fiddler suddenly cannot capture https traffic(http is ok)

[Liangbin Dai]

Hi ：

   I use fiddler for a long time,but today I just found the fiddler cannot capture https again(which is ok before)

   The system is window7（bit 64） ,and fiddler version is v4.6.20173.38786

    The https request comes from app (android/ios),but both android and ios client are not ok , I cannot find a session which protocol is https,but the app shows the correct data,but the data comes from the https traffic(I promise),I donot know what is the reason.I can provider you some data ...And I did the following

    1. I update the fiddler to the lastest version , but it still doest not work.

    2.I found the lastest fiddler is ok for http connection ,https is not ok. 

    I guess maybe the anti-virus software symantec results this？which I install yesterday？Please help me，thank you

    

The log is 

-= Fiddler Event Log =-

16:03:21:3171 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance

16:03:21:6071 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance

16:03:22:2702 Fiddler.Network.ProtocolViolation - [#10] The Request's Host header did not match the URL's host component.

URL Host: 61.135.185.33

Header Host: loc.map.baidu.com

16:03:25:6894 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance

16:03:26:5134 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance

16:04:12:7551 !Cannot decode HTTP response using Content-Encoding: rc4

16:04:13:0531 !Cannot decode HTTP response using Content-Encoding: rc4

16:08:03:8423 Fiddler.Network.ProtocolViolation - [#42] Incorrectly formed Request-Line. abs_path was empty (e.g. missing /). RFC2616 Section 5.1.2

16:08:08:6816 Fiddler.Network.ProtocolViolation - [#47] Incorrectly formed Request-Line. abs_path was empty (e.g. missing /). RFC2616 Section 5.1.2

16:08:10:1896 Fiddler.Network.ProtocolViolation - [#51] Incorrectly formed Request-Line. abs_path was empty (e.g. missing /). RFC2616 Section 5.1.2

16:08:13:2658 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance

16:08:18:1621 Fiddler.Network.ProtocolViolation - [#55] Incorrectly formed Request-Line. abs_path was empty (e.g. missing /). RFC2616 Section 5.1.2

16:09:44:7061 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance

16:10:07:3874 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance

and the request session is in attachment 

and the session properties is 

SESSION STATE: Done.

Request Entity Size: 1225 bytes.

Response Entity Size: 752 bytes.

== FLAGS ==================

BitFlags: [ResponseGeneratedByFiddler, IsBlindTunnel] 0x1100

HTTPS-CLIENT-SESSIONID: empty

HTTPS-CLIENT-SNIHOSTNAME: creditlife.yirendai.com

HTTPS-SERVER-CIPHER: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

HTTPS-SERVER-SESSIONID: empty

UI-BOLD: user-marked

UI-COLOR: Red

UI-OLDCOLOR: Gray

X-CLIENTIP: 192.168.191.4

X-CLIENTPORT: 53510

X-EGRESSPORT: 58728

X-HOSTIP: 101.254.100.60

X-RESPONSEBODYTRANSFERLENGTH: 0

== TIMING INFO ============

ClientConnected: 16:03:16.177

ClientBeginRequest: 16:03:16.179

GotRequestHeaders: 16:03:16.179

ClientDoneRequest: 16:03:16.179

Determine Gateway: 0ms

DNS Lookup: 0ms

TCP/IP Connect: 4ms

HTTPS Handshake: 0ms

ServerConnected: 16:03:16.183

FiddlerBeginRequest: 16:03:16.183

ServerGotRequest: 16:03:16.183

ServerBeginResponse: 00:00:00.000

GotResponseHeaders: 00:00:00.000

ServerDoneResponse: 16:06:23.016

ClientBeginResponse: 16:06:23.016

ClientDoneResponse: 16:06:23.016

Overall Elapsed: 0:03:06.836

The response was buffered before delivery to the client.

== WININET CACHE INFO ============

This URL is not present in the WinINET cache. [Code: 2]

* Note: Data above shows WinINET's current cache state, not the state at the time of the request.

* Note: Data above shows WinINET's Medium Integrity (non-Protected Mode) cache only.

SESSION STATE: Done.

Request Entity Size: 2192 bytes.

Response Entity Size: 695 bytes.

== FLAGS ==================

BitFlags: [ResponseGeneratedByFiddler, IsBlindTunnel] 0x1100

HTTPS-CLIENT-SESSIONID: 22 52 2A 8D 72 8D 55 CE 5F E3 A6 57 C8 34 FE 2D A6 29 A4 E5 E0 33 FB 4C 38 03 D2 AF 20 BE FA CC

HTTPS-CLIENT-SNIHOSTNAME: creditlife.yirendai.com

HTTPS-SERVER-CIPHER: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

HTTPS-SERVER-SESSIONID: 22 52 2A 8D 72 8D 55 CE 5F E3 A6 57 C8 34 FE 2D A6 29 A4 E5 E0 33 FB 4C 38 03 D2 AF 20 BE FA CC

UI-BOLD: user-marked

UI-COLOR: Red

UI-OLDCOLOR: Gray

X-CLIENTIP: 192.168.191.4

X-CLIENTPORT: 53518

X-EGRESSPORT: 58731

X-HOSTIP: 101.254.100.60

X-RESPONSEBODYTRANSFERLENGTH: 0

== TIMING INFO ============

ClientConnected: 16:03:21.100

ClientBeginRequest: 16:03:21.308

GotRequestHeaders: 16:03:21.308

ClientDoneRequest: 16:03:21.308

Determine Gateway: 0ms

DNS Lookup: 0ms

TCP/IP Connect: 4ms

HTTPS Handshake: 0ms

ServerConnected: 16:03:21.313

FiddlerBeginRequest: 16:03:21.313

ServerGotRequest: 16:03:21.313

ServerBeginResponse: 00:00:00.000

GotResponseHeaders: 00:00:00.000

ServerDoneResponse: 16:03:27.134

ClientBeginResponse: 16:03:27.134

ClientDoneResponse: 16:03:27.134

Overall Elapsed: 0:00:05.826

The response was buffered before delivery to the client.

== WININET CACHE INFO ============

This URL is not present in the WinINET cache. [Code: 2]

* Note: Data above shows WinINET's current cache state, not the state at the time of the request.

* Note: Data above shows WinINET's Medium Integrity (non-Protected Mode) cache only.

SESSION STATE: Done.

Request Entity Size: 2193 bytes.

Response Entity Size: 695 bytes.

== FLAGS ==================

BitFlags: [ResponseGeneratedByFiddler, IsBlindTunnel] 0x1100

HTTPS-CLIENT-SESSIONID: 22 52 2A 8D 72 8D 55 CE 5F E3 A6 57 C8 34 FE 2D A6 29 A4 E5 E0 33 FB 4C 38 03 D2 AF 20 BE FA CC

HTTPS-CLIENT-SNIHOSTNAME: creditlife.yirendai.com

HTTPS-SERVER-CIPHER: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

HTTPS-SERVER-SESSIONID: 22 52 2A 8D 72 8D 55 CE 5F E3 A6 57 C8 34 FE 2D A6 29 A4 E5 E0 33 FB 4C 38 03 D2 AF 20 BE FA CC

UI-BOLD: user-marked

UI-COLOR: Red

UI-OLDCOLOR: Gray

X-CLIENTIP: 192.168.191.4

X-CLIENTPORT: 53524

X-EGRESSPORT: 58732

X-HOSTIP: 101.254.100.60

X-RESPONSEBODYTRANSFERLENGTH: 0

== TIMING INFO ============

ClientConnected: 16:03:21.599

ClientBeginRequest: 16:03:21.599

GotRequestHeaders: 16:03:21.599

ClientDoneRequest: 16:03:21.599

Determine Gateway: 16ms

DNS Lookup: 0ms

TCP/IP Connect: 4ms

HTTPS Handshake: 0ms

ServerConnected: 16:03:21.604

FiddlerBeginRequest: 16:03:21.604

ServerGotRequest: 16:03:21.604

ServerBeginResponse: 00:00:00.000

GotResponseHeaders: 00:00:00.000

ServerDoneResponse: 16:06:22.058

ClientBeginResponse: 16:06:22.058

ClientDoneResponse: 16:06:22.058

Overall Elapsed: 0:03:00.459

The response was buffered before delivery to the client.

== WININET CACHE INFO ============

This URL is not present in the WinINET cache. [Code: 2]

* Note: Data above shows WinINET's current cache state, not the state at the time of the request.

* Note: Data above shows WinINET's Medium Integrity (non-Protected Mode) cache only.

The https configigration is 

[Eric Lawrence]

Please untick the "Ignore server certificate errors" checkbox unless you absolutely need it; that's a very unsafe setting.

The text in the 4_Full.txt file is important: "Fiddler's HTTPS Decryption feature is enabled, but this specific tunnel was configured not to be decrypted. Settings can be found inside Tools > Options > HTTPS."

In the screenshot, you have a rule that says "Perform decryption only for the following hosts... *bee*;". This is a problem for two reasons:

1. Fiddler does not accept trailing stars in host matching rules (making *bee* illegal), and

2. The hostname creditlife.yirendai.com would not have matched *bee anyway

If you clear this box, the problem should go away.

[Liangbin Dai]

yes ，it is ok now. thank you  very much,Lawrence.

And I want to know what the settings for https means , I dont find the detail information ?eg:is it necessary to download cert file every time when I change the computer? and the "Ignore server certificate errors" box means ?

[Eric Lawrence]

"Ignore server certificate errors" means that Fiddler won't complain if the server sends a certificate not valid for the connection. This is dangerous because it means an attacker on the network could intercept your HTTPS traffic and you'd never know.

I'm not sure what you mean "download cert file every time when I change the computer." Change the computer how?

[Liangbin Dai]

“download cert file every time when I change the computer.”what I mean is ,if I want to capture the https traffic from a phone on computer A,I should change the net proxy and download the cert file from 127.0.0.1:8888, and if I want to capture the https from computer B,should I download the cert file againt(from 127.0.0.1

:8888) for computer B(the proxy has already changed for computer B )? The cert file download from computer A or computer B is the same? what is the difference?

[Eric Lawrence]

The certificate file is unique to the Fiddler instance. Each client pointed at Fiddler needs the certificate, and if you ever regenerate the certificate, the client must be updated with the new one.

Importantly, you must ensure that each client only has one copy of the Fiddler root certificate installed. If you have two copies of different Fiddler Root Certificates installed on a single client, it will usually make it so neither one of them is trusted.

[Liangbin Dai]

get it.

Thank you very much.

[Liangbin Dai]

aha ,I find this, http://www.telerik.com/blogs/faq---certificates-in-fiddler,it is just what I need .

it is quite useful

Thank you ,Lawrence

 

[ALIM MUSARAJ]

MT103/202 DIRECT WIRE TRANSFER
PAYPAL TRANSFER
CASHAPP TRANSFER
ZELLE TRANSFER
TRANSFER WISE
WESTERN UNION TRANSFER
BITCOIN FLASHING
BANK ACCOUNT LOADING/FLASHING
IBAN TO IBAN TRANSFER
MONEYGRAM TRANSFER
IPIP/DTC
SLBC PROVIDER
CREDIT CARD TOP UP
DUMPS/ PINS
SEPA TRANSFER
WIRE TRANSFER
BITCOIN TOP UP
GLOBALPAY INC US
SKRILL USA
UNIONPAY RECEIVER

Thanks.


NOTE; ONLY SERIOUS / RELIABLE RECEIVERS CAN CONTACT.

DM ME ON WHATSAPP
+44 7405 896213