Re: Using Fiddler to redirect all requests to another server - Problems with HTTPS tunnels.


EricLaw

Mar 22, 2013, 4:10:15 PM
to httpf...@googlegroups.com
Most mobile platforms (Android/iOS/etc) will silently fail an HTTPS connection if the target certificate is invalid (e.g. the hostname mentioned in the certificate doesn't match the expected value from the request URL).
 
Have you configured Fiddler to decrypt HTTPS traffic using Tools > Fiddler Options > Advanced? Have you tried using the Tools > HOSTS feature instead of writing script?

EricLaw

Mar 22, 2013, 6:54:53 PM
to httpf...@googlegroups.com
There's nothing that Fiddler's HOSTS feature does that can't be done via scripting-- I merely wanted to verify that this feature was working correctly to help point you in the right direction.
 
How is your Android client sending its traffic to Fiddler? Did you change the proxy settings on the device itself, or did you have to use IPTables or another approach?
 
To ensure that Fiddler generates the expected certificate, you can put this block in your script
 
 
if (oS.HTTPMethodIs("CONNECT")
    && (oS.PathAndQuery ==  "server-a.host.com:443"))
{  
  oS["OriginalHost"] = oS.PathAndQuery;
  oS.PathAndQuery =  "server-g.host.com:443"; 
}
 
if (oS.HostnameIs("server-a.host.com")) oS.hostname =  "server-g.host.com";

// If it's an HTTPS tunnel, override the certificate
if (oS.HTTPMethodIs("CONNECT") && (null != oS["OriginalHost"]))
{
   oS["x-overrideCertCN"] = oS["OriginalHost"];
   oS["X-IgnoreCertCNMismatch"] = "Server's hostname may not match what we're expecting...";
}
oS.bypassGateway = true;

Alex Miller

Mar 22, 2013, 7:47:04 PM
to httpf...@googlegroups.com
I have changed the proxy settings on the device itself to point through Fiddler. I implemented the above block into my script but I am not seeing any difference in behavior; the tunnels are still failing to resolve. The following pops up in my Fiddler logs for every attempted tunnel:

No HTTPS request was received from () new client socket, port XXXXX

Where XXXXX is some port number.  It appears to change every request.

I threw a breakpoint into the code and confirmed that on HTTPS tunnel requests it was entering the oS["x-overrideCertCN"] block of code, but the tunnels still seem to be rejected by the device for some reason.

EricLaw

Mar 25, 2013, 12:42:26 PM
to httpf...@googlegroups.com
Let's step back a bit-- how did you configure the device to trust the Fiddler root certificate?

Alex Miller

Mar 25, 2013, 2:19:43 PM
to httpf...@googlegroups.com
I am installing it by exporting the root certificate to my desktop, then placing that in the root directory of the Android device.  I then go to Settings->Security->Install From Storage.  After doing this I am able to decode HTTPS calls from different applications, including the one which needs to be redirected.

EricLaw

Mar 25, 2013, 2:31:45 PM
to httpf...@googlegroups.com
...And you're not receiving any HTTPS errors on the client when intercepting HTTPS traffic with Fiddler without your code in place?
 
Can you copy/paste the entire block of code you're using?

Alex Miller

Mar 25, 2013, 3:34:34 PM
to httpf...@googlegroups.com
Correct.  When the server-switching code is not active (by unchecking the menu item that is linked up) I can see all the HTTPS tunnels and calls being made.  The decryption works without any issue and I can utilize auto-responder on them just fine.  I also have other code that, when enabled, alters part of the HTTPS response that also works without issue.  It is only this host switching one and only for HTTPS tunnels.

I have pasted the full FiddlerScript.js here: http://pastebin.com/GENUsgk7

The hostnames have been changed but the logic itself is all in place.  There are two parameters that I added.  m_DisableList forces code to be called in OnBeforeResponse to modify HTTPS calls.  This code works exactly as it should when called.  m_PointToGamma forces code to be called in OnBeforeRequest to redirect all calls including tunnels.  This is the code with issues (around line 159).

Thanks for the help.

EricLaw

Mar 25, 2013, 5:00:10 PM
to httpf...@googlegroups.com
Sorry, my mistake. The problem is here:
 
  oSession.oFlags["x-OverrideCertCN"] = oSession.oFlags["OriginalHost"];
 
The value we stuck in the OriginalHost variable is e.g. "example.com:443" when what we want in the certificate is just  "example.com".
 
The simplest way to fix it is to change the script like so:
 
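if (oS.HTTPMethodIs("CONNECT")
    && (oS.PathAndQuery == "server-a.host.com:443"))
{
  // Remember the hostname only (no ":443") before retargeting the tunnel
  oS["OriginalHostname"] = oS.hostname;
  oS.PathAndQuery = "server-g.host.com:443";
}

if (oS.HostnameIs("server-a.host.com")) oS.hostname = "server-g.host.com";

// If it's an HTTPS tunnel, override the certificate
if (oS.HTTPMethodIs("CONNECT") && (null != oS["OriginalHostname"]))
{
   oS["x-overrideCertCN"] = oS["OriginalHostname"];
   // Remaining lines carried over unchanged from the earlier version of this script
   oS["X-IgnoreCertCNMismatch"] = "Server's hostname may not match what we're expecting...";
}
oS.bypassGateway = true;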
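
The mismatch described in this reply, as an added example that is not part of the original post and is plain JavaScript rather than FiddlerScript: it splits a CONNECT authority into host and port and applies a simplified client-side name check, showing why a certificate name of "server-a.host.com:443" is rejected while "server-a.host.com" is accepted. The function names are hypothetical, the hostnames are the thread's placeholders, and the name check is a simplification of what a real TLS client does.

```javascript
// Added illustration; not Fiddler's API. All function names are hypothetical.

// Split a CONNECT authority ("host:port" or "[v6]:port") into its parts.
// An IPv6 literal keeps its brackets in the returned host.
function splitAuthority(authority) {
  const m = /^(\[[^\]]+\]|[^:]+)(?::(\d{1,5}))?$/.exec(authority.trim());
  if (!m) throw new Error("not a valid authority: " + authority);
  return { host: m[1].toLowerCase(), port: m[2] ? Number(m[2]) : 443 };
}

// Simplified client-side name check: exact match, or a single
// left-most "*" label matching exactly one label of the hostname.
function certNameMatches(certName, requestHost) {
  const c = certName.toLowerCase();
  const h = requestHost.toLowerCase();
  if (c === h) return true;
  if (!c.startsWith("*.")) return false;
  const dot = h.indexOf(".");
  return dot > 0 && h.slice(dot) === c.slice(1);
}

// Name to place in the generated certificate for a redirected tunnel:
// the host the client asked for, never the port and never the new target.
function certNameForTunnel(originalAuthority) {
  return splitAuthority(originalAuthority).host;
}

// Constructed sample: the client asks for server-a, the proxy retargets to server-g.
function demo() {
  const requested = "server-a.host.com:443";
  const clientExpects = splitAuthority(requested).host;
  return {
    // First script: certificate name still carries ":443"
    withPort: certNameMatches(requested, clientExpects),
    // Fixed script: hostname only
    hostOnly: certNameMatches(certNameForTunnel(requested), clientExpects),
    // No override: certificate issued for the redirect target
    targetName: certNameMatches("server-g.host.com", clientExpects),
  };
}

console.log(demo());
```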

Alex Miller

Mar 25, 2013, 6:01:02 PM
to httpf...@googlegroups.com
Awesome, that fixed it.  It now works perfectly, exactly like the HOSTS file.

Thanks again for the quick help.