This is a migrated thread and some comments may be shown as answers.

Capture traffic from .Net to web service with client certificate

Fiddler Classic
PJ asked on 09 Apr 2021, 03:35 AM

I'm trying to capture HTTP requests from .Net code running within a website on my local IIS.  The calls are being made by proxy classes generated from a WSDL via a Connected Services reference.  The recipient of the calls is claiming that the requests contain invalid payloads and I want to see the raw outgoing request from my end.

The service my code is calling requires TLS 1.2 and a client certificate.  The code runs fine at runtime as long as I don't have Fiddler in the picture (other than the payload supposedly being incorrect).

I have configured the .Net web app to run through Fiddler as follows:

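<!-- web.config: send the app's outbound System.Net traffic through Fiddler's listener -->
<system.net>
  <defaultProxy enabled="true">
    <proxy proxyaddress="http://127.0.0.1:8888" bypassonlocal="false" />
  </defaultProxy>
</system.net>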

 

In Fiddler I can see the CONNECT commands are failing.  I have the Fiddler HTTPS Protocols configured as "<client>;ssl3;tls1.0;tls1.1;tls1.2".  I have exported the client certificate from the certificate store as a .cer and have added the following code to the end of the OnBeforeRequest() method (hostname and cert name changed for illustrative purposes):

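// Only the CONNECT tunnel to the target service needs the client certificate.
if (oSession.HTTPMethodIs("CONNECT"))
{
    if (oSession.HostnameIs("service.hostname"))
    {
        // Tell Fiddler which exported certificate to present during the upstream TLS handshake.
        oSession["https-Client-Certificate"] = "C:\\certs\\Fiddler\\serviceClientCert.cer";
    }
}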

 

The CONNECT request is as follows:

CONNECT service.hostname:443 HTTP/1.1
Host: service.hostname
 
A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below.
 
Version: 3.3 (TLS/1.2)
Random: 60 6F C6 38 2E BC 87 BE 57 7C 55 C9 A7 B6 31 42 00 EE 66 35 37 A0 CD 4E 08 42 7D 45 4F 89 A4 CB
"Time": 3/8/2000 8:18:56 AM
SessionID: empty
Extensions:
    server_name service.hostname
    supported_groups    x25519 [0x1d], secp256r1 [0x17], secp384r1 [0x18]
    ec_point_formats    uncompressed [0x0]
    signature_algs  rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha1, ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_sha1, dsa_sha1, rsa_pkcs1_sha512, ecdsa_secp521r1_sha512
    SessionTicket   empty
    extended_master_secret  empty
    renegotiation_info  00
Ciphers:
    [C02C]  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    [C02B]  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    [C030]  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    [C02F]  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    [009F]  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    [009E]  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    [C024]  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    [C023]  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    [C028]  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    [C027]  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    [C00A]  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    [C009]  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    [C014]  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    [C013]  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    [009D]  TLS_RSA_WITH_AES_256_GCM_SHA384
    [009C]  TLS_RSA_WITH_AES_128_GCM_SHA256
    [003D]  TLS_RSA_WITH_AES_256_CBC_SHA256
    [003C]  TLS_RSA_WITH_AES_128_CBC_SHA256
    [0035]  TLS_RSA_WITH_AES_256_CBC_SHA
    [002F]  TLS_RSA_WITH_AES_128_CBC_SHA
    [000A]  SSL_RSA_WITH_3DES_EDE_SHA
 
Compression:
    [00]    NO_COMPRESSION

 

The CONNECT response is as follows:

HTTP/1.1 200 Connection Established
FiddlerGateway: Direct
StartTime: 20:12:56.601
Connection: close
 
fiddler.network.https> HTTPS handshake to service.hostname (for #5) failed. System.ComponentModel.Win32Exception The credentials supplied to the package were not recognized

 

I'm not sure why I'm getting the error or what I can do to rectify the problem.
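
A diagnostic for the setup described in the question, added here as an example and not part of the original thread. It assumes the handshake error comes from the account running Fiddler being unable to use the client certificate's private key (a .cer export carries only the public certificate, so the key has to come from a certificate store); the default path is the placeholder path from the question's script.

```powershell
# Added example, not from the thread. Run it as the same Windows user that runs Fiddler.
# Assumption: $CerPath is the file referenced by oSession["https-Client-Certificate"].
param(
    [string]$CerPath = 'C:\certs\Fiddler\serviceClientCert.cer'
)

# The .cer holds no private key; it is only used here to learn the thumbprint.
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
"Exported certificate: $($exported.Subject)"
"Thumbprint:           $($exported.Thumbprint)"
"Valid until:          $($exported.NotAfter)"

# Look for the same certificate in the per-user and per-machine personal stores.
foreach ($storePath in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    $found = @(Get-ChildItem -Path $storePath |
        Where-Object { $_.Thumbprint -eq $exported.Thumbprint })

    if ($found.Count -eq 0) {
        "$storePath : certificate not present"
        continue
    }

    foreach ($cert in $found) {
        "$storePath : present, HasPrivateKey = $($cert.HasPrivateKey)"
        if (-not $cert.HasPrivateKey) { continue }

        try {
            # Acquiring the key handle normally throws when this account
            # has no read permission on the key container.
            $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($key) {
                "  private key opened by $env:USERNAME ($($key.KeySize)-bit RSA)"
            } else {
                "  no RSA private key returned (the key may not be RSA)"
            }
        } catch {
            "  private key NOT usable by ${env:USERNAME}: $($_.Exception.Message)"
        }
    }
}
```

If the certificate appears only under LocalMachine, or the private key cannot be opened, the IIS application pool identity can complete the handshake while the interactive user running Fiddler cannot.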

 

5 Answers, 1 is accepted

0
Nick Iliev
Telerik team
answered on 09 Apr 2021, 11:59 AM

Hello PJ Melies,

 

 

You could try the solutions suggested in this forum thread (especially the one for recreating the root trust certificate).

 

Regards,
Nick Iliev
Progress Telerik

Love the Telerik and Kendo UI products and believe more people should try them? Invite a fellow developer to become a Progress customer and each of you can get a $50 Amazon gift voucher.

0
PJ
answered on 09 Apr 2021, 06:52 PM

Thanks for the reply Nick.

When I go into the Actions button at Tools -> Options -> HTTPS, I see the "Remove Interception Certificates" option, but it's disabled. I did click the Trust Root Certificate option, but it made no difference.

0
Nick Iliev
Telerik team
answered on 12 Apr 2021, 06:54 AM

Hi PJ,

 

You could try to reset all Fiddler certificates via the Reset All Certificates option in Tools > Options > HTTPS > Actions.

Also, try to modify the machine.config file and the properties suggested in the following blog:

https://www.telerik.com/blogs/capturing-traffic-from-.net-services-with-fiddler

 

Regards,
Nick Iliev
Progress Telerik


0
PJ
answered on 12 Apr 2021, 04:56 PM

Hi Nick,

 

I've Reset All Certificates and updated the machine.config as per the linked documents, but the end results are the same.

Since the service I'm calling requires a client certificate for authentication, do I need to set up Fiddler to pass along that client certificate, or is it supposed to do that implicitly?

0
Nick Iliev
Telerik team
answered on 13 Apr 2021, 05:45 AM

Hello PJ,

 

The Fiddler certificate cannot substitute a specific client certificate. So if your service is using certificate pinning, then you won't be able to capture the secure traffic with Fiddler. Assuming that you are the developer maintaining the service codebase, you could temporarily lower the security requirements (remove the certificate pinning and allow the service to use the Fiddler certificate) so that you could test your case.

 

Regards,
Nick Iliev
Progress Telerik

