Some HTTPS sites are unaccessible when using Fiddler

19 posts, 0 answers
  1. Kurt
    Kurt avatar
    5 posts
    Member since:
    Jul 2014

    Posted 24 Jul 2014 Link to this post

    Hi,

    I reviewed prior posts and I see that this question has been asked before but either I don't fully understand the solution or my problem is slightly different.  I am attempting to user Fiddler with SSL decryption enabled to visit a site that we use for a vendor product (which is based in Flash).   I am able to access alot of other HTTPs sites (such as Google, Paypal, etc.) and view the resulting traffic, but I cannot access this particular site that I need.

    I installed Fiddler today so I have the newest copy.

    I see the following log entry when I try to access the site:

    16:48:19:9974 fiddler.network.https> HTTPS handshake to <> failed. System.IO.IOException Received an unexpected EOF or 0 bytes from the transport stream.

    The SSL certificate is in the trusted root store.    When I attempt to visit the site, I am prompted to accept the untrusted certificate and then IE attempts to load the page for quite some time and never gets through.   I also tried in Chrome just to make sure this wasn't a browser-specfic problem.

    I think I am very close and just need a little help to get through.   Please let me know any information I can provide to get to the bottom of this.  Thank you in advance. 
  2.
  3. Kurt
    Kurt avatar
    5 posts
    Member since:
    Jul 2014

    Posted 24 Jul 2014 in reply to Kurt Link to this post

    Also, I did some research and tried this solution but I receive the same error even after applying the rules, restarting my browser(s), and restarting Fiddler.

    Thanks again.
  5. Kurt
    Kurt avatar
    5 posts
    Member since:
    Jul 2014

    Posted 24 Jul 2014 in reply to Kurt Link to this post

    Didn't mean to post 3 times... here is the solution I was referencing in the above post:

    http://blogs.msdn.com/b/ieinternals/archive/2009/12/08/aes-is-not-a-valid-cipher-for-sslv3.aspx

    I don't see an edit post option in these forums--my apologies.
  7. Eric Lawrence
    Admin
    Eric Lawrence avatar
    832 posts

    Posted 25 Jul 2014 Link to this post

    Hello, if you see any message about an Untrusted Certificate, the system's configuration is not correct. Try disabling HTTPS decryption in Fiddler Options, and click "Remove Interception Certificate." Then, reenable Decryption and accept all prompts to trust the certificate. Then load a site and see if there are any error messages in the browser.

    Regards,
    Eric Lawrence
    Telerik
     

    Check out the Telerik Platform - the only platform that combines a rich set of UI tools with powerful cloud services to develop web, hybrid and native mobile apps.

     
  8.
  9. Kurt
    Kurt avatar
    5 posts
    Member since:
    Jul 2014

    Posted 25 Jul 2014 in reply to Eric Lawrence Link to this post

    Hi Eric,

    Thanks for responding so quickly!   I should have been more clear.  If I remove the cert from the Trusted Store (just for testing), I receive the SSL certificate untrusted and have to manually accept the cert.   When the Fiddler cert is in the Trusted Store, I cannot load this particular site.  Paypal/Gmail/etc. still work over HTTPS and if I look at the cert, it says that FIDDLER_DO_NOT_TRUST verified the identify of this site as Paypal (for example).

    I'll try what you suggested, but I did this yesterday after reading some other posts and came to the same result.

    What else might we try?  Thanks so much!
  11. Kurt
    Kurt avatar
    5 posts
    Member since:
    Jul 2014

    Posted 25 Jul 2014 Link to this post

    Got it working!  It only works when running IE as a non-administrator account.  I also can only access this particular tool via IP address as opposed to FQDN.  Thanks so much.  Great product.
  13. Eric Lawrence
    Admin
    Eric Lawrence avatar
    832 posts

    Posted 27 Jul 2014 Link to this post

    Hello, Kurt--

    By default, Fiddler only installs its Trusted Root certificate in the running-user's account; this means that a different user (e.g. an Administrator) will not trust that root certificate. 

    You can configure the root certificate to be trusted Machine wide by running MMC.exe, selecting Certificates, choosing "Local Computer" and choosing to import Fiddler's root .cer (which you can export to your desktop inside Fiddler's Tools > Options > HTTPS) to the machine's Trusted store.

    Regards,
    Eric Lawrence
    Telerik
     

    Check out the Telerik Platform - the only platform that combines a rich set of UI tools with powerful cloud services to develop web, hybrid and native mobile apps.

     
  14.
  15. Jorge
    Jorge avatar
    2 posts
    Member since:
    Apr 2015

    Posted 06 Apr 2015 Link to this post

    Hi,

    I am getting the same error message when trying to access a website using Fiddler v2.5.0.0 and the latest versions of Chrome and Firefox.

    I tried the solution posted by Kurt and the workaround Eric suggested, but none of these worked. The funny thing is that I was using Fiddler against this very same site until a few days back, and it started failing today.

    Please, check the captured dialog below for details. Thanks!
     

    CONNECT [SERVER NAME]:443 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
    Connection: keep-alive
    Connection: keep-alive
    Host: [SERVER NAME]:443

    A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below.

    Version: 3.1 (TLS/1.0)
    Random: DD 2F 64 36 55 5B 79 02 5F 5F 0D 9B 90 71 F0 76 0A 3A D0 46 40 72 4F B3 CD 73 49 A1 C2 5C 79 C3
    "Time": 01/12/1998 03:05:17 p.m.
    SessionID: 1E 06 00 00 2A 42 2A C3 66 D9 D3 5E 48 5D DF 7F 39 27 3D 55 A8 7A 3D A6 73 46 45 45 B6 10 30 11
    Extensions: 
    server_name [SERVER NAME]
    renegotiation_info 00
    elliptic_curves secp256r1 [0x17], secp384r1 [0x18], secp521r1 [0x19]
    ec_point_formats uncompressed [0x0]
    SessionTicket empty
    NextProtocolNego empty
    ALPN h2-16, h2-15, h2-14, h2, spdy/3.1, http/1.1
    status_request OCSP - Implicit Responder
    Ciphers: 
    [C02B] TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    [C02F] TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    [C00A] TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    [C009] TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    [C013] TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA
    [C014] TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA
    [0033] TLS_DHE_RSA_WITH_AES_128_SHA
    [0039] TLS_DHE_RSA_WITH_AES_256_SHA
    [002F] TLS_RSA_AES_128_SHA
    [0035] TLS_RSA_AES_256_SHA
    [000A] SSL_RSA_WITH_3DES_EDE_SHA

    Compression: 
    [00] NO_COMPRESSION

    HTTP/1.1 200 Connection Established
    FiddlerGateway: Direct
    StartTime: 18:23:49.480
    Connection: close

    fiddler.network.https> HTTPS handshake to [SERVER NAME] failed. System.IO.IOException Received an unexpected EOF or 0 bytes from the transport stream.

  17. Jorge
    Jorge avatar
    2 posts
    Member since:
    Apr 2015

    Posted 06 Apr 2015 Link to this post

    The above request was made in Windows 8.1 using Fiddler2. With Fiddler4, the error message is a bit different:

     

    HTTP/1.1 200 Connection Established
    FiddlerGateway: Direct
    StartTime: 19:03:33.858
    Connection: close

    fiddler.network.https> HTTPS handshake to [SERVER NAME] failed. System.Security.Authentication.AuthenticationException A call to SSPI failed, see inner exception. < The message received was unexpected or badly formatted


  19. Eric Lawrence
    Admin
    Eric Lawrence avatar
    832 posts

    Posted 07 Apr 2015 Link to this post

    Hi, Jorge--

    Unless you can share the actual server name and/or a SAZ or PCAPNG capture, it's unlikely that anyone will be able to help you. The message below suggests that the target is not returning a properly-formed HTTPS response.

    Regards,
    Eric Lawrence
    Telerik
     

    See What's Next in App Development. Register for TelerikNEXT.

     
  20.
  21. Kevin
    Kevin avatar
    1 posts
    Member since:
    May 2015

    Posted 08 May 2015 in reply to Eric Lawrence Link to this post

    I highly suspect that HTTP2 is used here, at least that's the last readable handshake information:

    ALPN h2-16, h2-15, h2-14, h2, spdy/3.1, http/1.1

     

  23. Eric Lawrence
    Admin
    Eric Lawrence avatar
    832 posts

    Posted 08 May 2015 Link to this post

    Hello, Kevin--

    HTTP2 isn't used through Fiddler when HTTPS decryption is on. All clients will fall back to HTTP/1.1 when HTTP2 isn't available.


    Regards,
    Eric Lawrence
    Telerik
     

    See What's Next in App Development. Register for TelerikNEXT.

     
  25. Nisha
    Nisha avatar
    1 posts
    Member since:
    Sep 2016

    Posted 08 Sep 2016 Link to this post

    I still see an error  HTTPS handshake to <> failed. System.Security.Authentication.AuthenticationException A call to SSPI failed, see inner exception. < The message received was unexpected or badly formatted

     

    I tried all the above options but still the same error. Help will be appreciated.

  26.
  27. will
    will avatar
    2 posts
    Member since:
    Sep 2016

    Posted 14 Sep 2016 Link to this post

    I still see an error  HTTPS handshake to <> failed. System.Security.Authentication.AuthenticationException A call to SSPI failed, see inner exception. < The message received was unexpected or badly formatted

    I am seeing the same error.

  29. Fabio
    Fabio avatar
    1 posts
    Member since:
    Nov 2016

    Posted 15 Nov 2016 Link to this post

    I was seeing the following exception:

    System.Security.SecurityException Failed to negotiate HTTPS connection with server.fiddler.network.https. HTTPS handshake to api.etadirect.com (for #9) failed. System.IO.IOException Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. An existing connection was forcibly closed by the remote host

     

    I was able to fix it by enabling the TLS1.2 protocol which is not enabled by default for outgoing connections (Tools / Fiddler Options.. / HTTPS / click on protocols list)

  31. Jason
    Jason avatar
    1 posts
    Member since:
    Dec 2015

    Posted 26 Jan 2017 in reply to Fabio Link to this post

    Thanks Fabio, this fixed the issue for me.
  32.
  33. Reg
    Reg avatar
    2 posts
    Member since:
    Apr 2018

    Posted 14 Apr 2018 Link to this post

    ...adding the protocols fixed it for me as well.  Eric - Fiddler is a superb product and it has saved my sorry backside on countless occasions. Hope it provides you with an excellent pension when you retire, because you deserve it.
  35. Jochen Wezel
    Jochen Wezel avatar
    1 posts
    Member since:
    Jun 2012

    Posted 31 Dec 2018 Link to this post

    Since more and more websites enforce you to use tls 1.2 (and don't support tls 1.0 any more), I suggest that the list of protocols is automatically extended with tls1.2 by a next fiddler update - or at least there should be a single-time question box with Yes-No-Cancel to extend it.
  37. Alexander
    Admin
    Alexander avatar
    383 posts

    Posted 01 Jan Link to this post

    Hello Jochen,

    That's a valid idea. Would you mind adding it to our feedback portal?

    Regards,
    Alexander
    Progress Telerik
    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
Back to Top