Can not beat HTTPS with Java client

3 posts, 0 answers
  1. Pavel
    1 posts
    Member since:
    May 2011

    Posted 28 Feb 2017

    I'm trying to use Fiddler v4.6.20171.7553 with a Java app bundled with its own JVM/JRE 1.7.0_80.

    I've exported Fiddler's certificate to the desktop and, using keytool, added the certificate to its keystore:

    keytool -import -keystore cacerts -file FiddlerRoot.cer -alias fiddler

    keytool reported that the certificate was successfully imported, which I've checked with the command:

    keytool -list -v -keystore cacerts -alias fiddler

    I've also installed the certificates to Windows, both to local and user space, to be sure.

    The server I'm trying to connect to is configured to use the TLS1.0;TLS1.1;TLS1.2 protocols, so that's what I set in the Fiddler options for HTTPS protocols. I've also tried adding <client> and using different combinations of protocols, but it didn't help.

    Resetting the certificates, or deleting the interception certificates and adding them again, doesn't help.

    I always get the error:

    !SecureClientPipeDirect failed: System.Security.Authentication.AuthenticationException A call to SSPI failed, see inner exception. < An unknown error occurred while processing the certificate on pipe (CN=target.website, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com).

    On the app side I have the error:

    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    OS details: 64-bit AMD64, VM: 56,0mb, WS: 94,0mb .NET 4.6.2 WinNT 10.0.10240.0

    Request headers:

    CONNECT target.website:443 HTTP/1.1
    User-Agent: Java/1.7.0_80
    Host: target.website
    Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2

    A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below.

    Version: 3.1 (TLS/1.0)
    Random: some random
    "Time": 07.06.2015 3:37:44
    SessionID: empty
    Extensions:
        elliptic_curves    secp256r1 [0x17], sect163k1 [0x1], sect163r2 [0x3], secp192r1 [0x13], secp224r1 [0x15], sect233k1 [0x6], sect233r1 [0x7], sect283k1 [0x9], sect283r1 [0xA], secp384r1 [0x18], sect409k1 [0xB], sect409r1 [0xC], secp521r1 [0x19], sect571k1 [0xD], sect571r1 [0xE], secp160k1 [0xF], secp160r1 [0x10], secp160r2 [0x11], sect163r1 [0x2], secp192k1 [0x12], sect193r1 [0x4], sect193r2 [0x5], secp224k1 [0x14], sect239k1 [0x8], secp256k1 [0x16]
        ec_point_formats    uncompressed [0x0]
        server_name    target.website
    Ciphers:
        [C00A]    TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
        [C014]    TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA
        [0035]    TLS_RSA_AES_256_SHA
        [C005]    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
        [C00F]    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
        [0039]    TLS_DHE_RSA_WITH_AES_256_SHA
        [0038]    TLS_DHE_DSS_WITH_AES_256_SHA
        [C009]    TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
        [C013]    TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA
        [002F]    TLS_RSA_AES_128_SHA
        [C004]    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
        [C00E]    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
        [0033]    TLS_DHE_RSA_WITH_AES_128_SHA
        [0032]    TLS_DHE_DSS_WITH_AES_128_SHA
        [C008]    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
        [C012]    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
        [000A]    SSL_RSA_WITH_3DES_EDE_SHA
        [C003]    TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
        [C00D]    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
        [0016]    SSL_DHE_RSA_WITH_3DES_EDE_SHA
        [0013]    SSL_DHE_DSS_WITH_3DES_EDE_SHA
        [C007]    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
        [C011]    TLS_ECDHE_RSA_WITH_RC4_128_SHA
        [0005]    SSL_RSA_WITH_RC4_128_SHA
        [C002]    TLS_ECDH_ECDSA_WITH_RC4_128_SHA
        [C00C]    TLS_ECDH_RSA_WITH_RC4_128_SHA
        [0004]    SSL_RSA_WITH_RC4_128_MD5
        [00FF]    TLS_EMPTY_RENEGOTIATION_INFO_SCSV

    Compression:
        [00]    NO_COMPRESSION


  2. Filip
    1 posts
    Member since:
    Apr 2019

    Posted 05 Apr

    Finally I found someone with the same error as me, unfortunately without a solution...
  3. Simeon
    Admin
    216 posts

    Posted 09 Apr

    Hello Filip and Pavel,

    Could you please update to the latest version of Fiddler and reset your Fiddler root CA certificate? Try again, and if this does not help, you could try using Fiddler's CertMaker add-on.

    Regards,
    Simeon
    Progress Telerik