This is a migrated thread and some comments may be shown as answers.

Failed attempt to redirect all traffic thru Fiddler (SNI-related, maybe)

Windows
Jack
Jack asked on 19 Apr 2021, 11:08 AM

I tried to redirect all traffic thru Fiddler by using redsocks and iptables. Plaintext HTTP seems to work fine; however, HTTPS doesn't seem to work properly.

Initially I didn't want to use redsocks at all - however, it seemed that Fiddler cannot work in a way similar to sniproxy: using iptables -j DNAT alone doesn't work at all.

Then, although redsocks supports http CONNECT proxy mode, Fiddler no longer shows domain names in intercepted CONNECT entries - IP addresses are shown instead. Fiddler also throws certificate errors; even if I check the "ignore certificate errors" checkbox, the intercepted application (which already trusts the FiddlerRoot certificate) still refuses to connect. I think this should be related to SNI.

I think if Fiddler could work in a way similar to sniproxy, this problem would probably no longer exist.

Rosen Vladimirov
Telerik team
commented on 21 Apr 2023, 06:45 AM

We have checked this case further and your explanation is correct - currently Fiddler requires CONNECT requests and gets the host from the Host header of those CONNECT requests. In your setup, you are right that the SNI is causing the problem.
However, based on our research it seems you can configure redsocks to set the Host header in CONNECT requests, which should resolve the issue with the IPs. Probably you need to set parse_sni_host = true; in the redsocks configuration, or some other option.

Can you give it a try and inform us if it works?

6 Answers, 1 is accepted

Accepted
Rosen Vladimirov
Telerik team
answered on 21 Apr 2021, 10:46 AM

Hello Jack,

Fiddler Classic works as a system-wide man-in-the-middle proxy, so in order to get the traffic through it, the application sending requests must respect the proxy configuration. We are not aware of redsocks and we have not tried using it in combination with Fiddler Classic, so unfortunately we are not able to provide help on the simultaneous usage of the two tools.
Based on your description, it seems like you are trying to get all the TCP traffic, so you may try software specifically oriented to such a scenario.

Regards,
Rosen Vladimirov
Progress Telerik

The web is about to get a bit better!

The Progress Hack-For-Good Challenge has started. Learn how to enter and make the web a worthier place: https://progress-worthyweb.devpost.com.

Jack
answered on 22 Apr 2021, 07:48 AM

Why did Fiddler throw out server certificate errors? To my understanding:

(1) Fiddler did TLS handshake without correct SNI;

(2) Fiddler failed to verify the server certificate, because it assumed the host name to be the given IP address, rather than the domain name.

There's a patched version of redsocks (at the time of posting this thread, I hadn't tried it, but then I tried it and it seemed to work), so that Fiddler can receive the domain name (rather than the IP address) in the HTTP CONNECT request. With such a patched redsocks, Fiddler no longer throws server certificate errors. (However, some (not all) apps still complain about an invalid server certificate; I don't know why yet.)

I think Fiddler should be able to accept a TLS connection directly, rather than thru an HTTP CONNECT tunnel only.

Also, I think Fiddler should be able to read domain name from TLS SNI on its own, rather than relying on HTTP CONNECT request header.

Jack
answered on 22 Apr 2021, 07:53 AM
Oh, I see the problem that TLS ClientHello may not contain SNI, so that Fiddler won't be able to know the target server to connect with. However I still wish that Fiddler could handle SNI while connecting thru HTTP CONNECT tunnel.
Jack
answered on 25 Apr 2021, 11:52 AM

I have figured out why some apps didn't work.

(1) Some of them refuse to connect to non-HTTP/2 servers. I wish Fiddler would support HTTP/2 soon.

(2) The lifetime of Fiddler-generated HTTPS certificates is too long, so it violates Chromium's certificate lifetime policies. I have had Fiddler installed for quite a long time - I don't know whether the situation has changed, but shrinking the lifetime of Fiddler-generated certificates seemed to fix this.

By the way, Burp Suite has an interesting feature called "invisible proxy", which seems to describe the concept better than "similar to sniproxy", after all sniproxy won't decrypt (MitM) TLS data at all.
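The following is an added example (my own code, not code from this thread, from Fiddler or from redsocks) of what the patched redsocks mentioned earlier has to do: pull the server name out of the ClientHello's SNI extension and put it in the CONNECT target instead of the destination IP, falling back to the IP when the ClientHello carries no SNI (the case raised in the earlier answer). Because the same extension walk also exposes ALPN, it additionally flags clients that offer only h2, which is the HTTP/2-only failure described in point (1) above. The ClientHello bytes, the 203.0.113.10 address and all function names are constructed for the example; a real redirector would obtain the destination from the kernel (SO_ORIGINAL_DST on Linux) and the ClientHello by peeking at the first bytes of the redirected socket.

```python
import struct
from typing import Optional, Sequence

# Constructed test address (RFC 5737 documentation range), standing in for the
# original destination a redirector recovers with getsockopt(SO_ORIGINAL_DST).
ORIGINAL_DST = ("203.0.113.10", 443)


def _u16(buf: bytes, off: int) -> int:
    return struct.unpack_from("!H", buf, off)[0]


def parse_client_hello(record: bytes) -> dict:
    """Return {"sni": str|None, "alpn": [str, ...]} from one TLS record holding a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + _u16(record, 3)]
    if not body or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 35:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                  # legacy_version + random
    pos += 1 + hello[pos]                         # session_id
    pos += 2 + _u16(hello, pos)                   # cipher_suites
    pos += 1 + hello[pos]                         # compression_methods
    out = {"sni": None, "alpn": []}
    if pos + 2 > len(hello):                      # legacy client: no extensions block at all
        return out
    end = pos + 2 + _u16(hello, pos)
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = _u16(hello, pos), _u16(hello, pos + 2)
        ext = hello[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == 0x0000:                    # server_name (RFC 6066)
            p = 2                                 # skip ServerNameList length
            while p + 3 <= len(ext):
                name_type, name_len = ext[p], _u16(ext, p + 1)
                name = ext[p + 3:p + 3 + name_len]
                p += 3 + name_len
                if name_type == 0 and out["sni"] is None:
                    out["sni"] = name.decode("ascii")
        elif ext_type == 0x0010:                  # application_layer_protocol_negotiation (RFC 7301)
            p = 2                                 # skip ProtocolNameList length
            while p < len(ext):
                plen = ext[p]
                out["alpn"].append(ext[p + 1:p + 1 + plen].decode("ascii"))
                p += 1 + plen
    return out


def connect_request(client_hello: bytes, dst_ip: str, dst_port: int) -> bytes:
    """CONNECT request a redirector should send to the proxy: the SNI host when present,
    else the original destination IP (which makes the proxy verify the cert against an IP)."""
    host = parse_client_hello(client_hello)["sni"] or dst_ip
    target = f"{host}:{dst_port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")


def requires_h2(alpn: Sequence[str]) -> bool:
    """True when the client offers h2 without an http/1.1 fallback; such a client will
    not accept an HTTP/1.1-only man-in-the-middle."""
    return "h2" in alpn and "http/1.1" not in alpn


def build_client_hello(sni: Optional[str] = None, alpn: Sequence[str] = ()) -> bytes:
    """Construct a minimal ClientHello for testing (constructed bytes, not captured traffic)."""
    exts = b""
    if sni:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name entry
        exts += struct.pack("!HH", 0x0000, len(entry) + 2) + struct.pack("!H", len(entry)) + entry
    if alpn:
        protos = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
        exts += struct.pack("!HH", 0x0010, len(protos) + 2) + struct.pack("!H", len(protos)) + protos
    hello = (b"\x03\x03" + bytes(32)            # legacy_version, random (zeros: constructed)
             + b"\x00"                          # empty session_id
             + b"\x00\x02\x13\x01"              # one cipher suite
             + b"\x01\x00")                     # null compression only
    if exts:
        hello += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for hello in (build_client_hello("example.com", ["h2", "http/1.1"]),
                  build_client_hello(None, ["h2"]),
                  build_client_hello()):
        info = parse_client_hello(hello)
        line = connect_request(hello, *ORIGINAL_DST).split(b"\r\n")[0]
        print(info, line, "h2-only:", requires_h2(info["alpn"]))
```

The third constructed hello has no extensions at all, so the CONNECT target degrades to the IP; that is exactly the situation in which Fiddler, as described in this thread, ends up checking the server certificate against an address rather than a name.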

Jack
answered on 25 Apr 2021, 11:56 AM

I love Fiddler because it doesn't block non-HTTP(S) traffic through an HTTP CONNECT tunnel.

However, the lack of HTTP/2 support is somewhat of a pity.

Nick
commented on 19 Apr 2023, 01:59 PM

FYI: The latest version of Fiddler Everywhere supports HTTP/2, TLS 1.3, and even gRPC.
Rosen Vladimirov
Telerik team
answered on 26 Apr 2021, 04:08 PM

Hi Jack,

Thank you for the kind words for Fiddler and for your continuous updates on this topic and your investigation. Indeed HTTP/2 is something that's required for some servers. You can track the progress of this feature in the related Feature request in our feedback portal.

Regards,
Rosen Vladimirov
Progress Telerik

