I couldn't solve this one by myself even after googling and reading dozens of related threads on Fiddler's forum, feedback, google group, etc.
Problem: About 5% of the sites I visit don't work while Fiddler is active with Decrypt HTTPS Traffic on.
For example, these 2 sites don't work for me.
https://blueproject.ro/systracer
https://learn.microsoft.com/
My OS: Windows 7 x64 SP1
Here's what I've tried so far
- Tried Firefox, Chrome, Opera (All latest)
- Tried uninstalling & reinstalling Fiddler
- Tried "Reset All Certificates" and trusting again multiple times.
- Also tried manually removing all DO_NOT_Trust certificates by using mmc.exe. I've realized that Fiddler's "Reset All Certificates" doesn't remove all Fiddler certificates in "Intermediate Certification Authorities". But it didn't fix the problem.
- Tried all possible combinations of <client>;ssl3;tls1.0;tls1.1;tls1.2
Here's the Fiddler log when I open exactly this https://blueproject.ro/systracer URL in Firefox
-= Progress Telerik Fiddler Classic Event Log =-
See http://fiddler2.com/r/?FiddlerLog for details.
23:21:05:8975 Progress Telerik Fiddler Classic Running...
23:21:11:7744 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
23:21:11:7744 Assembly 'C:\Users\User\AppData\Local\Programs\Fiddler\CertMaker.dll' was not found. Using default Certificate Generator.
23:21:11:7783 /Fiddler.CertMaker> Using .+ for certificate generation; UseWildcards=True.
23:21:12:0537 fiddler.network.https> HTTPS handshake to blueproject.ro (for #1) failed. System.Security.Authentication.AuthenticationException A call to SSPI failed, see inner exception. < The message received was unexpected or badly formatted Win32 (SChannel) Native Error Code: 0x80090326
23:21:12:3154 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
23:21:12:5791 fiddler.network.https> HTTPS handshake to blueproject.ro (for #2) failed. System.Security.Authentication.AuthenticationException A call to SSPI failed, see inner exception. < The message received was unexpected or badly formatted Win32 (SChannel) Native Error Code: 0x80090326
23:21:12:8467 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
23:21:13:1162 fiddler.network.https> HTTPS handshake to blueproject.ro (for #3) failed. System.Security.Authentication.AuthenticationException A call to SSPI failed, see inner exception. < The message received was unexpected or badly formatted Win32 (SChannel) Native Error Code: 0x80090326
23:21:13:3994 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
23:21:13:6807 fiddler.network.https> HTTPS handshake to blueproject.ro (for #4) failed. System.Security.Authentication.AuthenticationException A call to SSPI failed, see inner exception. < The message received was unexpected or badly formatted Win32 (SChannel) Native Error Code: 0x80090326
23:21:13:9541 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
23:21:14:2256 fiddler.network.https> HTTPS handshake to blueproject.ro (for #5) failed. System.Security.Authentication.AuthenticationException A call to SSPI failed, see inner exception. < The message received was unexpected or badly formatted Win32 (SChannel) Native Error Code: 0x80090326
23:21:14:4912 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
23:21:14:7568 fiddler.network.https> HTTPS handshake to blueproject.ro (for #6) failed. System.Security.Authentication.AuthenticationException A call to SSPI failed, see inner exception. < The message received was unexpected or badly formatted Win32 (SChannel) Native Error Code: 0x80090326
23:21:15:0225 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
23:21:15:2861 fiddler.network.https> HTTPS handshake to blueproject.ro (for #7) failed. System.Security.Authentication.AuthenticationException A call to SSPI failed, see inner exception. < The message received was unexpected or badly formatted Win32 (SChannel) Native Error Code: 0x80090326
23:21:15:5576 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
23:21:15:8271 fiddler.network.https> HTTPS handshake to blueproject.ro (for #8) failed. System.Security.Authentication.AuthenticationException A call to SSPI failed, see inner exception. < The message received was unexpected or badly formatted Win32 (SChannel) Native Error Code: 0x80090326
23:21:16:0947 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
23:21:16:3584 fiddler.network.https> HTTPS handshake to blueproject.ro (for #9) failed. System.Security.Authentication.AuthenticationException A call to SSPI failed, see inner exception. < The message received was unexpected or badly formatted Win32 (SChannel) Native Error Code: 0x80090326
23:21:16:6240 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
23:21:16:8896 fiddler.network.https> HTTPS handshake to blueproject.ro (for #10) failed. System.Security.Authentication.AuthenticationException A call to SSPI failed, see inner exception. < The message received was unexpected or badly formatted Win32 (SChannel) Native Error Code: 0x80090326
First tunnel copied from TextView
A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below.

Version: 3.3 (TLS/1.2)
Random: F5 E2 DA F9 57 52 AE 1C 7B C8 D7 1E 76 A1 22 ED 18 60 8C CB 8A 0F 4F 22 CA D2 7F D0 A1 BF 0C C2
"Time": 11/2/2102 8:48:53 AM
SessionID: 4F 31 0B 04 5B AD 5B 77 F2 BA 91 AF 25 C6 E8 D5 ED 4D D9 A4 2E 3D 8C AE 78 4A C9 99 3A F9 05 C7
Extensions:
    server_name blueproject.ro
    extended_master_secret empty
    renegotiation_info 00
    supported_groups x25519 [0x1d], secp256r1 [0x17], secp384r1 [0x18], secp521r1 [0x19], ffdhe2048 [0x0100], ffdhe3072 [0x0101]
    ec_point_formats uncompressed [0x0]
    SessionTicket empty
    ALPN h2, http/1.1
    status_request OCSP - Implicit Responder
    0x0022 00 08 04 03 05 03 06 03 02 03
    key_share 00 69 00 1D 00 20 7B 47 E1 A6 18 97 36 A3 6C 5C EB 5F 37 66 21 17 E3 FA CB 50 5C C1 11 A7 07 54 69 91 27 E6 83 5F 00 17 00 41 04 59 C3 79 25 5C 1C 95 23 31 0D 1F 97 8B C8 5B AB 0F 3C 0D 41 15 0B 6F 1A 7C E2 91 4F 2E 28 51 A3 D4 02 DA 8B 8E D0 58 18 AE CF 14 02 AE E2 F4 C0 5C 43 55 34 11 8A F6 7B 97 F5 B3 F8 78 B0 18 09
    supported_versions Tls1.3, Tls1.2
    signature_algs ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, ecdsa_sha1, rsa_pkcs1_sha1
    psk_key_exchange_modes 01 01
    0x001c 40 01
    padding 136 null bytes
Ciphers:
    [1301] TLS_AES_128_GCM_SHA256
    [1303] TLS_CHACHA20_POLY1305_SHA256
    [1302] TLS_AES_256_GCM_SHA384
    [C02B] TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    [C02F] TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    [CCA9] TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    [CCA8] TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    [C02C] TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    [C030] TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    [C00A] TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    [C009] TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    [C013] TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    [C014] TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    [009C] TLS_RSA_WITH_AES_128_GCM_SHA256
    [009D] TLS_RSA_WITH_AES_256_GCM_SHA384
    [002F] TLS_RSA_WITH_AES_128_CBC_SHA
    [0035] TLS_RSA_WITH_AES_256_CBC_SHA
Compression:
    [00] NO_COMPRESSION
If I press "Follow TCP stream" on Client Hello in Wireshark. Are these sites thinking I entered an HTTP link or something?
...........cg....Tc....~.......o....@h....3..4.(.'.........9.3.....=.<.5./.,.+.$.#.
. .j.@.8.2.
.....H.........blueproject.ro.
...............
.....................................(<html><head><title>400 Bad Request</title></head><body>
<h2>HTTPS is required</h2>
<p>This is an SSL protected page, please use the HTTPS scheme instead of the plain HTTP scheme to access this URL.<br />
<blockquote>Hint: The URL should starts with <b>https</b>://</blockquote> </p>
<hr />
Powered By LiteSpeed Web Server<br />
<a href='http://www.litespeedtech.com'><i>http://www.litespeedtech.com</i></a>
</body></html>
Handshake Failure from Wireshark
Transport Layer Security
    TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
        Content Type: Alert (21)
        Version: TLS 1.2 (0x0303)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Handshake Failure (40)
Tried alternative HTTPS decrypters and they worked fine on the 2 examples above.
I wonder what's going on?
Thank you
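
An added example, not part of the original post: a minimal ClientHello parser for comparing what the browser offered (the cipher list from the TextView dump above) with what an intercepting proxy offers on its own outbound handshake. The proxy-side suite list and the helpers `build_client_hello` and `offered_only_by` are constructed for illustration; in practice each raw ClientHello record would be exported from a packet capture and passed to `parse_client_hello`.

```python
import struct

def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record that carries a complete ClientHello."""
    ctype, _, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 22 or len(body) < rec_len or body[:1] != b"\x01":
        raise ValueError("not a complete ClientHello handshake record")
    versions = [struct.unpack("!H", body[4:6])[0]]    # legacy_version
    pos = 4 + 2 + 32                                  # handshake header, version, random
    pos += 1 + body[pos]                              # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos + 2, pos + 2 + cs_len, 2)]
    pos += 2 + cs_len
    pos += 1 + body[pos]                              # compression methods
    sni = None
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0] if pos < len(body) else pos
    pos += 2
    while pos + 4 <= end:                             # walk the extension list
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == 0:       # server_name: list len(2), type(1), name len(2), name
            sni = data[5:].decode("ascii")
        elif etype == 43:    # supported_versions: len(1), then 2-byte versions
            versions = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + data[0], 2)]
    return {"record_len": rec_len, "versions": versions, "suites": suites, "sni": sni}

def build_client_hello(suites, sni, versions=None):
    """Constructed test input: serialise a minimal ClientHello record."""
    name = sni.encode()
    ext = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    if versions:
        v = b"".join(struct.pack("!H", x) for x in versions)
        ext += struct.pack("!HHB", 43, len(v) + 1, len(v)) + v
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def offered_only_by(a, b):  # suites in hello `a` that hello `b` does not offer
    return [f"{s:04X}" for s in a["suites"] if s not in b["suites"]]

# Browser side: cipher IDs as listed in the TextView dump in the post.
BROWSER_SUITES = [0x1301, 0x1303, 0x1302, 0xC02B, 0xC02F, 0xCCA9, 0xCCA8, 0xC02C, 0xC030,
                  0xC00A, 0xC009, 0xC013, 0xC014, 0x009C, 0x009D, 0x002F, 0x0035]
# Proxy side: constructed sample list, not taken from the post.
PROXY_SUITES = [0xC02C, 0xC02B, 0xC014, 0xC013, 0x009D, 0x009C, 0x0035, 0x002F]
browser = parse_client_hello(build_client_hello(BROWSER_SUITES, "blueproject.ro", [0x0304, 0x0303]))
proxy = parse_client_hello(build_client_hello(PROXY_SUITES, "blueproject.ro"))
```

`offered_only_by(browser, proxy)` lists the suites a server could negotiate with the browser directly but not with the proxy; a server that accepts only suites from that list answers the proxy with a fatal handshake_failure alert.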