Unable to decrypt HTTPS traffic


ManoAnto

Apr 25, 2014, 8:58:21 AM
to httpf...@googlegroups.com
Hi, 

For the last two days my Fiddler has not been decrypting HTTPS traffic (on the local machine as well as remote machines). It was working fine and all of a sudden I see only the "tunnel to" entry in Web Requests for HTTPS traffic.

I tried reinstalling Fiddler and Cert Maker for iOS/Android and enabled HTTPS decryption.

I was using Fiddler4 when it worked fine, then I tried reinstalling Fiddler2 and also Fiddler4, but no luck.

I'm seeing the error below in the Log tab.

13:50:28:1521 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
13:50:28:1751 Fiddler.BCCertMaker> Failed to create certificate for www.google.co.uk: An internal error occurred.

   at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
   at BCCertMaker.BCCertMaker.ConvertBCPrivateKeyToDotNet(RsaPrivateCrtKeyParameters bcPVK, String sKeyName)
   at BCCertMaker.BCCertMaker.CreateCertificateFromCA(String sCN, X509Certificate caCert, AsymmetricKeyParameter caKey)
   at BCCertMaker.BCCertMaker.MakeNewCert(String sHostname)
13:50:28:1751 fiddler.https> Failed to obtain certificate for www.google.co.uk due to Certificate Maker returned null when asked for a certificate for www.google.co.uk


Here is the text from TextView tab:

This is a CONNECT tunnel, through which encrypted HTTPS traffic flows.
Fiddler's HTTPS Decryption feature is enabled, but this specific tunnel was configured not to be decrypted. Settings can be found inside Tools > Fiddler Options > HTTPS.

A SSLv3-compatible ServerHello handshake was found. Fiddler extracted the parameters below.

Version: 3.3 (TLS/1.2)
SessionID: XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
Random: XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
Cipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 [0xCC13]
CompressionSuite: NO_COMPRESSION [0x00]
Extensions:
renegotiation_info 00
channel_id(GoogleDraft) empty
ALPN spdy/3.1; 



I'm not a very technical guy, so any simple steps to follow would be really appreciated.

Thanks in advance for looking into this.

Cheers!

EricLaw

Apr 25, 2014, 2:43:07 PM
to httpf...@googlegroups.com
The error message in question indicates that the Windows Crypto APIs are failing to store the private key of the certificate.



ManoAnto

Apr 28, 2014, 5:00:30 AM
to httpf...@googlegroups.com
Thanks a lot EricLaw. 
You spotted the issue. When I removed the Fiddler file, it worked perfectly. :)

George Ioakimedes

Apr 28, 2014, 8:35:38 PM
to httpf...@googlegroups.com
I'm having a similar problem. When I have Fiddler open and try to open an HTTPS site, the site fails to load and I see this in the log:

-= Fiddler Event Log =-

17:31:18:1252 Fiddler Running...
17:31:30:9590 !SecureClientPipeDirect failed: System.ComponentModel.Win32Exception The credentials supplied to the package were not recognized on pipe to (CN=groups.google.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com)
17:31:31:0080 !SecureClientPipeDirect failed: System.ComponentModel.Win32Exception The credentials supplied to the package were not recognized on pipe to (CN=groups.google.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com)
17:31:31:0590 !SecureClientPipeDirect failed: System.ComponentModel.Win32Exception The credentials supplied to the package were not recognized on pipe to (CN=groups.google.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com)
17:31:31:1070 !SecureClientPipeDirect failed: System.ComponentModel.Win32Exception The credentials supplied to the package were not recognized on pipe to (CN=groups.google.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com)
17:31:44:7268 fiddler.network.https> HTTPS handshake to XXXXXXXX.com failed. System.IO.IOException Received an unexpected EOF or 0 bytes from the transport stream.

17:32:02:0187 !SecureClientPipeDirect failed: System.ComponentModel.Win32Exception The credentials supplied to the package were not recognized on pipe to (CN=groups.google.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com)
17:32:02:1338 !SecureClientPipeDirect failed: System.ComponentModel.Win32Exception The credentials supplied to the package were not recognized on pipe to (CN=groups.google.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com)
17:32:02:1828 !SecureClientPipeDirect failed: System.ComponentModel.Win32Exception The credentials supplied to the package were not recognized on pipe to (CN=groups.google.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com)
17:32:02:2558 !SecureClientPipeDirect failed: System.ComponentModel.Win32Exception The credentials supplied to the package were not recognized on pipe to (CN=groups.google.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com)

I deleted the files mentioned in that other post but that didn't seem to fix my problem.

Does anyone have any other ideas?

EricLaw

Apr 29, 2014, 2:00:01 PM
to httpf...@googlegroups.com
Hi, George-- Your issue is unrelated.

Your issue typically occurs when a 3rd party encryption package (typically Entrust) is installed: https://groups.google.com/forum/#!searchin/httpfiddler/entrust/httpfiddler/sb4eK2_PYQY/Q0aznayfmyMJ
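
A triage helper for the two log signatures diagnosed in this thread, added here as an example (it is not part of any post and is not Fiddler code). The diagnosis labels and function names are made up for illustration, and the sample log is constructed by abridging the log lines quoted above.

```python
import re
from collections import Counter

# Constructed sample, abridged from the two logs quoted in this thread.
SAMPLE_LOG = """\
13:50:28:1521 HTTPSLint> Warning: ClientHello record was 508 bytes long.
13:50:28:1751 Fiddler.BCCertMaker> Failed to create certificate for www.google.co.uk: An internal error occurred.

   at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   at BCCertMaker.BCCertMaker.MakeNewCert(String sHostname)
13:50:28:1751 fiddler.https> Failed to obtain certificate for www.google.co.uk due to Certificate Maker returned null
17:31:30:9590 !SecureClientPipeDirect failed: System.ComponentModel.Win32Exception The credentials supplied to the package were not recognized on pipe to (CN=groups.google.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com)
17:31:31:0080 !SecureClientPipeDirect failed: System.ComponentModel.Win32Exception The credentials supplied to the package were not recognized on pipe to (CN=groups.google.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com)
"""

ENTRY = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{4} (.*)$")
CERT_FAIL = re.compile(r"BCCertMaker> Failed to create certificate for (\S+):")
PIPE_FAIL = re.compile(r"SecureClientPipeDirect failed:.*credentials supplied to the "
                       r"package were not recognized.*\(CN=([^,)]+)")

def parse_entries(text):
    """Group each timestamped line with the stack frames that follow it."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append({"msg": m.group(1), "frames": []})
        elif entries and line.strip().startswith("at "):
            entries[-1]["frames"].append(line.strip())
    return entries

def triage(text):
    """Count (diagnosis, host) pairs for the two failures discussed in the thread."""
    found = Counter()
    for e in parse_entries(text):
        cert, pipe = CERT_FAIL.search(e["msg"]), PIPE_FAIL.search(e["msg"])
        # Cert creation dying in CreateProvHandle: Windows failed to store the private key.
        if cert and any("CreateProvHandle" in f for f in e["frames"]):
            found[("private_key_store_failure", cert.group(1))] += 1
        # "Credentials ... not recognized": typically a third-party encryption package.
        elif pipe:
            found[("credentials_not_recognized", pipe.group(1))] += 1
    return found

if __name__ == "__main__":
    for (diagnosis, host), n in triage(SAMPLE_LOG).items():
        print(f"{diagnosis}: {host} x{n}")
```

The HTTPSLint warning and the follow-on "Failed to obtain certificate" line are deliberately left unclassified: the first is only a warning and the second is a consequence of the certificate creation failure already counted.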