No google with Fiddler

[Marc J. Cawood]

Recently I started having problems accessing google.com when Fiddler is capturing. No traffic appears in Fiddler and google just times out after about 30s with "ERR_CONNECTION_REFUSED.

I don't have this problem with any other HTTPS site, just google.com, google.ch.

Browser is Chrome 58 and we do have a corporate proxy and Sophos Web Intelligence is installed but stopped.....

As I understand it Fiddler sets itself as proxy when capturing so the traffic should hit Fiddler first but we only see the CONNECT with status 200 and then no response or other traffic.

Interestingly this site: https://groups.google.com/ works with Fiddler running.

[Eric Lawrence]

Interesting.

The most common cause of things like this would be a Fiddler rule or script interfering with the connection. If you share a SAZ file, I could probably eliminate that as an explanation.

The second most common cause would be a problem with certificate generation (see Fiddler's LOG tab to check)

It is, however, possible that you're encountering something more exotic/fun. Does this problem occur if you use Chrome's Incognito mode?

[Marc J. Cawood]

Pretty sure it's not a rule. From the Log it looks like Google doesn't want to talk to/thru Fiddler...

-= Fiddler Event Log =-

See http://fiddler2.com/r/?FiddlerLog for details.

09:39:25:5149 Fiddler Running...

...

09:39:58:3332 fiddler.network.https> HTTPS handshake to www.google.ch (for #71) failed. System.IO.IOException Authentication failed because the remote party has closed the transport stream.

[Marc J. Cawood]

Same problem in incognito. Though different log:

-= Fiddler Event Log =-

See http://fiddler2.com/r/?FiddlerLog for details.

09:43:39:9002 Fiddler Running...

09:43:39:9083 Windows 8+ AppContainer isolation feature detected.

09:43:41:8790 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance

09:43:41:8830 Assembly 'C:\Users\U29730\AppData\Local\Programs\Fiddler\CertMaker.dll' was not found. Using default Certificate Generator.

09:43:41:9180 /Fiddler.CertMaker> Using .? +? for certificate generation; UseWildcards=True.

09:43:46:3819 Fiddler.Network.ProtocolViolation - [#6] Extra whitespace found in Request Line

09:43:46:3819 !CrackRequestLine returned 'Extra whitespace found in Request Line'.

** ** ** ** ** ** ** ** ** ** ** ** ** ** ** **  CNT 1 CON 267..C

** ** ** ** ** ** ** ** ** ** ** ** ** ** ** **  ontext: 64dd139f

** ** ** ** ** ** ** ** ** ** ** ** ** ** ** **  a9db4a20..Last-M

...

09:43:46:3819 HTTP Pipelining Client detected; 222 bytes of excess data on client socket for Session #7.

09:43:53:3282 fiddler.network.https> HTTPS handshake to www.google.ch (for #4) failed. System.IO.IOException Authentication failed because the remote party has closed the transport stream.

09:44:03:4307 fiddler.network.https> HTTPS handshake to www.google.ch (for #8) failed. System.IO.IOException Authentication failed because the remote party has closed the transport stream.

09:44:05:0864 HTTPSLint> Warning: ClientHello record was 509 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance

[Eric Lawrence]

#interesting.

Inside Tools > Fiddler Options > HTTPS, what tokens are in the Protocols list?

There shouldn't really be anything special about Google here and I use Google sites through Fiddler regularly.

(The thing I was thinking might be the culprit here cannot be, because you're seeing handshake failures which occur before Chrome even has a chance to see the cookies).

[Marc J. Cawood]

<client>;ssl3;tls1.0

[Eric Lawrence]

Hmm... interesting. If you add tls1.2 to that list and restart, is there any change?

If not, I'm afraid that it will be hard to debug this without a packet capture (Wireshark or Netmon) would be pretty hard. To confirm, do you see this if you send a request directly to https://google.com/ via the Composer?

[Marc J. Cawood]

This really is a case for Sherlock Holmes.

Adding tls1.2 did not really help - it's kind of erratic but basically it doesn't work.

My feeling is it has something to do with Geolocation: google.com automagically redirects to google.ch here in Switzerland.

So, if I visit: https://www.google.com/?gfe_rd=cr&dcr=0&gws_rd=cr&fg=1 I am able to search. However Google Groups is not working properly with Fiddler capturing.

Lots of error messages in the Log:

10:02:55:2240 fiddler.network.https> HTTPS handshake to www.googleapis.com (for #93) failed. System.IO.IOException Authentication failed because the remote party has closed the transport stream.

08:11:33:4159 Assembly 'C:\Users\U29730\AppData\Local\Programs\Fiddler\CertMaker.dll' was not found. Using default Certificate Generator.

08:12:08:4240 fiddler.network.https> HTTPS handshake to www.google.ch (for #7) failed. System.Security.Authentication.AuthenticationException A call to SSPI failed, see inner exception. < The message received was unexpected or badly formatted

08:12:08:4240 fiddler.network.https> HTTPS handshake to www.google.ch (for #7) failed. System.Security.Authentication.AuthenticationException A call to SSPI failed, see inner exception. < The message received was unexpected or badly formatted

Win32 (SChannel) Native Error Code: 0x80090326

08:12:18:1132 fiddler.network.https> HTTPS handshake to ssl.gstatic.com (for #8) failed. System.IO.IOException Authentication failed because the remote party has closed the transport stream.

08:12:18:5441 fiddler.network.https> HTTPS handshake to www.gstatic.com (for #14) failed. System.IO.IOException Authentication failed because the remote party has closed the transport stream.

08:12:23:2582 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance

08:12:24:1759 [Fiddler] No HTTPS request was received from (explorer:15272) new client socket, port 53376.

08:12:27:0975 NetworkAddressChanged.

08:12:28:1784 fiddler.network.https> HTTPS handshake to ssl.gstatic.com (for #17) failed. System.IO.IOException Authentication failed because the remote party has closed the transport stream.

08:12:28:5768 fiddler.network.https> HTTPS handshake to www.gstatic.com (for #18) failed. System.IO.IOException Authentication failed because the remote party has closed the transport stream.

08:12:29:1612 NetworkAddressChanged.

[Eric Lawrence]

Geolocation itself isn't the root cause of the issue; the HTTPS handshake happens well away from that. I have no problem talking to www.google.ch via HTTPS.

The message The message received was unexpected or badly formatted is indicative of a lower-level problem inside the Windows SChannel APIs; a Wireshark/NetMon/MessageAnalyzer capture would be the best way to look. 

Which version of Windows was this again? And you're sure that the AV interception stuff is fully disabled?

[Marc J. Cawood]

It's Win10 64bit and SWI is off (though Sophos isn't).

When I call https://google.ch/search?q=test I get no connection though I see a bunch of "CONNECT google.ch:443 HTTP/1.1" with status 200 in the sessions list.

Could it bee that I need to clear the Certs Fiddler is re-using?

-= Fiddler Event Log =-

11:08:27:3117 fiddler.network.https> HTTPS handshake to csi.gstatic.com (for #7) failed. System.IO.IOException Authentication failed because the remote party has closed the transport stream.

11:08:37:4428 fiddler.network.https> HTTPS handshake to csi.gstatic.com (for #1) failed. System.IO.IOException Authentication failed because the remote party has closed the transport stream.

11:08:41:4286 /Fiddler.CertMaker> Invoking CertEnroll for Subject: CN=google.ch, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com; Thread's ApartmentState: MTA

11:08:41:4286 /Fiddler.CertMaker> Reusing PrivateKey for 'google.ch'

11:08:41:6978 /Fiddler.CertMaker> Finished CertEnroll for 'CN=google.ch, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com'. Returning cert

11:08:41:6978 /Fiddler.CertMaker>29 A racing thread already successfully CreatedCert(google.ch)

11:08:51:2880 fiddler.network.https> HTTPS handshake to google.ch (for #3) failed. System.IO.IOException Authentication failed because the remote party has closed the transport stream.

11:08:51:2920 fiddler.network.https> HTTPS handshake to google.ch (for #2) failed. System.IO.IOException Authentication failed because the remote party has closed the transport stream.

11:09:01:4240 fiddler.network.https> HTTPS handshake to google.ch (for #4) failed. System.IO.IOException Authentication failed because the remote party has closed the transport stream.

11:09:11:6865 fiddler.network.https> HTTPS handshake to google.ch (for #5) failed. System.IO.IOException Authentication failed because the remote party has closed the transport stream.

[Eric Lawrence]

> When I call https://google.ch/search?q=test I get no connection though I see a 

> bunch of "CONNECT google.ch:443 HTTP/1.1" with status 200 in the sessions list.

> Could it bee that I need to clear the Certs Fiddler is re-using?

If you're using Fiddler's Composer, then Fiddler's certificates don't come into play at all. 

The CONNECT tunnels you see when you use the Composer are when Fiddler is talking to your Corporate Proxy. Does your environment require all traffic to go through that proxy? If not, it would be interesting to turn off chaining to the upstream Gateway in Fiddler to see if the problem goes away.