fiddler suddenly cannot capture https traffic(http is ok)


Liangbin Dai

Sep 29, 2017, 4:20:41 AM
to Fiddler
Hi:
   I have used Fiddler for a long time, but today I found that Fiddler cannot capture HTTPS any more (it was OK before).
   The system is Windows 7 (64-bit), and the Fiddler version is v4.6.20173.38786.
    The HTTPS requests come from an app (Android/iOS), but neither the Android nor the iOS client is OK: I cannot find a session whose protocol is HTTPS, yet the app shows the correct data, and the data comes from the HTTPS traffic (I promise). I do not know what the reason is. I can provide you some data... And I did the following:
    1. I updated Fiddler to the latest version, but it still does not work.
    2. I found that the latest Fiddler is OK for HTTP connections; HTTPS is not OK.
    I guess maybe the Symantec anti-virus software, which I installed yesterday, causes this? Please help me, thank you.

The log is 
-= Fiddler Event Log =-

16:03:21:3171 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
16:03:21:6071 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
16:03:22:2702 Fiddler.Network.ProtocolViolation - [#10] The Request's Host header did not match the URL's host component.

URL Host: 61.135.185.33
Header Host: loc.map.baidu.com
16:03:25:6894 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
16:03:26:5134 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
16:04:12:7551 !Cannot decode HTTP response using Content-Encoding: rc4
16:04:13:0531 !Cannot decode HTTP response using Content-Encoding: rc4
16:08:03:8423 Fiddler.Network.ProtocolViolation - [#42] Incorrectly formed Request-Line. abs_path was empty (e.g. missing /). RFC2616 Section 5.1.2
16:08:08:6816 Fiddler.Network.ProtocolViolation - [#47] Incorrectly formed Request-Line. abs_path was empty (e.g. missing /). RFC2616 Section 5.1.2
16:08:10:1896 Fiddler.Network.ProtocolViolation - [#51] Incorrectly formed Request-Line. abs_path was empty (e.g. missing /). RFC2616 Section 5.1.2
16:08:13:2658 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
16:08:18:1621 Fiddler.Network.ProtocolViolation - [#55] Incorrectly formed Request-Line. abs_path was empty (e.g. missing /). RFC2616 Section 5.1.2
16:09:44:7061 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
16:10:07:3874 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance

and the request session is in the attachment

and the session properties are

SESSION STATE: Done.
Request Entity Size: 1225 bytes.
Response Entity Size: 752 bytes.

== FLAGS ==================
BitFlags: [ResponseGeneratedByFiddler, IsBlindTunnel] 0x1100
HTTPS-CLIENT-SESSIONID: empty
HTTPS-CLIENT-SNIHOSTNAME: creditlife.yirendai.com
HTTPS-SERVER-CIPHER: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
HTTPS-SERVER-SESSIONID: empty
UI-BOLD: user-marked
UI-COLOR: Red
UI-OLDCOLOR: Gray
X-CLIENTIP: 192.168.191.4
X-CLIENTPORT: 53510
X-EGRESSPORT: 58728
X-HOSTIP: 101.254.100.60
X-RESPONSEBODYTRANSFERLENGTH: 0

== TIMING INFO ============
ClientConnected: 16:03:16.177
ClientBeginRequest: 16:03:16.179
GotRequestHeaders: 16:03:16.179
ClientDoneRequest: 16:03:16.179
Determine Gateway: 0ms
DNS Lookup: 0ms
TCP/IP Connect: 4ms
HTTPS Handshake: 0ms
ServerConnected: 16:03:16.183
FiddlerBeginRequest: 16:03:16.183
ServerGotRequest: 16:03:16.183
ServerBeginResponse: 00:00:00.000
GotResponseHeaders: 00:00:00.000
ServerDoneResponse: 16:06:23.016
ClientBeginResponse: 16:06:23.016
ClientDoneResponse: 16:06:23.016

Overall Elapsed: 0:03:06.836

The response was buffered before delivery to the client.

== WININET CACHE INFO ============
This URL is not present in the WinINET cache. [Code: 2]
* Note: Data above shows WinINET's current cache state, not the state at the time of the request.
* Note: Data above shows WinINET's Medium Integrity (non-Protected Mode) cache only.

SESSION STATE: Done.
Request Entity Size: 2192 bytes.
Response Entity Size: 695 bytes.

== FLAGS ==================
BitFlags: [ResponseGeneratedByFiddler, IsBlindTunnel] 0x1100
HTTPS-CLIENT-SESSIONID: 22 52 2A 8D 72 8D 55 CE 5F E3 A6 57 C8 34 FE 2D A6 29 A4 E5 E0 33 FB 4C 38 03 D2 AF 20 BE FA CC
HTTPS-CLIENT-SNIHOSTNAME: creditlife.yirendai.com
HTTPS-SERVER-CIPHER: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
HTTPS-SERVER-SESSIONID: 22 52 2A 8D 72 8D 55 CE 5F E3 A6 57 C8 34 FE 2D A6 29 A4 E5 E0 33 FB 4C 38 03 D2 AF 20 BE FA CC
UI-BOLD: user-marked
UI-COLOR: Red
UI-OLDCOLOR: Gray
X-CLIENTIP: 192.168.191.4
X-CLIENTPORT: 53518
X-EGRESSPORT: 58731
X-HOSTIP: 101.254.100.60
X-RESPONSEBODYTRANSFERLENGTH: 0

== TIMING INFO ============
ClientConnected: 16:03:21.100
ClientBeginRequest: 16:03:21.308
GotRequestHeaders: 16:03:21.308
ClientDoneRequest: 16:03:21.308
Determine Gateway: 0ms
DNS Lookup: 0ms
TCP/IP Connect: 4ms
HTTPS Handshake: 0ms
ServerConnected: 16:03:21.313
FiddlerBeginRequest: 16:03:21.313
ServerGotRequest: 16:03:21.313
ServerBeginResponse: 00:00:00.000
GotResponseHeaders: 00:00:00.000
ServerDoneResponse: 16:03:27.134
ClientBeginResponse: 16:03:27.134
ClientDoneResponse: 16:03:27.134

Overall Elapsed: 0:00:05.826

The response was buffered before delivery to the client.

== WININET CACHE INFO ============
This URL is not present in the WinINET cache. [Code: 2]
* Note: Data above shows WinINET's current cache state, not the state at the time of the request.
* Note: Data above shows WinINET's Medium Integrity (non-Protected Mode) cache only.

SESSION STATE: Done.
Request Entity Size: 2193 bytes.
Response Entity Size: 695 bytes.

== FLAGS ==================
BitFlags: [ResponseGeneratedByFiddler, IsBlindTunnel] 0x1100
HTTPS-CLIENT-SESSIONID: 22 52 2A 8D 72 8D 55 CE 5F E3 A6 57 C8 34 FE 2D A6 29 A4 E5 E0 33 FB 4C 38 03 D2 AF 20 BE FA CC
HTTPS-CLIENT-SNIHOSTNAME: creditlife.yirendai.com
HTTPS-SERVER-CIPHER: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
HTTPS-SERVER-SESSIONID: 22 52 2A 8D 72 8D 55 CE 5F E3 A6 57 C8 34 FE 2D A6 29 A4 E5 E0 33 FB 4C 38 03 D2 AF 20 BE FA CC
UI-BOLD: user-marked
UI-COLOR: Red
UI-OLDCOLOR: Gray
X-CLIENTIP: 192.168.191.4
X-CLIENTPORT: 53524
X-EGRESSPORT: 58732
X-HOSTIP: 101.254.100.60
X-RESPONSEBODYTRANSFERLENGTH: 0

== TIMING INFO ============
ClientConnected: 16:03:21.599
ClientBeginRequest: 16:03:21.599
GotRequestHeaders: 16:03:21.599
ClientDoneRequest: 16:03:21.599
Determine Gateway: 16ms
DNS Lookup: 0ms
TCP/IP Connect: 4ms
HTTPS Handshake: 0ms
ServerConnected: 16:03:21.604
FiddlerBeginRequest: 16:03:21.604
ServerGotRequest: 16:03:21.604
ServerBeginResponse: 00:00:00.000
GotResponseHeaders: 00:00:00.000
ServerDoneResponse: 16:06:22.058
ClientBeginResponse: 16:06:22.058
ClientDoneResponse: 16:06:22.058

Overall Elapsed: 0:03:00.459

The response was buffered before delivery to the client.

== WININET CACHE INFO ============
This URL is not present in the WinINET cache. [Code: 2]
* Note: Data above shows WinINET's current cache state, not the state at the time of the request.
* Note: Data above shows WinINET's Medium Integrity (non-Protected Mode) cache only.


The HTTPS configuration is

4_Full.txt

Eric Lawrence

Sep 29, 2017, 1:16:17 PM
to Fiddler
Please untick the "Ignore server certificate errors" checkbox unless you absolutely need it; that's a very unsafe setting.

The text in the 4_Full.txt file is important: "Fiddler's HTTPS Decryption feature is enabled, but this specific tunnel was configured not to be decrypted. Settings can be found inside Tools > Options > HTTPS."

In the screenshot, you have a rule that says "Perform decryption only for the following hosts... *bee*;". This is a problem for two reasons:

1. Fiddler does not accept trailing stars in host matching rules (making *bee* illegal), and
2. The hostname creditlife.yirendai.com would not have matched *bee anyway.

If you clear this box, the problem should go away.
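To make the diagnosis above reproducible, here is an added example (not Fiddler's own code and not from the thread) that parses a session-properties dump of the shape pasted in the first post and checks it against a "Perform decryption only for the following hosts" list. The sample dump is constructed from the fields shown above. The host-list rules it applies are an assumption drawn from Eric's two points: entries are separated by `;`, a `*` is only accepted as a leading wildcard, and a trailing or embedded `*` makes the entry illegal; it does not claim to reproduce Fiddler's real parser.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of a Fiddler "Session Properties" dump
# (fields copied in form from the thread; not a live capture).
SAMPLE_DUMP = """SESSION STATE: Done.
Request Entity Size: 1225 bytes.
Response Entity Size: 752 bytes.

== FLAGS ==================
BitFlags: [ResponseGeneratedByFiddler, IsBlindTunnel] 0x1100
HTTPS-CLIENT-SESSIONID: empty
HTTPS-CLIENT-SNIHOSTNAME: creditlife.yirendai.com
HTTPS-SERVER-CIPHER: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
X-CLIENTIP: 192.168.191.4
X-HOSTIP: 101.254.100.60

== TIMING INFO ============
HTTPS Handshake: 0ms
"""


def parse_session_dump(text: str) -> Dict[str, object]:
    """Turn the 'Key: Value' lines of a dump into a dict. The BitFlags line
    is additionally split into a list stored under 'flags'."""
    props: Dict[str, object] = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith("=="):
            continue
        key, _, value = line.partition(":")
        props[key.strip()] = value.strip()
    m = re.search(r"\[(.*?)\]", str(props.get("BitFlags", "")))
    props["flags"] = [f.strip() for f in m.group(1).split(",")] if m else []
    return props


def _entries(rule_list: str) -> List[str]:
    return [e.strip().lower() for e in rule_list.split(";") if e.strip()]


def host_rule_problems(rule_list: str) -> List[str]:
    """Report entries with a wildcard anywhere but the first character.
    Assumed rule (from the thread): only a leading '*' is legal."""
    problems = []
    for entry in _entries(rule_list):
        if "*" in entry[1:]:
            problems.append(
                f"illegal wildcard in {entry!r}: only a leading '*' is allowed")
    return problems


def host_matches(rule_list: str, host: str) -> bool:
    """True if host matches a legal entry: exact match, or a suffix match
    for a leading-'*' entry (e.g. '*.example.com'). Illegal entries never match."""
    host = host.lower()
    for entry in _entries(rule_list):
        if "*" in entry[1:]:
            continue
        if entry.startswith("*"):
            if host.endswith(entry[1:]):
                return True
        elif host == entry:
            return True
    return False


def explain_undecrypted(dump: str, rule_list: str) -> Dict[str, object]:
    """Summarise why a session was passed through undecrypted: a blind tunnel
    with a 0ms HTTPS handshake means Fiddler never terminated TLS, and the
    SNI hostname is what the host list would have been matched against."""
    props = parse_session_dump(dump)
    sni = str(props.get("HTTPS-CLIENT-SNIHOSTNAME", ""))
    return {
        "sni_host": sni,
        "blind_tunnel": "IsBlindTunnel" in props["flags"],  # type: ignore[operator]
        "handshake_ms": props.get("HTTPS Handshake"),
        "rule_problems": host_rule_problems(rule_list),
        "host_in_rule": host_matches(rule_list, sni),
    }


if __name__ == "__main__":
    for rules in ("*bee*;", "*.yirendai.com;"):
        print(rules, "->", explain_undecrypted(SAMPLE_DUMP, rules))
```

Running it with the rule from the screenshot reports the illegal `*bee*` entry and that `creditlife.yirendai.com` would not match even a legal `*bee`; with `*.yirendai.com` the host matches, which is the shape of rule to use if you want to restrict decryption to specific hosts rather than clearing the box.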

Liangbin Dai

Sep 29, 2017, 11:35:44 PM
to Fiddler
Yes, it is OK now. Thank you very much, Lawrence.
And I want to know what the settings for HTTPS mean; I don't find the detailed information. E.g.: is it necessary to download the cert file every time when I change the computer? And what does the "Ignore server certificate errors" box mean?

Eric Lawrence

Oct 2, 2017, 1:01:56 PM
to Fiddler
"Ignore server certificate errors" means that Fiddler won't complain if the server sends a certificate not valid for the connection. This is dangerous because it means an attacker on the network could intercept your HTTPS traffic and you'd never know.

I'm not sure what you mean "download cert file every time when I change the computer." Change the computer how?

Liangbin Dai

Oct 5, 2017, 11:14:26 PM
to Fiddler
"download cert file every time when I change the computer." What I mean is, if I want to capture the HTTPS traffic from a phone on computer A, I should change the network proxy and download the cert file from 127.0.0.1:8888, and if I want to capture the HTTPS from computer B, should I download the cert file again (from 127.0.0.1:8888) for computer B (the proxy has already been changed for computer B)? Is the cert file downloaded from computer A or computer B the same? What is the difference?

Eric Lawrence

Oct 6, 2017, 8:24:30 AM
to Fiddler
The certificate file is unique to the Fiddler instance. Each client pointed at Fiddler needs the certificate, and if you ever regenerate the certificate, the client must be updated with the new one.

Importantly, you must ensure that each client only has one copy of the Fiddler root certificate installed. If you have two copies of different Fiddler Root Certificates installed on a single client, it will usually make it so neither one of them is trusted.

Liangbin Dai

Oct 8, 2017, 10:42:22 PM
to Fiddler
Got it.
Thank you very much.

Liangbin Dai

Oct 10, 2017, 12:23:48 PM
to Fiddler
Aha, I found this: http://www.telerik.com/blogs/faq---certificates-in-fiddler, it is just what I need.
It is quite useful.
Thank you, Lawrence.