Recently, a Fiddler user contacted me to note that they discovered a client/server application which failed when the TLS version 1.1 option is enabled in Internet Explorer’s Advanced settings. They were surprised to find that when they attempted to use Fiddler to debug the communication, the connection was instead successful.
Back in my old job, I’d encountered many such servers and services, and even wrote a post noting that many servers have compatibility problems with TLS 1.1 and TLS 1.2. Fiddler seems to magically “fix” such problems because, by default, it uses only SSL 3.0 and TLS 1.0 when talking to servers, even if the client browser or application attempts connections using the later protocol versions. Fiddler’s behavior derives from the fact that, until version 4.5, the .NET Framework itself was unable to use the TLS1.1/1.2 support introduced in Windows 7.
Now that the latest .NET Framework supports the new TLS protocol versions, Fiddler 4 can be configured to use them. Fiddler 4 must be running on Windows 7+ and the .NET Framework 4.5 must be installed. Note: Fiddler version 2 cannot use these protocols as the older .NET Framework does not support them, and Fiddler 4 cannot use TLS1.1+ on pre-Win7 versions of Windows that only offer TLS 1.0.
By default, Fiddler 4 will accept inbound connections using any protocol version (SSL2, SSL3, TLS1.0, TLS1.1, or TLS1.2). However, by default, it will not attempt to use TLS1.1 or TLS1.2 when connecting to remote servers, due to the aforementioned compatibility problems.
Within Fiddler, enabled HTTPS protocol versions can be controlled either globally, or on a per-CONNECT tunnel basis. To enable Fiddler to connect to servers using SSL 3 and every version of TLS, type the following command in the QuickExec box below Fiddler’s Web Sessions list:
prefs set fiddler.network.https.SupportedServerProtocolVersions ssl3;tls1.0;tls1.1;tls1.2
You must restart Fiddler for this change to take effect.
Alternatively, you may control the offered protocol versions on a per-Connection basis by setting a Session flag on the CONNECT tunnel through which the secure traffic flows. This flag must be set on the tunnel using the OnBeforeRequest function in FiddlerScript. You can use code like the following:
// Enable TLS1.1/1.2 when talking to Paypal
if (oSession.HTTPMethodIs("CONNECT") && oSession.HostnameIs("www.paypal.com"))
    oSession["x-OverrideSslProtocols"] = "ssl3;tls1.0;tls1.1;tls1.2";
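The following FiddlerScript is an added example rather than code from the original post: it generalizes the per-tunnel override above to a list of hosts and flags the failure mode described later (a Fiddler-generated HTTP/502 on the CONNECT tunnel). It assumes the OnReturningError hook of CustomRules.js, and the host list is a constructed sample.

```fiddlerscript
// Added example (not from the original post): paste into Rules > Customize Rules.
// Offers SSL3 plus every TLS version to an allow-list of hosts, and highlights
// CONNECT tunnels that come back as HTTP/502 after the override was applied.
// The host list below is constructed; adjust it for the servers you debug.
static var s_ModernTlsHosts = ["www.paypal.com", "api.example.test"];

// Returns true if oSession is the CONNECT tunnel for one of the listed hosts.
static function IsModernTlsTunnel(oSession: Session): boolean {
    if (!oSession.HTTPMethodIs("CONNECT")) return false;
    for (var i = 0; i < s_ModernTlsHosts.length; i++) {
        if (oSession.HostnameIs(s_ModernTlsHosts[i])) return true;
    }
    return false;
}

static function OnBeforeRequest(oSession: Session) {
    if (IsModernTlsTunnel(oSession)) {
        // Per-tunnel override of fiddler.network.https.SupportedServerProtocolVersions.
        oSession["x-OverrideSslProtocols"] = "ssl3;tls1.0;tls1.1;tls1.2";
        oSession["ui-comments"] = "TLS1.1/1.2 offered to server";
    }
}

// Called by Fiddler when it is about to return an error it generated itself,
// such as the HTTP/502 produced when the upstream server aborts the handshake.
static function OnReturningError(oSession: Session) {
    if (oSession.responseCode == 502 &&
        oSession.oFlags.ContainsKey("x-OverrideSslProtocols")) {
        oSession["ui-backcolor"] = "LightPink";
        oSession["ui-comments"] = "502 after offering TLS1.1/1.2 to " +
            oSession.hostname + "; retry without the override to confirm";
        FiddlerObject.log("Possible TLS1.1/1.2 incompatibility: " + oSession.hostname);
    }
}
```

If CustomRules.js already defines OnBeforeRequest, merge the body shown here into the existing function rather than declaring a second one.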
In most cases, upgrading to a later version of TLS doesn’t result in a meaningful difference in the traffic. For instance, the TextView response inspector on the left shows a TLS1.0 connection, while that on the right shows the results after TLS1.2 is enabled:
In other cases, you may see that the client and server use different Cipher, Hash, and Key Exchange algorithms when changing to a later TLS version, but the traffic should otherwise not differ.
The exception is when the server is incompatible with TLS 1.1 or TLS 1.2 and does not properly fall back to an older version. In that case you will probably see an HTTP/502 error in Fiddler complaining that the upstream server aborted the connection attempt. You should consider contacting the server operator and requesting that they upgrade their HTTPS support to the latest protocols.
Eric Lawrence (@ericlaw) has built websites and web client software since the mid-1990s. After over a decade of working on the web for Microsoft, Eric joined Telerik in October 2012 to enhance the Fiddler Web Debugger on a full-time basis. With his recent move to Austin, Texas, Eric has now lived in the American South, North, West, and East.