Fiddler Root Cert on Android

[Alessandro Ballini]

Hello,

I have installed the Fiddler Root Certificate on my iPhone and everything works fine with HTTPS.

I also have an Android 2.3.6 and I can't seem to be able to have the Fiddler cert work for HTTPS. I have tried to install it from the "Install from storage" entry of the menu and it doesn't seem to recognise the cert that is on the SD. I also installed an app named "Certificate Installer" and it's not installing the certificate ("No certificate to install").

I have managed to install the certificate going with the brower to http://localhost:8888 and I have enabled the use of personal certificates on Android, on the phone settings.

Anyway, even in this case, if I go to a HTTPS site with Fiddler enabled, the browser complains about the certificate authenticity and if I try an app that is using HTTPS, it breaks.

Is anybody able to help?

Thanks in advance

[EricLaw]

Without more details, it will be difficult to help you.

What is the exact message shown by the browser?

Have you installed the Fiddler Certificate Generation plugin?

[Alessandro Ballini]

I have installed the CertMaker plugin, the same certificate works fine when installed on the iPhone.

The Android default browser states something like (I am translating from Italian): "Problems with the security certificate of this site: the name of this site does not match with with name on the certificate".

The app I should debug does not work, it only crashes logging some error about the SSL.

[EricLaw]

How are you configuring the Android device to proxy its traffic?

[Alessandro Ballini]

Yes, I'm using ProxyDroid and, when the browser complains about the certificate not matching the URL, I have a button to "View certificate" and I can see the certificate is the Fiddler's one.

Anyway if I have installed the Fiddler root certificate from the link on the page http://XXX:8888, I expect it to be trusted, no matter which site I browse.

The matter is: I clicked on the link to install the Fiddler certificate and it said "installed", but I have no way on Android to see the list of trusted certificates, so I'm not sure that operation went very well. I think the Fiddler certificate is not being correctly installed/accepted/trusted on Android.

[EricLaw]

>I expect it to be trusted, no matter which site I browse

That expectation reflects a misunderstanding of how certificates are used.

When you say "is the Fiddler's one" what exactly do you mean by that? Fiddler generates a new certificate for every single site you visit.

What exactly (send a screenshot of the Request HEADERS inspector) does the CONNECT coming from the client look like in Fiddler?

[Alessandro Ballini]

When I click "view certificate" it says "DO NOT TRUST Fiddler bla bla bla"

[Alessandro Ballini]

I will send the connect tomorrow.

[EricLaw]

All of the exact text is what I'm looking for.

[Alessandro Ballini]

I tried visiting a bank website which homepage goes over HTTPS with the default "Internet" browser.

Request:

CONNECT 194.149.233.101:443 HTTP/1.0

Host: 194.149.233.101:443

A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below.

Version: 3.1 (TLS/1.0)

Random: 54 20 B1 DE 2D D0 CA 13 3E 29 78 0F F1 C9 D8 DD 72 3A 81 3E AA E1 98 3D 8E BC EF 65 F9 1A 2B F7

"Time": 23/05/2088 13:28:20

SessionID: empty

Extensions: 

none

Ciphers: 

[0004] SSL_RSA_WITH_RC4_128_MD5

[0005] SSL_RSA_WITH_RC4_128_SHA

[002F] TLS_RSA_AES_128_SHA

[0033] TLS_DHE_RSA_WITH_AES_128_SHA

[0032] TLS_DHE_DSS_WITH_AES_128_SHA

[000A] SSL_RSA_WITH_3DES_EDE_SHA

[0016] SSL_DHE_RSA_WITH_3DES_EDE_SHA

[0013] SSL_DHE_DSS_WITH_3DES_EDE_SHA

[0009] SSL_RSA_WITH_DES_SHA

[0015] SSL_DHE_RSA_WITH_DES_SHA

[0012] SSL_DHE_DSS_WITH_DES_SHA

[0003] SSL_RSA_EXPORT_WITH_RC4_40_MD5

[0008] SSL_RSA_EXPORT_WITH_DES40_SHA

[0014] SSL_DHE_RSA_EXPORT_WITH_DES40_SHA

[0011] SSL_DHE_DSS_EXPORT_WITH_DES40_SHA

[00FF] TLS_EMPTY_RENEGOTIATION_INFO_SCSV

Compression: 

[00] NO_COMPRESSION

Response:

HTTP/1.0 200 Connection Established

FiddlerGateway: Direct

StartTime: 18:04:27.016

Connection: close

Encrypted HTTPS traffic flows through this CONNECT tunnel. HTTPS Decryption is enabled in Fiddler, so decrypted sessions running in this tunnel will be shown in the Web Sessions list.

Secure Protocol: Tls

Cipher: Rc4 128bits

Hash Algorithm: Sha1 160bits

Key Exchange: RsaKeyX 2048bits

== Server Certificate ==========

[Subject]

  CN=msite.unicredit.it, OU=Unicredit Business Integrated Solutions, O=Unicredit S.p.A., L=Milano, S=Milano, C=IT

[Issuer]

  CN=UniCredit Subordinate External, O=UniCredit S.p.A., C=IT

[Serial Number]

  4E0967CF000000000582

[Not Before]

  25/09/2014 17:30:23

[Not After]

  25/09/2015 17:30:23

[Thumbprint]

  C7E3A19D7442104ACE04C09B8B6CE649C680B140

Behaviour on the phone:

Security warning

There are problems with the security certificate of this site.

The name of this site does not match with the name on the certificate.

View certificate button ->

Released to:

Common name: 194.149.233.101

Organisation: DO_NOT_TRUST_BC

Organisation OU: Created by http://www.fiddler2.com

Released by:

Common name: DO_NOT_TRUST_FiddlerRoot

Organisation: DO_NOT_TRUST_BC

Organisation OU: Created by http://www.fiddler2.com

Released on the 20/09/2014

Expiring on the 27/09/2024

If I hit the "Continue" button, the website is displayed and I can see the traffic on Fiddler.

Anyway, what I am trying to do is debug an app and it's stopping/crashing when I use Fiddler to intercept its traffic, I guess because of the security warning. That same app is working fine on iOS with Fiddler with the same FiddlerRoot certificate installed on the device.

Thanks

[Alessandro Ballini]

I have just tried with another Android phone and everything works as expected.

Why can't I have Fiddler working correctly with my phone? :(

[EricLaw]

The problem is here:

    CONNECT 194.149.233.101:443 HTTP/1.0

Whatever your device is using to force data to go through the proxy is not setting the proper value in the target of the CONNECT, and thus it sends along an IP address instead of the hostname of the target site. This causes Fiddler to generate a certificate containing the IP address rather than the expected hostname, and you get the certificate name mismatch error.

Unfortunately, your Android version appears to be too old to send the proper ServerNameIndicator TLS extension, which means you cannot use the SetCNFromSNI preference. You should, however, be able to work around the problem using the simple script here: https://groups.google.com/d/msg/httpfiddler/hvsDR14j1Lg/hE7acHdc2nYJ