HTTPS traffic decryption error: System.Security.Authentication.AuthenticationException

7 posts, 1 answers
  1. Evgeniy
    Posted 05 Feb 2015

    Hi,

    Fiddler runs on a PC with Windows 7 x64:

    Fiddler Web Debugger (v4.4.9.0)
    Built: 8 июля 2014 г.
     
    64-bit AMD64, VM: 43,00mb, WS: 72,00mb
    .NET 4.0.30319.17929 WinNT 6.1.7601 SP1

    I'm trying to capture HTTPS traffic from Android. The trusted certificate was installed, and I can see traffic from some sites, such as Google.

    But on a few sites, such as Twitter, I get an error:

    CONNECT twitter.com:443 HTTP/1.1
    Host: twitter.com
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; Nexus 5 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.99 Mobile Safari/537.36

    A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below.

    Version: 3.3 (TLS/1.2)
    Random: 54 D3 2B C1 BC 2C 00 09 2A 61 34 84 2A CD 1C CB 14 33 DD 7D 30 44 16 80 E4 94 FA AA CC 76 24 B6
    SessionID: 79 46 00 00 36 D9 BA 70 AA 0E 97 A6 10 8B BA 99 95 BD E7 D2 08 4B 5D 93 80 09 14 55 F2 C2 4A 9F
    Extensions:
        server_name    twitter.com
        ec_point_formats    uncompressed [0x0]
        elliptic_curves    secp521r1 [0x19], secp384r1 [0x18], secp256r1 [0x17]
        SessionTicket    empty
        signature_algorithms    00 20 06 01 06 02 06 03 05 01 05 02 05 03 04 01 04 02 04 03 03 01 03 02 03 03 02 01 02 02 02 03 01 01
        NextProtocolNegotiation    empty
        channel_id(GoogleDraft)    empty
    Ciphers:
        [C014]    TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA
        [C00A]    TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
        [0039]    TLS_DHE_RSA_WITH_AES_256_SHA
        [0038]    TLS_DHE_DSS_WITH_AES_256_SHA
        [0035]    TLS_RSA_AES_256_SHA
        [C012]    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
        [C008]    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
        [0016]    SSL_DHE_RSA_WITH_3DES_EDE_SHA
        [0013]    SSL_DHE_DSS_WITH_3DES_EDE_SHA
        [000A]    SSL_RSA_WITH_3DES_EDE_SHA
        [C02F]    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        [C02B]    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        [C013]    TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA
        [C009]    TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
        [00A2]    Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
        [009E]    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
        [0033]    TLS_DHE_RSA_WITH_AES_128_SHA
        [0032]    TLS_DHE_DSS_WITH_AES_128_SHA
        [009C]    TLS_RSA_WITH_AES_128_GCM_SHA256
        [002F]    TLS_RSA_AES_128_SHA
        [C011]    TLS_ECDHE_RSA_WITH_RC4_128_SHA
        [C007]    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
        [0005]    SSL_RSA_WITH_RC4_128_SHA
        [0004]    SSL_RSA_WITH_RC4_128_MD5
        [00FF]    TLS_EMPTY_RENEGOTIATION_INFO_SCSV

    Compression:
        [00]    NO_COMPRESSION

    HTTP/1.1 200 Connection Established
    FiddlerGateway: Direct
    StartTime: 11:37:22.290
    Connection: close
     
    fiddler.network.https> HTTPS handshake to twitter.com failed. System.Security.Authentication.AuthenticationException A call to SSPI failed, see inner exception. < The message received was unexpected or badly formatted

    On another PC it's OK on the same device. Thanks for any ideas.
  2. Eric Lawrence
    Admin
    Posted 05 Feb 2015

    Hello, Evgeniy Kozlov--

    Are you using the Android browser, or an app?

    Can you explain what you mean when you say "On another PC it's OK on the same device."? Is the other PC running the same build of Fiddler? Is there any change if you update to the very latest Fiddler (v4.4.9.0)?

    Is there any chance you could get a WireShark PCAP of the failing scenario? You could send it to me using Help > Send Feedback inside Fiddler.

    Regards,
    Eric Lawrence
    Telerik
     


     
  3. Evgeniy
    Posted 06 Feb 2015 in reply to Eric Lawrence

    Hi, Eric.

    It's the same in the browser (Chrome) and in the app I'm currently testing. The other PC and my PC are running the same, latest version of Fiddler. I sent you the WireShark PCAP via email.
  4. Answer
    Eric Lawrence
    Admin
    Posted 09 Feb 2015

    In your capture, you've configured Fiddler to send a client certificate. As far as I know, this isn't a feature supported by the Twitter website: 

    X-CLIENT-CERT: C=xx, OU=OWASP ZAP Root CA, O=OWASP Root CA, L=f53bc445cb, CN=OWASP Zed Attack Proxy Root CA Serial#6EC86

    It appears that the server issues a RST immediately after receiving the client certificate.

    If you remove the client certificate from the scenario, does the problem go away?

    Regards,
    Eric Lawrence
    Telerik
     


     
  5. Evgeniy
    Posted 15 Feb 2015 in reply to Eric Lawrence

    Eric, thank you very much!

    I have just removed the Fiddler2 directory from Documents and everything works without any errors.

    Best regards!
  6. Zy
    Posted 07 Dec 2015

    Hello all,

    When I use the latest version of Fiddler to view the HTTPS data, we don't see anything.

    17:53:50:0792 !SecureClientPipeDirect failed: System.Security.Authentication.AuthenticationException 调用 SSPI 失败,请参见内部异常。 < 处理证书时,出现了一个未知错误。 for pipe (CN=mgw.pingan.com.cn, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com).
    17:53:56:2720 !SecureClientPipeDirect failed: System.Security.Authentication.AuthenticationException 调用 SSPI 失败,请参见内部异常。 < 处理证书时,出现了一个未知错误。 for pipe (CN=mgw.pingan.com.cn, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com).
    17:53:56:2725 !SecureClientPipeDirect failed: System.Security.Authentication.AuthenticationException 调用 SSPI 失败,请参见内部异常。 < 处理证书时,出现了一个未知错误。 for pipe (CN=mgw.pingan.com.cn, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com).
    17:53:56:7440 !SecureClientPipeDirect failed: System.Security.Authentication.AuthenticationException 调用 SSPI 失败,请参见内部异常。 < 处理证书时,出现了一个未知错误。 for pipe (CN=mgw.pingan.com.cn, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com).
    17:53:57:0616 Fiddler.Network.ProtocolViolation - [#39] The Request's Host header did not match the URL's host component.

     

    Please help me.

    Best regards!

    Steven

     

     

  7. Eric Lawrence
    Admin
    Posted 07 Dec 2015

    Hello, Zy--

    Please see http://textslashplain.com/2015/10/30/reset-fiddlers-https-certificates/ for instructions on how to reset Fiddler's certificates, which should resolve this problem.

    If it doesn't, please open a NEW issue thread and describe your configuration (e.g. what OS, browser, etc).

    Regards,
    Eric Lawrence
    Telerik
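
Added example (not part of any post in this thread, and not Fiddler code): a Python triage of the two AuthenticationException log shapes reported above, showing which leg of the proxied connection failed and the follow-up the thread gives for it. It matches on Fiddler's own English prefixes because the inner SSPI text is localized; the function names and the wording of the next steps are assumptions of this example.

```python
import re
from collections import Counter

EXC = re.escape("System.Security.Authentication.AuthenticationException")

# Fiddler -> origin server leg: the first report in the thread.
UPSTREAM = re.compile(r"HTTPS handshake to (?P<host>\S+) failed\. " + EXC)
# Client -> Fiddler leg: the generated interception certificate is named in "for pipe (...)".
CLIENT = re.compile(r"!SecureClientPipeDirect failed: " + EXC +
                    r".*for pipe \(CN=(?P<host>[^,)]+)")

NEXT_STEP = {
    "proxy-to-server": "check whether Fiddler is sending a client certificate "
                       "the server does not expect",
    "client-to-proxy": "reset Fiddler's HTTPS interception certificates",
}

# Log lines copied from the two reports above, plus one unrelated line.
SAMPLE_LOG = [
    "fiddler.network.https> HTTPS handshake to twitter.com failed. "
    "System.Security.Authentication.AuthenticationException A call to SSPI failed, "
    "see inner exception. < The message received was unexpected or badly formatted",
    "17:53:50:0792 !SecureClientPipeDirect failed: "
    "System.Security.Authentication.AuthenticationException 调用 SSPI 失败,请参见内部异常。 "
    "< 处理证书时,出现了一个未知错误。 for pipe (CN=mgw.pingan.com.cn, O=DO_NOT_TRUST, "
    "OU=Created by http://www.fiddler2.com).",
    "17:53:57:0616 Fiddler.Network.ProtocolViolation - [#39] The Request's Host "
    "header did not match the URL's host component.",
]

def triage(line):
    """Return (leg, host, next_step) for a handshake failure, else None."""
    for leg, pattern in (("proxy-to-server", UPSTREAM), ("client-to-proxy", CLIENT)):
        m = pattern.search(line)
        if m:
            return leg, m.group("host"), NEXT_STEP[leg]
    return None

def summarize(lines):
    """Count handshake failures per (leg, host) so repeated lines collapse."""
    return Counter(t[:2] for t in map(triage, lines) if t)

if __name__ == "__main__":
    for (leg, host), n in summarize(SAMPLE_LOG).items():
        print(f"{n}x {leg} failure for {host}: {NEXT_STEP[leg]}")
```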