Telerik Forums
Fiddler Forum
4 answers
433 views
hi

It seems that Fiddler generates on-the-fly certificates (when intercepting HTTPS traffic) but only sets the 'serverAuth' value for the ExtendedKeyUse attribute.

I am having some trouble getting the cert to be accepted by a Java app that is connecting to a backend system, and I am using Fiddler to debug the HTTPS traffic. My Java app complains:

2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###http-bio-8083-exec-5, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS client authentication |

If I look at SSL debug generated in my app I see this:

2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###*** Certificate chain |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###chain [0] = [ |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###[ |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###  Version: V3 |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###  Subject: CN=<target server>, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###  Key:  Sun RSA public key, 1024 bits |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###  modulus: ...
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###  public exponent: 65537 |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###  Validity: [From: Wed Feb 26 00:00:00 UTC 2014, |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###               To: Tue Feb 25 23:59:59 UTC 2025] |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###  Issuer: CN=DO_NOT_TRUST_FiddlerRoot, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###  SerialNumber: [   -6c9fcd89 21ec5b61 b6673282 907882a4] |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###Certificate Extensions: 3 |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###[1]: ObjectId: 2.5.29.1 Criticality=false |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###Extension unknown: DER encoded OCTET string = |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###0000: 04 81 B8 30 81 B5 80 10   39 6D 9F 06 75 DA BB F7  ...0....9m..u... |
...
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5### |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###[2]: ObjectId: 2.5.29.19 Criticality=true |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###BasicConstraints:[ |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###  CA:false |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###  PathLen: undefined |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###] |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###[3]: ObjectId: 2.5.29.37 Criticality=false |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###ExtendedKeyUsages [ |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###  serverAuth |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###] |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###] |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###  Algorithm: [SHA256withRSA] |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###  Signature: |
...
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5### |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###] |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###*** |

Then the app complains:

2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###http-bio-8083-exec-5, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS client authentication |


Is it possible to get the ClientAuth extended use attribute set also?

-chris








Chris
Top achievements
Rank 1
 answered on 06 Mar 2015
2 answers
222 views
(posted in the wrong sub folder.)


Hi all,

With a FiddlerCore app installed on the IIS server, I would like to capture both incoming HTTPS requests and outgoing HTTPS requests.
Is this possible?

Will this require 2 separate FiddlerCore apps to be running? The main Fiddler client application seems to only allow one or the other.



John
Top achievements
Rank 1
 answered on 06 Mar 2015
1 answer
247 views
I am a Performance Engineer using Visual Studio Web Performance Tests to analyze performance on an ASP.net w. MVC app.

I've noticed that there are differences in the recordings from Fiddler vs. the visual studio recorder.

Is there a list somewhere that will show me what these differences are?

It is mostly that fiddler is leaving out certain requests... Some of the dependent requests are left out.

And also, I am having an issue right now where the visual studio recorder is picking up the same request 5 times.
Fiddler only records it once.
The developer put a breakpoint on the particular view (which is loading some css through a javascript function), and this breakpoint only gets hit once.

I would like to understand this difference, and what is going on under the hood.  Is this a performance issue, or is it a visual studio issue?
Eric Lawrence
Telerik team
 answered on 05 Mar 2015
3 answers
1.5K+ views
When my wireless router is down, Fiddler displays this:

[Fiddler] DNS Lookup for "www.google.com" failed. The system reports that no network connection is available. System.Net.Sockets.SocketException No such host is known

I do NOT want that message to be displayed. I want the browser's default message, "connection failed". Any ideas?

Thank you
Eric Lawrence
Telerik team
 answered on 05 Mar 2015
5 answers
303 views
Is there some sort of way we can package a Fiddler replacement rule into a standalone .dll and place it in the program's folder to have the same effect as Fiddler changing it without having Fiddler installed on a computer?
Eric Lawrence
Telerik team
 answered on 05 Mar 2015
10 answers
1.2K+ views
Is there an automatic tool for removing the Fiddler certs when I'm done working with them? That would save me from having to go into settings and going over the different tabs to remove all of them.

Thanks,
Ram.
Ram
Top achievements
Rank 1
 answered on 03 Mar 2015
4 answers
1.8K+ views
Eric - I have used Fiddler as an everyday part of my job for about 5 years now. I am proficient with it. Rarely need to use rule editor - but have done some. 

Ok, so I have to capture many different websites with Fiddler. Many of them are SSL sites. And I don't think I have ever had this issue.
When I go to the site https://www.ote.gr/web/guest (it's in Greece) it's not very fast and takes a while to load, but with Fiddler it is taking longer and I wonder if it is somehow creating the 502s I am seeing. If you go to the site and see how it loads, then use the latest Fiddler (as of today Feb 11 2014 ver v4.4.9.9) you should see the same thing. I tried an old 2.4 Fiddler on a different network and different machine too just to see... no difference. Many of the connections will be ok... but then you get a bunch of 502s on HTTP to SSL tunnels... then... you'll see that the page doesn't render properly.

But.. if you were to go to say capture https://www.bankofamerica.com no problem.

I tried the:
    static function OnBeforeRequest(oSession: Session) {
        if (oSession.HTTPMethodIs("CONNECT") && oSession.HostnameIs("www.ote.com")) {
            oSession["x-OverrideSslProtocols"] = "ssl3";
            FiddlerApplication.Log.LogString("Legacy compat applied for inbound request to BuggySite.com");
        }
    }

As you can guess, it didn't help. So I am here looking for a hand. Let me know if you need anything else to help me with this.

I tried attaching a SAZ with the 502s for your review but the forum tool wouldn't let me. Maybe too large. I did give you a snapshot of the page render with and without Fiddler running.

My hope is you can tell me some timeout parameter to change so that it won't time out or a way to speed up the tunnel connections in case their server infrastructure is what is deciding it's taking too long and drops the connection. Let me know and thanks.

Evan Paul
Top achievements
Rank 1
 answered on 03 Mar 2015
1 answer
244 views
Hi Eric,

The BeforeRequest event is not raised when using Fiddler with Selenium (Chrome WebDriver).

The code is as follows:

    CONFIG.bCaptureCONNECT = true;
    CONFIG.IgnoreServerCertErrors = true;
    CONFIG.bMITM_HTTPS = true;

    FiddlerApplication.BeforeRequest += delegate(Session oSession)
    {
        Console.WriteLine("Request URL {0}", oSession.fullUrl);
    };
    var cert = InstallCertificate();
    int proxyPort = StartProxy(0);
    OpenQA.Selenium.Proxy proxy = new OpenQA.Selenium.Proxy();
    proxy.HttpProxy = string.Format("127.0.0.1:{0}", proxyPort);
    ChromeOptions options = new ChromeOptions();
    options.Proxy = proxy;

    IWebDriver Driver = new ChromeDriver(@"C:\chromedriver_win32", options);

    Console.WriteLine("Certificate {0}", cert);
    Driver.Navigate().GoToUrl(<url>);

    public static bool InstallCertificate()
    {
        if (!Fiddler.CertMaker.rootCertExists())
        {
            if (!Fiddler.CertMaker.createRootCert())
                return false;

            if (!Fiddler.CertMaker.trustRootCert())
                return false;
            X509Store certStore = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
            certStore.Open(OpenFlags.ReadWrite);
            try
            {
                certStore.Add(Fiddler.CertMaker.GetRootCertificate());
            }
            finally
            {
                certStore.Close();
            }
        }

        return true;
    }

    private static int StartProxy(int desiredPort)
    {
        FiddlerCoreStartupFlags flags = FiddlerCoreStartupFlags.DecryptSSL & FiddlerCoreStartupFlags.AllowRemoteClients & FiddlerCoreStartupFlags.CaptureFTP & FiddlerCoreStartupFlags.ChainToUpstreamGateway & FiddlerCoreStartupFlags.MonitorAllConnections & FiddlerCoreStartupFlags.CaptureLocalhostTraffic;
        FiddlerApplication.Startup(desiredPort, flags);
        return FiddlerApplication.oProxy.ListenPort;
    }

Thank you,

Regards,
Avinash.
Eric Lawrence
Telerik team
 answered on 27 Feb 2015
2 answers
276 views
Hi,

I was wondering if documentation exists for Fiddler's installation exit codes. I am running silent installs on Windows 7-based VDI machines via PowerShell and I'm getting an exit code of 15 intermittently.

If anyone can pass this documentation along, or tell me what exit code 15 signifies, that would be great.
 
Thanks!
Jerry
Jerry
Top achievements
Rank 1
 answered on 27 Feb 2015
1 answer
387 views
Hi - I believe I understand how sequential replay works in Fiddler, but what I'm looking for is serial replay.  The case is that I have a single-url API request I'd like to repeat 100 (or 500, etc.) times but not start each request before the previous one's response is complete.  I've found that bulk replay (SHIFT) tends to skew the numbers if I'm testing against a specific server, as it gets busy and slows down requests in later part of bulk load...so initially requests take 100ms, say, but near end of group take many times that number.  This is good to know, but not useful for my purpose in this case.  If there is not a way to do this currently, please make it a feature request.  Thanks!
Eric Lawrence
Telerik team
 answered on 24 Feb 2015