Hey all
I am new to Fiddler, but we are in a position where our current ERP (Dynamics AX 2009) is too old and does not support TLS1.2 (its built on .Net 3.5), therefore pretty much all REST calls do not function. Fiddler came up as an option to be able to override SSL protocols to TLS1.2--which in my proof of concept (installed locally to dev box) is working fine.
However I am a bit confused on how I can actually implement this in a "production-ready" manner as all the calls will come from individual client machines on our network running the AX thick-client (its a standard client/server architecture), so I would need to put this in place somehow to target/override/log only REST calls from this application to specifics hosts (I have this working via FiddlerScript) for any calls coming from our internal network. We would need all other traffic to not be impacted.
I'd prefer not to install Fiddler on every client machine, so does it make sense to stand it up as a proxy server between clients and firewall? Is there a better way?
Thanks
4 Answers, 1 is accepted
Hi David,
I believe this is referring to the Fiddler Modern TLS workaround where Fiddler works because by default it only uses TLS 1.0 and SSL 3.0 to talk to servers.
If that is the case then it may be possible to use use Fiddler on the Web Server and in the OnBeforeRequest event upgrade to TLS1.1+. For examples, see the Old Software that requires TLS 1.0 and the IIS SEO Toolkit Not Crawling Sites w/TLS1.0 threads.
The code in the OnBeforeRequest would look like the following.
if (oSession.HTTPMethodIs("CONNECT") && oSession.HostnameIs("www.yourdomain.com")) {
oSession["x-OverrideSslProtocols"] = " ssl3;tls1.0;tls1.1;tls1.2";
}It may require configuring Fiddler as the Reverse Proxy as well.
Additionally, I recommend trying this on a development machine before moving it in production as it may require changing the port configuration.
Please give this a try and let me know the results. Thank you and I look forward to your reply.
Regards,
Eric R | Senior Technical Support Engineer
Progress Telerik
Our thoughts here at Progress are with those affected by the outbreak.
Rank 1
Hey Eric- appreciate the reply!
Currently I have the actual proof of concept working on my devbox with the following script:
if (oSession.HostnameIs("mydomain.com") && oSession.LocalProcess.Contains("ax32")){ oSession["x-OverrideSslProtocols"] = "tls1.2"; }This way it only works with calls from the application.
However the rest of your reply is either over my head or maybe I miscommunicated. Dynamics AX runs as a on-prem server application instance (not a website) that has thick-client software installed on all user machines to access the system. All REST calls from this application would come from the individual clients (not server-side code) that are kicking off those operations.
Specifically in this case, we have a small ecomm site (LEMP-based) that I want to write back shipping and fulfillment data. So I am sending a POST from my client to the site, which does not work unless I have Fiddler running (with the script above) on the same machine I make the request on to override the old SSL protocol.
From this proof, I am trying to extrapolate how this would be implemented in a production scenario. For example, I don't want to have to install Fiddler on each client as that would be a mgmt nightmare. Does this help?
Thanks
Hi David,
Thank you for providing the additional information. Although, I am still not sure I understand completely.
Let me try and rephrase it from my understanding. Dynamix runs on a server and each thick-client is installed on client machines. The goal is to allow the Dynamix thick-client make a POST request to the LEMP-based server through the Dynamix server?
If this is the case and if all requests go from the client application to Dynamix to the LEMP server then it might work by installing Fiddler on the Dynamix server and using the same FiddlerScript implementation.
Unfortunately, if Dynamix is installed on a Windows Server version prior to 2008 R2 this would not work as it does not support the modern protocols.
Please let me know if that helps clarify or if I am missing something. Thank you and I look forward to your reply.
Regards,
Eric R | Senior Technical Support Engineer
Progress Telerik
Our thoughts here at Progress are with those affected by the outbreak.
Rank 1
Sorry I think I may have distracted you by mentioning the Dynamics server, purely for base architecture understanding, but all the REST calls actually run on the client-side so the calls themselves will come from individual PCs-- this is the challenge as its more distributed than all calls originating from a single server.
Thanks again