No google with Fiddler

308 views
Skip to first unread message

Marc J. Cawood

unread,
Sep 20, 2017, 3:59:46 AM9/20/17
to Fiddler
Recently I started having problems accessing google.com when Fiddler is capturing. No traffic appears in Fiddler and google just times out after about 30s with "ERR_CONNECTION_REFUSED.

I don't have this problem with any other HTTPS site, just google.com, google.ch.

Browser is Chrome 58 and we do have a corporate proxy and Sophos Web Intelligence is installed but stopped.....

As I understand it Fiddler sets itself as proxy when capturing so the traffic should hit Fiddler first but we only see the CONNECT with status 200 and then no response or other traffic.

Interestingly this site: https://groups.google.com/ works with Fiddler running.
google.png

Eric Lawrence

unread,
Sep 23, 2017, 2:00:45 PM9/23/17
to Fiddler
Interesting.

The most common cause of things like this would be a Fiddler rule or script interfering with the connection. If you share a SAZ file, I could probably eliminate that as an explanation.

The second most common cause would be a problem with certificate generation (see Fiddler's LOG tab to check)

It is, however, possible that you're encountering something more exotic/fun. Does this problem occur if you use Chrome's Incognito mode?

Marc J. Cawood

unread,
Sep 25, 2017, 3:43:21 AM9/25/17
to Fiddler
Pretty sure it's not a rule. From the Log it looks like Google doesn't want to talk to/thru Fiddler...

-= Fiddler Event Log =-

09:39:25:5149 Fiddler Running...
...
09:39:58:3332 fiddler.network.https> HTTPS handshake to www.google.ch (for #71) failed. System.IO.IOException Authentication failed because the remote party has closed the transport stream.

Marc J. Cawood

unread,
Sep 25, 2017, 3:46:11 AM9/25/17
to Fiddler
Same problem in incognito. Though different log:

-= Fiddler Event Log =-

09:43:39:9002 Fiddler Running...
09:43:39:9083 Windows 8+ AppContainer isolation feature detected.
09:43:41:8790 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
09:43:41:8830 Assembly 'C:\Users\U29730\AppData\Local\Programs\Fiddler\CertMaker.dll' was not found. Using default Certificate Generator.
09:43:41:9180 /Fiddler.CertMaker> Using .? +? for certificate generation; UseWildcards=True.
09:43:46:3819 Fiddler.Network.ProtocolViolation - [#6] Extra whitespace found in Request Line
09:43:46:3819 !CrackRequestLine returned 'Extra whitespace found in Request Line'.
** ** ** ** ** ** ** ** ** ** ** ** ** ** ** **  CNT 1 CON 267..C
** ** ** ** ** ** ** ** ** ** ** ** ** ** ** **  ontext: 64dd139f
** ** ** ** ** ** ** ** ** ** ** ** ** ** ** **  a9db4a20..Last-M
...

09:43:46:3819 HTTP Pipelining Client detected; 222 bytes of excess data on client socket for Session #7.
09:43:53:3282 fiddler.network.https> HTTPS handshake to www.google.ch (for #4) failed. System.IO.IOException Authentication failed because the remote party has closed the transport stream.


09:44:03:4307 fiddler.network.https> HTTPS handshake to www.google.ch (for #8) failed. System.IO.IOException Authentication failed because the remote party has closed the transport stream.


09:44:05:0864 HTTPSLint> Warning: ClientHello record was 509 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance

Eric Lawrence

unread,
Sep 25, 2017, 4:15:54 PM9/25/17
to Fiddler
#interesting.

Inside Tools > Fiddler Options > HTTPS, what tokens are in the Protocols list?

There shouldn't really be anything special about Google here and I use Google sites through Fiddler regularly.

(The thing I was thinking might be the culprit here cannot be, because you're seeing handshake failures which occur before Chrome even has a chance to see the cookies).

Marc J. Cawood

unread,
Sep 26, 2017, 5:01:07 AM9/26/17
to Fiddler
<client>;ssl3;tls1.0

Eric Lawrence

unread,
Sep 27, 2017, 12:28:26 PM9/27/17
to Fiddler
Hmm... interesting. If you add tls1.2 to that list and restart, is there any change?

If not, I'm afraid that it will be hard to debug this without a packet capture (Wireshark or Netmon) would be pretty hard. To confirm, do you see this if you send a request directly to https://google.com/ via the Composer?

Marc J. Cawood

unread,
Sep 28, 2017, 4:10:25 AM9/28/17
to Fiddler
This really is a case for Sherlock Holmes.
Adding tls1.2 did not really help - it's kind of erratic but basically it doesn't work.

My feeling is it has something to do with Geolocation: google.com automagically redirects to google.ch here in Switzerland.

So, if I visit: https://www.google.com/?gfe_rd=cr&dcr=0&gws_rd=cr&fg=1 I am able to search. However Google Groups is not working properly with Fiddler capturing.

Lots of error messages in the Log:

10:02:55:2240 fiddler.network.https> HTTPS handshake to www.googleapis.com (for #93) failed. System.IO.IOException Authentication failed because the remote party has closed the transport stream.


08:11:33:4159 Assembly 'C:\Users\U29730\AppData\Local\Programs\Fiddler\CertMaker.dll' was not found. Using default Certificate Generator.


08:12:08:4240 fiddler.network.https> HTTPS handshake to www.google.ch (for #7) failed. System.Security.Authentication.AuthenticationException A call to SSPI failed, see inner exception. < The message received was unexpected or badly formatted



08:12:08:4240 fiddler.network.https> HTTPS handshake to www.google.ch (for #7) failed. System.Security.Authentication.AuthenticationException A call to SSPI failed, see inner exception. < The message received was unexpected or badly formatted

Win32 (SChannel) Native Error Code: 0x80090326
08:12:18:1132 fiddler.network.https> HTTPS handshake to ssl.gstatic.com (for #8) failed. System.IO.IOException Authentication failed because the remote party has closed the transport stream.


08:12:18:5441 fiddler.network.https> HTTPS handshake to www.gstatic.com (for #14) failed. System.IO.IOException Authentication failed because the remote party has closed the transport stream.


08:12:23:2582 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
08:12:24:1759 [Fiddler] No HTTPS request was received from (explorer:15272) new client socket, port 53376.
08:12:27:0975 NetworkAddressChanged.
08:12:28:1784 fiddler.network.https> HTTPS handshake to ssl.gstatic.com (for #17) failed. System.IO.IOException Authentication failed because the remote party has closed the transport stream.


08:12:28:5768 fiddler.network.https> HTTPS handshake to www.gstatic.com (for #18) failed. System.IO.IOException Authentication failed because the remote party has closed the transport stream.


08:12:29:1612 NetworkAddressChanged.

Eric Lawrence

unread,
Sep 28, 2017, 4:19:50 PM9/28/17
to Fiddler
Geolocation itself isn't the root cause of the issue; the HTTPS handshake happens well away from that. I have no problem talking to www.google.ch via HTTPS.

The message The message received was unexpected or badly formatted is indicative of a lower-level problem inside the Windows SChannel APIs; a Wireshark/NetMon/MessageAnalyzer capture would be the best way to look. 

Which version of Windows was this again? And you're sure that the AV interception stuff is fully disabled?


Marc J. Cawood

unread,
Sep 29, 2017, 5:11:04 AM9/29/17
to Fiddler
It's Win10 64bit and SWI is off (though Sophos isn't).

When I call https://google.ch/search?q=test I get no connection though I see a bunch of "CONNECT google.ch:443 HTTP/1.1" with status 200 in the sessions list.

Could it bee that I need to clear the Certs Fiddler is re-using?



-= Fiddler Event Log =-

11:08:27:3117 fiddler.network.https> HTTPS handshake to csi.gstatic.com (for #7) failed. System.IO.IOException Authentication failed because the remote party has closed the transport stream.


11:08:37:4428 fiddler.network.https> HTTPS handshake to csi.gstatic.com (for #1) failed. System.IO.IOException Authentication failed because the remote party has closed the transport stream.


11:08:41:4286 /Fiddler.CertMaker> Invoking CertEnroll for Subject: CN=google.ch, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com; Thread's ApartmentState: MTA
11:08:41:4286 /Fiddler.CertMaker> Reusing PrivateKey for 'google.ch'
11:08:41:6978 /Fiddler.CertMaker> Finished CertEnroll for 'CN=google.ch, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com'. Returning cert
11:08:41:6978 /Fiddler.CertMaker>29 A racing thread already successfully CreatedCert(google.ch)
11:08:51:2880 fiddler.network.https> HTTPS handshake to google.ch (for #3) failed. System.IO.IOException Authentication failed because the remote party has closed the transport stream.


11:08:51:2920 fiddler.network.https> HTTPS handshake to google.ch (for #2) failed. System.IO.IOException Authentication failed because the remote party has closed the transport stream.


11:09:01:4240 fiddler.network.https> HTTPS handshake to google.ch (for #4) failed. System.IO.IOException Authentication failed because the remote party has closed the transport stream.


11:09:11:6865 fiddler.network.https> HTTPS handshake to google.ch (for #5) failed. System.IO.IOException Authentication failed because the remote party has closed the transport stream.


Eric Lawrence

unread,
Sep 29, 2017, 1:12:32 PM9/29/17
to Fiddler
> When I call https://google.ch/search?q=test I get no connection though I see a 
> bunch of "CONNECT google.ch:443 HTTP/1.1" with status 200 in the sessions list.
> Could it bee that I need to clear the Certs Fiddler is re-using?

If you're using Fiddler's Composer, then Fiddler's certificates don't come into play at all. 

The CONNECT tunnels you see when you use the Composer are when Fiddler is talking to your Corporate Proxy. Does your environment require all traffic to go through that proxy? If not, it would be interesting to turn off chaining to the upstream Gateway in Fiddler to see if the problem goes away.

ALIM MUSARAJ

unread,
Dec 19, 2023, 3:36:16 PM12/19/23
to Fiddler

MT103/202 DIRECT WIRE TRANSFER
PAYPAL TRANSFER
CASHAPP TRANSFER
ZELLE TRANSFER
TRANSFER WISE
WESTERN UNION TRANSFER
BITCOIN FLASHING
BANK ACCOUNT LOADING/FLASHING
IBAN TO IBAN TRANSFER
MONEYGRAM TRANSFER
IPIP/DTC
SLBC PROVIDER
CREDIT CARD TOP UP
DUMPS/ PINS
SEPA TRANSFER
WIRE TRANSFER
BITCOIN TOP UP
GLOBALPAY INC US
SKRILL USA
UNIONPAY RECEIVER

Thanks.


NOTE; ONLY SERIOUS / RELIABLE RECEIVERS CAN CONTACT.

DM ME ON WHATSAPP
+44 7405 896213
Reply all
Reply to author
Forward
0 new messages