8 Answers, 1 is accepted
Rank 1
Fiddler doesn't care about the target port at all; it has no special code related to port 443.
The screenshot implies that you're trying to make a HTTPS connection to https://ntts.sltvmedia.com:8080; is that correct? Port 8080 on that server is running HTTP, not HTTPS, so any attempt to make a HTTPS connection to that URL will fail.
Regards,
Eric Lawrence
Telerik
Rank 1
This is what I see in Fiddler without HTTPS decryption. Something is happening there :)
CONNECT ntts.sltvmedia.com:8080 HTTP/1.0
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Host: ntts.sltvmedia.com:8080
Content-Length: 0
DNT: 1
Proxy-Connection: Keep-Alive
Pragma: no-cache
Proxy-Authorization: Basic <redacted>
Accept-Language: es-ar;q=1
A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below.
Version: 3.1 (TLS/1.0)
Random: 56 3A 02 C1 46 1F 81 33 53 A9 98 D4 DA E0 FD 58 EB B4 58 64 01 A0 2D BA C8 98 94 25 B4 78 93 82
"Time": 11.08.2072 16:44:54
SessionID: 40 30 EA 84 68 97 1B 4B 76 69 C7 59 5D 31 F6 DB 29 0E 68 60 F7 71 5D B2 49 AA C4 B5 60 3A 07 31
Extensions:
renegotiation_info 00
server_name ntts.sltvmedia.com
status_request OCSP - Implicit Responder
elliptic_curves secp256r1 [0x17], secp384r1 [0x18]
ec_point_formats uncompressed [0x0]
Ciphers:
[002F] TLS_RSA_AES_128_SHA
[0035] TLS_RSA_AES_256_SHA
[0005] SSL_RSA_WITH_RC4_128_SHA
[000A] SSL_RSA_WITH_3DES_EDE_SHA
[C013] TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA
[C014] TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA
[C009] TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
[C00A] TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
[0032] TLS_DHE_DSS_WITH_AES_128_SHA
[0038] TLS_DHE_DSS_WITH_AES_256_SHA
[0013] SSL_DHE_DSS_WITH_3DES_EDE_SHA
[0004] SSL_RSA_WITH_RC4_128_MD5
Compression:
[00] NO_COMPRESSION
CONNECT ntts.sltvmedia.com:8080 HTTP/1.0
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Host: ntts.sltvmedia.com:8080
Content-Length: 0
DNT: 1
Proxy-Connection: Keep-Alive
Pragma: no-cache
Proxy-Authorization: Basic <redacted>
Accept-Language: es-ar;q=1
A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below.
Version: 3.0 (SSL/3.0)
Random: 56 3A 02 C2 21 F2 4D 74 0A 3D 4E E4 7D 40 EA DC 10 33 EF 4A 4C 39 83 8C 35 CC FC 16 19 71 08 49
"Time": 21.02.2073 20:05:10
SessionID: empty
Extensions:
none
Ciphers:
[0005] SSL_RSA_WITH_RC4_128_SHA
[000A] SSL_RSA_WITH_3DES_EDE_SHA
[0013] SSL_DHE_DSS_WITH_3DES_EDE_SHA
[0004] SSL_RSA_WITH_RC4_128_MD5
[00FF] TLS_EMPTY_RENEGOTIATION_INFO_SCSV
Compression:
[00] NO_COMPRESSION
CONNECT ntts.sltvmedia.com:8080 HTTP/1.0
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Host: ntts.sltvmedia.com:8080
Content-Length: 0
DNT: 1
Proxy-Connection: Keep-Alive
Pragma: no-cache
Proxy-Authorization: Basic <redacted>
Accept-Language: es-ar;q=1
After the client received notice of the established CONNECT, it failed to send any data.
The target (https://ntts.sltvmedia.com:8080/) is an HTTP-only Cloudflare nginx server.
If you're seeing a ServerHello/partial HTTPS handshake in your environment, the most likely explanation is that your upstream proxy server is attempting to man-in-the-middle the connection to, for instance, show you an error page complaining that the upstream server cannot be reached.
Regards,
Eric Lawrence
Telerik
Rank 1
I tried without upstream proxy server, same requests were issued.
After these requests to ntts.sltvmedia.com:8080 I get redirected to another resource. Is it possible to decrypt requests to see the contents?
Sending a Wireshark PCAP or Netmon Capture of your traffic might allow us to get a better idea of what's going on.
Regards,
Eric Lawrence
Telerik
Rank 1
Regards,
Eric Lawrence
Telerik