issue decrypting traffic X-NO-DECRYPT: PeekYieldedUnknownProtocol


Roger Payne

May 11, 2017, 10:47:56 AM
to Fiddler
Having an issue with decrypting some traffic. I can send a SAZ file to an email, but I don't want to post it online.

This is a CONNECT tunnel, through which encrypted HTTPS traffic flows.
Fiddler's HTTPS Decryption feature is enabled, but this specific tunnel was configured not to be decrypted.  Session Flag 'X-No-Decrypt' was set to: 'PeekYieldedUnknownProtocol'.

A SSLv3-compatible ServerHello handshake was found. Fiddler extracted the parameters below.

Version: 3.1 (TLS/1.0)
SessionID: E5 67 67 26 0C 9A 79 4A 88 CE CC 9D 4B 0E 8E 0D
Random: 59 14 75 79 EF DE 25 12 14 2F A2 B7 8F 3E C0 82 8C E6 B0 4D F4 06 DA C3 A0 1F 84 18 AF F8 7C 56
Cipher: TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA [0xC014]
CompressionSuite: NO_COMPRESSION [0x00]
Extensions:
ec_point_formats uncompressed [0x0], ansiX962_compressed_prime [0x1], ansiX962_compressed_char2  [0x2]
server_name empty
renegotiation_info 00

SESSION STATE: Done.
Request Entity Size: 80 bytes.
Response Entity Size: 790 bytes.

== FLAGS ==================
BitFlags: [ResponseGeneratedByFiddler, IsBlindTunnel] 0x1100
HTTPS-SERVER-CIPHER: TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA
HTTPS-SERVER-SESSIONID: E5 67 67 26 0C 9A 79 4A 88 CE CC 9D 4B 0E 8E 0D
X-CLIENTIP: 10.231.168.224
X-CLIENTPORT: 40405
X-CONNECT-PEEK: 43-4F-4E-4E-45-43-54-20-75-6E-6B-6E-6F-77-6E-3A
X-EGRESSPORT: 59116
X-HOSTIP: xxx.xxx.xxx.xxx
X-NO-DECRYPT: PeekYieldedUnknownProtocol
X-RESPONSEBODYTRANSFERLENGTH: 0

== TIMING INFO ============
ClientConnected: 11:30:16.573
ClientBeginRequest: 11:30:16.599
GotRequestHeaders: 11:30:16.599
ClientDoneRequest: 11:30:16.599
Determine Gateway: 0ms
DNS Lookup: 0ms
TCP/IP Connect: 98ms
HTTPS Handshake: 0ms
ServerConnected: 11:30:16.698
FiddlerBeginRequest: 11:30:16.698
ServerGotRequest: 11:30:16.698
ServerBeginResponse: 00:00:00.000
GotResponseHeaders: 00:00:00.000
ServerDoneResponse: 11:30:38.148
ClientBeginResponse: 11:30:38.148
ClientDoneResponse: 11:30:38.148

Overall Elapsed: 0:00:21.549

The response was buffered before delivery to the client.

== WININET CACHE INFO ============
This URL is not present in the WinINET cache. [Code: 2]
* Note: Data above shows WinINET's current cache state, not the state at the time of the request.
* Note: Data above shows WinINET's Medium Integrity (non-Protected Mode) cache only.

Roger Payne

May 11, 2017, 11:09:20 AM
to Fiddler
Forgot to post the Fiddler Log tab.

11:46:17:7827 Fiddler Running...
11:46:17:7837 Setting upstream gateway to none
11:46:17:7837 CertInspector Checking for updates to FiddlerCert Inspector.
11:46:17:7837 CertInspector Latest version detected: v1.0.9.0
11:46:17:8686 Windows 8+ AppContainer isolation feature detected.
11:46:19:3436 FiddlerCert Inspector: Current version is 1.0.9.0, latest version is 1.0.9.0.
11:46:24:0645 FiddlerCert Inspector: Current version is 1.0.9.0, latest version is 1.0.9.0.
11:47:07:5333 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
11:52:02:8318 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
11:52:27:2750 Fiddler ICertificateProvider v1.5.1.1 loaded.
fiddler.certmaker.bc.Debug: False
ObjectID: 0x3bd5037
11:59:09:1536 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
12:02:08:4666 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
12:02:15:8668 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
12:07:15:8503 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance

Eric Lawrence

May 11, 2017, 12:21:44 PM
to Fiddler
"PeekYieldedUnknownProtocol" means that the raw bytes first sent through the CONNECT tunnel did not represent an HTTPS ClientHello handshake, so Fiddler decided that maybe it was some other sort of traffic that was just using a CONNECT tunnel for its own needs. That would happen if you used FTP through a CONNECT tunnel, for instance. Feel free to email me a SAZ file ( bayden @ gmail ) and I'll have a look.
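The check Eric describes can be reproduced offline against the X-CONNECT-PEEK flag that Fiddler records in the session (the flag value in the first post above). The script below is an added example written for this thread, not Fiddler's own code: it decodes the dash-separated hex of X-CONNECT-PEEK and reports whether the bytes start a TLS (SSLv3+) ClientHello record, an SSLv2-compatible ClientHello, a plaintext HTTP request line, or something else. The record-layout checks and the HTTP-method table are my assumptions about what a "does this look like a ClientHello" test needs; the TLS sample bytes are constructed. Run on the peek value from the first post, the bytes decode to the ASCII text `CONNECT unknown:`, a plaintext request line rather than a TLS record, which is consistent with the flag being set.

```python
# Added example (not Fiddler's code): decode and classify the first bytes a client
# sent through a CONNECT tunnel, as recorded in Fiddler's X-CONNECT-PEEK flag.

TLS_HANDSHAKE_RECORD = 0x16   # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01       # handshake message type: ClientHello
# Assumption: a plaintext peek starting with one of these tokens is an HTTP request line.
HTTP_METHODS = {"GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "CONNECT", "PATCH", "TRACE"}

# Peek value copied from the session posted in this thread.
PAGE_PEEK = "43-4F-4E-4E-45-43-54-20-75-6E-6B-6E-6F-77-6E-3A"
# Constructed sample: first 11 bytes of a ClientHello (record version 3.1, client version 3.3).
SAMPLE_TLS_PEEK = "16-03-01-00-A5-01-00-00-A1-03-03"


def parse_connect_peek(flag_value: str) -> bytes:
    """Convert Fiddler's dash-separated hex flag text ("43-4F-...") into raw bytes."""
    return bytes(int(part, 16) for part in flag_value.strip().split("-") if part)


def tls_client_hello_version(peek: bytes):
    """Return (major, minor) of the record version if the bytes start a TLS/SSLv3
    ClientHello, else None. Layout checked: content type (1), version (2),
    record length (2), then the handshake message type (1)."""
    if len(peek) < 6 or peek[0] != TLS_HANDSHAKE_RECORD or peek[1] != 0x03:
        return None
    if peek[5] != TLS_CLIENT_HELLO:
        return None
    return (peek[1], peek[2])


def is_sslv2_compat_client_hello(peek: bytes) -> bool:
    """SSLv2-style ClientHello (still emitted by some old clients): a 2-byte record
    header with the high bit set, then message type 0x01 and version 0x03 0x0N."""
    return len(peek) >= 5 and (peek[0] & 0x80) != 0 and peek[2] == 0x01 and peek[3] == 0x03


def classify_peek(flag_value: str) -> dict:
    """Classify a peek the way the thread describes: a ClientHello is something Fiddler
    can decrypt; anything else is decoded so the operator can see what the client sent."""
    peek = parse_connect_peek(flag_value)
    version = tls_client_hello_version(peek)
    if version is not None:
        return {"kind": "tls-client-hello",
                "record_version": f"{version[0]}.{version[1]}", "text": None}
    if is_sslv2_compat_client_hello(peek):
        return {"kind": "sslv2-compat-client-hello", "record_version": None, "text": None}
    if peek and all(0x20 <= b < 0x7F for b in peek):
        text = peek.decode("ascii")
        kind = "plaintext-http" if text.split(" ", 1)[0] in HTTP_METHODS else "plaintext"
        return {"kind": kind, "record_version": None, "text": text}
    return {"kind": "unknown-binary", "record_version": None, "text": None}


if __name__ == "__main__":
    for label, value in (("page session", PAGE_PEEK), ("constructed TLS", SAMPLE_TLS_PEEK)):
        print(label, classify_peek(value))
```

When the result is anything other than a ClientHello, the decoded `text` field tells you what the client actually pushed through the tunnel first, which is the information you need to decide whether the "not decrypted" outcome is expected for that client or worth chasing.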