I tried to redirect all traffic through Fiddler by using redsocks and iptables. Plaintext HTTP seems to work fine; however, HTTPS doesn't seem to work properly.
Initially I didn't want to use redsocks at all - however, it seemed that Fiddler cannot work in a way similar to sniproxy: using iptables -j DNAT alone doesn't work at all.
Then, although redsocks supports HTTP CONNECT proxy mode, Fiddler no longer shows domain names in intercepted CONNECT entries - IP addresses are shown instead. Fiddler also throws out certificate errors; even if I check the "ignore certificate errors" checkbox, the intercepted application (which already trusts the FiddlerRoot certificate) still refuses to connect. I think this should be related to SNI.
I think if Fiddler could work in a way similar to sniproxy, this problem would no longer exist, probably.
6 Answers, 1 is accepted
Hello Jack,
Based on your description, it seems like you are trying to get all the TCP traffic, so you may try software specifically oriented to such a scenario.
Regards,
Rosen Vladimirov
Progress Telerik
The web is about to get a bit better!
The Progress Hack-For-Good Challenge has started. Learn how to enter and make the web a worthier place: https://progress-worthyweb.devpost.com.

Why did Fiddler throw out server certificate errors? To my understanding:
(1) Fiddler did TLS handshake without correct SNI;
(2) Fiddler failed to verify the server certificate, because it assumed the host name to be the given IP address, rather than the domain name.
There's a patched version of redsocks (at the time of posting this thread, I hadn't tried it, but then I tried it & it seemed to work), so that Fiddler can receive the domain name (rather than the IP address) in the HTTP CONNECT request. With such a patched redsocks, Fiddler no longer throws out server certificate errors. (However, some (not all) apps still complain about an invalid server certificate; I don't know why yet.)
I think Fiddler should be able to accept TLS connections directly, rather than through an HTTP CONNECT tunnel only.
Also, I think Fiddler should be able to read domain name from TLS SNI on its own, rather than relying on HTTP CONNECT request header.


I have figured out why some apps didn't work.
(1) Some of them refuse to connect to a non-HTTP/2 server. I wish that Fiddler will support HTTP/2 soon.
(2) The lifetime of Fiddler-generated HTTPS certificates is too long, so that it violates Chromium's certificate lifetime policies. I have had Fiddler installed for quite a long time - I don't know whether the situation has changed, but shrinking the lifetime of Fiddler-generated certificates seemed to fix this.
By the way, Burp Suite has an interesting feature called "invisible proxy", which seems to describe the concept better than "similar to sniproxy"; after all, sniproxy won't decrypt (MitM) TLS data at all.

I love Fiddler because it doesn't block non-HTTP(S) traffic through an HTTP CONNECT tunnel.
However, the lack of HTTP/2 support is somewhat of a pity, though.
Hi Jack,
Thank you for the kind words for Fiddler and for your continuous updates on this topic and your investigation. Indeed HTTP/2 is something that's required for some servers. You can track the progress of this feature in the related Feature request in our feedback portal.
Regards,
Rosen Vladimirov
Progress Telerik
We have checked this case further and your explanation is correct - currently Fiddler requires CONNECT requests and gets the host from the Host header of those CONNECT requests. In your setup, you are right that the SNI is causing the problem.
However, based on our research it seems you can configure redsocks to set the Host header in CONNECT requests, which should resolve the issue with the IPs. Probably you need to set parse_sni_host = true; in redsocks, or some other option.
Can you give it a try and inform us if it works?