Non-standard port HTTPS decryption

9 posts, 0 answers
  1. Eugene
    8 posts
    Member since:
    Nov 2015

    Posted 04 Nov 2015

    Hi!

    Exception text is "The handshake failed due to an unexpected packet format".

    Have tried enabling TLS 1.1 and TLS 1.2, didn't work. Any ideas? (I don't own the server, unfortunately)

    Thanks in advance! 

    Regards, Eugene

  2. Eugene
    8 posts
    Member since:
    Nov 2015

    Posted 04 Nov 2015 in reply to Eugene

    Forgot to add that HTTPS on port 443 decrypts without any problems and HTTPS on 8080 also works well in the case of a direct connection.
  3. Eric Lawrence
    Admin
    833 posts

    Posted 04 Nov 2015

    Hi, Eugene--

    Fiddler doesn't care about the target port at all; it has no special code related to port 443.

    The screenshot implies that you're trying to make an HTTPS connection to https://ntts.sltvmedia.com:8080; is that correct? Port 8080 on that server is running HTTP, not HTTPS, so any attempt to make an HTTPS connection to that URL will fail.

    Regards,
    Eric Lawrence
    Telerik
    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
  4. Eugene
    8 posts
    Member since:
    Nov 2015

    Posted 04 Nov 2015 in reply to Eric Lawrence

    This is what I see in Fiddler without HTTPS decryption. Something is happening there :)

    CONNECT ntts.sltvmedia.com:8080 HTTP/1.0

    User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
    Host: ntts.sltvmedia.com:8080
    Content-Length: 0
    DNT: 1
    Proxy-Connection: Keep-Alive
    Pragma: no-cache
    Proxy-Authorization: Basic <redacted>
    Accept-Language: es-ar;q=1

    A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below.

    Version: 3.1 (TLS/1.0)
    Random: 56 3A 02 C1 46 1F 81 33 53 A9 98 D4 DA E0 FD 58 EB B4 58 64 01 A0 2D BA C8 98 94 25 B4 78 93 82
    "Time": 11.08.2072 16:44:54
    SessionID: 40 30 EA 84 68 97 1B 4B 76 69 C7 59 5D 31 F6 DB 29 0E 68 60 F7 71 5D B2 49 AA C4 B5 60 3A 07 31
    Extensions: 
    renegotiation_info 00
    server_name ntts.sltvmedia.com
    status_request OCSP - Implicit Responder
    elliptic_curves secp256r1 [0x17], secp384r1 [0x18]
    ec_point_formats uncompressed [0x0]
    Ciphers: 
    [002F] TLS_RSA_AES_128_SHA
    [0035] TLS_RSA_AES_256_SHA
    [0005] SSL_RSA_WITH_RC4_128_SHA
    [000A] SSL_RSA_WITH_3DES_EDE_SHA
    [C013] TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA
    [C014] TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA
    [C009] TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    [C00A] TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    [0032] TLS_DHE_DSS_WITH_AES_128_SHA
    [0038] TLS_DHE_DSS_WITH_AES_256_SHA
    [0013] SSL_DHE_DSS_WITH_3DES_EDE_SHA
    [0004] SSL_RSA_WITH_RC4_128_MD5

    Compression: 
    [00] NO_COMPRESSION


    CONNECT ntts.sltvmedia.com:8080 HTTP/1.0
    User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
    Host: ntts.sltvmedia.com:8080
    Content-Length: 0
    DNT: 1
    Proxy-Connection: Keep-Alive
    Pragma: no-cache
    Proxy-Authorization: Basic <redacted>
    Accept-Language: es-ar;q=1

    A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below.

    Version: 3.0 (SSL/3.0)
    Random: 56 3A 02 C2 21 F2 4D 74 0A 3D 4E E4 7D 40 EA DC 10 33 EF 4A 4C 39 83 8C 35 CC FC 16 19 71 08 49
    "Time": 21.02.2073 20:05:10
    SessionID: empty
    Extensions: 
    none
    Ciphers: 
    [0005] SSL_RSA_WITH_RC4_128_SHA
    [000A] SSL_RSA_WITH_3DES_EDE_SHA
    [0013] SSL_DHE_DSS_WITH_3DES_EDE_SHA
    [0004] SSL_RSA_WITH_RC4_128_MD5
    [00FF] TLS_EMPTY_RENEGOTIATION_INFO_SCSV

    Compression: 
    [00] NO_COMPRESSION

    CONNECT ntts.sltvmedia.com:8080 HTTP/1.0
    User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
    Host: ntts.sltvmedia.com:8080
    Content-Length: 0
    DNT: 1
    Proxy-Connection: Keep-Alive
    Pragma: no-cache
    Proxy-Authorization: Basic <redacted>
    Accept-Language: es-ar;q=1

    After the client received notice of the established CONNECT, it failed to send any data.

  5. Eric Lawrence
    Admin
    833 posts

    Posted 04 Nov 2015

    Hi, Eugene--

    The target (https://ntts.sltvmedia.com:8080/) is an HTTP-only Cloudflare nginx server.

    If you're seeing a ServerHello/partial HTTPS handshake in your environment, the most likely explanation is that your upstream proxy server is attempting to man-in-the-middle the connection to, for instance, show you an error page complaining that the upstream server cannot be reached.

    Regards,
    Eric Lawrence
    Telerik
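The exception in the opening post is what a TLS client raises when the bytes coming back after its ClientHello are not a TLS record at all, which is exactly the situation Eric describes (an HTTP-only port, or an intermediary answering in the server's place). As an added example, not code from the thread or from Fiddler, this classifies a server's first reply bytes so the failure can be diagnosed before blaming the proxy; the sample replies are constructed, not captured from the server discussed above.

```python
# Added example: classify the first bytes a server returns after a TLS ClientHello.
# A TLS record starts with a 5-byte header: content type, version (major, minor), length.
TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}
# Record-layer versions; TLS 1.3 still writes 0x0303 on the wire but 0x0304 is listed for completeness.
TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
                (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}
MAX_RECORD_BODY = 16384 + 2048  # RFC 5246 upper bound for a ciphertext record body


def parse_tls_record_header(data: bytes):
    """Return (content_type, version, body_length) for a plausible TLS record header, else None."""
    if len(data) < 5:
        return None
    ctype, major, minor = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    if ctype not in TLS_CONTENT_TYPES or (major, minor) not in TLS_VERSIONS:
        return None
    if length == 0 or length > MAX_RECORD_BODY:
        return None
    return TLS_CONTENT_TYPES[ctype], TLS_VERSIONS[(major, minor)], length


def classify_server_reply(data: bytes) -> str:
    """Label what the server sent back: a TLS record, a plain HTTP status line, or neither."""
    if not data:
        return "empty: server closed the connection without replying"
    header = parse_tls_record_header(data)
    if header:
        ctype, version, length = header
        # Handshake message type 0x02 is ServerHello; alert bodies carry level and description.
        if ctype == "handshake" and len(data) >= 6 and data[5] == 0x02:
            return f"tls: ServerHello ({version} record)"
        if ctype == "alert" and length >= 2 and len(data) >= 7:
            return f"tls: alert level={data[5]} description={data[6]} ({version} record)"
        return f"tls: {ctype} record ({version})"
    if data[:5] == b"HTTP/":
        status = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return f"plain http: '{status}' (port speaks HTTP, not HTTPS)"
    return "unknown: neither a TLS record nor an HTTP status line"


# Constructed sample replies (not captured from ntts.sltvmedia.com):
PLAIN_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\nServer: nginx\r\nContent-Length: 0\r\n\r\n"
# Handshake record, TLS 1.2 version bytes, body length 42: type 0x02 (ServerHello) + 41 filler bytes
SERVERHELLO_REPLY = bytes([0x16, 0x03, 0x03, 0x00, 0x2A, 0x02]) + b"\x00" * 41
# Alert record, TLS 1.0 version bytes, body: level 2 (fatal), description 40 (handshake_failure)
ALERT_REPLY = bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x28])
```

A plain HTTP status line in place of a ServerHello is the "unexpected packet format" case; a ServerHello from a port known to be HTTP-only points at an intermediary, as Eric suggests.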
  6. Eugene
    8 posts
    Member since:
    Nov 2015

    Posted 05 Nov 2015 in reply to Eric Lawrence

    I tried without an upstream proxy server; the same requests were issued.

    After these requests to ntts.sltvmedia.com:8080 I get redirected to another resource. Is it possible to decrypt requests to see the contents?

  7. Eric Lawrence
    Admin
    833 posts

    Posted 05 Nov 2015

    Either your traffic is going to a different server (e.g. different DNS results) or you have a network intermediary which is changing the behavior of the Cloudflare server.

    Sending a Wireshark PCAP or Netmon Capture of your traffic might allow us to get a better idea of what's going on.

    Regards,
    Eric Lawrence
    Telerik
  8. Eugene
    8 posts
    Member since:
    Nov 2015

    Posted 06 Nov 2015 in reply to Eric Lawrence

    I figured out that despite the exception I can still see decrypted content, so the goal is achieved. If you are interested, I can send you Fiddler archives with both SSL decrypted and not.
  9. Eric Lawrence
    Admin
    833 posts

    Posted 06 Nov 2015

    Sure, I'd love to have a look. Please email them to me by clicking Help > Send Feedback inside Fiddler.

    Regards,
    Eric Lawrence
    Telerik