, I just couldn't access them. Probably it is because of some problems with the user's key vault somewhere deep inside the operating system.

Anyway, I went and changed the password back to the previous one using Ctrl+Alt+Delete and HTTPS decryption started working again!
I'm not sure this is a solution for everyone, but hopefully this information will help Eric identify the cause.

EricLaw

Jul 13, 2015, 11:25:33 AM
to httpf...@googlegroups.com
@Andrey-- Yes, this suggests that whatever code your organization uses doesn't properly work with Windows' encryption features, which are used for local data that is encrypted to the user (e.g. EFS, and more specifically, in this case, for the Private Key that corresponds to Fiddler's Root certificate).

The workaround (other than fixing the password tool to migrate data as needed) within Fiddler would be to:

1. Untick "Decrypt HTTPS traffic"
2. Click "Remove Interception certificates"
3. Accept all prompts.
4. Retick "Decrypt HTTPS traffic"
5. Accept all prompts.

Andrey Makhnutin

Jul 13, 2015, 11:36:33 AM
to httpf...@googlegroups.com
@EricLaw Thanks! But it didn't work for some reason. I think I tried doing this both with an old password (when decryption works) and with new several times, but with zero luck.
I checked the Log window and saw an error code there. It was different from Topic Starter's though. It said something lalala "key not valid for use in specified state". I googled the error and found this solution http://answers.microsoft.com/en-us/windows/forum/windows8_1-winapps/key-not-valid-for-use-in-specified-state/b7edbb7d-0d8c-4ac7-bfb8-93805caed4ef?auth=1
Deleting Fiddler's key from C:\Users\<User>\AppData\Roaming\Microsoft\Crypto\RSA did work! And I'm super happy, because I found this a few hours ago and it fixed all things.

Hope this info will help other googlers.

EricLaw

Jul 13, 2015, 5:03:22 PM
to httpf...@googlegroups.com
Hmm.... As far as I know, moving the RSA folder like that has the effect of "losing" all of your private keys, which definitely would resolve the problem, but would have other side effects as well. Of course, if your password change really rendered all of the keys unusable, the point is moot anyway.

Tore Nestenius

Jun 5, 2016, 1:32:20 PM
to Fiddler
This helped me as well when I had the same problem. I just deleted the latest key or two in the C:\Users\<User>\AppData\Roaming\Microsoft\Crypto\RSA\... folder. I had some AD/user issues a week or so ago (Windows 10).
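The logs posted in this thread show two distinct reasons behind the same "Could not find or generate interception certificate" symptom, and a saved copy of Fiddler's Log tab can be sorted by reason before choosing a fix. The following is an added example, not part of any post and not Fiddler's own code; the names `CERT_FAIL`, `KNOWN_REASONS` and `triage` are hypothetical, and the sample log is assembled from lines posted above.

```python
import re
from collections import defaultdict

# Log line format seen in the thread:
#   HH:MM:SS:ffff Fiddler.BCCertMaker> Failed to create certificate for HOST: REASON
CERT_FAIL = re.compile(
    r"^\d{2}:\d{2}:\d{2}:\d{4} Fiddler\.BCCertMaker> "
    r"Failed to create certificate for (?P<host>\S+?): (?P<reason>.+)$"
)

# The two reasons posted in the thread and what the posters reported about them.
KNOWN_REASONS = {
    "The profile for the user is a temporary profile.":
        "reported by the original poster; no resolution was posted",
    "Key not valid for use in specified state.":
        "one poster fixed it by deleting Fiddler's key under "
        r"C:\Users\<User>\AppData\Roaming\Microsoft\Crypto\RSA",
}

# Sample input assembled from log lines posted in the thread.
SAMPLE_LOG = """\
11:11:50:5186 Fiddler ICertificateProvider v1.4.9.4 loaded.
11:12:39:3317 Fiddler.BCCertMaker> Failed to create certificate for 10.70.152.174: The profile for the user is a temporary profile.
   at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
11:12:39:3317 fiddler.https> Failed to obtain certificate for 10.70.152.174 due to Certificate Maker returned null when asked for a certificate for 10.70.152.174
11:12:40:0661 Fiddler.BCCertMaker> Failed to create certificate for 10.70.152.174: The profile for the user is a temporary profile.
11:15:08:9293 Fiddler.BCCertMaker> Failed to create certificate for roaming.officeapps.live.com: Key not valid for use in specified state.
"""

def triage(log_text):
    """Group certificate-generation failures by reason; skip all other lines."""
    groups = defaultdict(lambda: {"hosts": set(), "count": 0})
    for line in log_text.splitlines():
        m = CERT_FAIL.match(line.strip())
        if m is None:
            continue  # stack-trace frames, fiddler.https> echoes, startup lines
        entry = groups[m.group("reason")]
        entry["hosts"].add(m.group("host"))
        entry["count"] += 1
    return {
        reason: {"count": e["count"], "hosts": sorted(e["hosts"]),
                 "note": KNOWN_REASONS.get(reason, "reason not seen in the thread")}
        for reason, e in groups.items()
    }

if __name__ == "__main__":
    for reason, info in triage(SAMPLE_LOG).items():
        print(f"{info['count']}x {reason} hosts={info['hosts']} ({info['note']})")
```

A reason that is absent from `KNOWN_REASONS` is still reported, with a note saying the thread does not cover it.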