I am having problems decrypting any SSL traffic (my Windows 10 PC) using (thelatest version of) Fiddler.
I have tried Eric's (created Fiddler) post on resetting certificates to no avail:
http://textslashplain.com/2015/10/30/reset-fiddlers-https-certificates/
I am seeing the following error in the logs on all SSL requests:
09:50:02:3744 fiddler.network.https> HTTPS handshake to www.fiddler2.com (for #1) failed. System.Security.Cryptography.CryptographicException Unspecified error
To try and isolate the issue I installed Charles and it is able to decrpyt SSL requests so I dont believe it is a system-wide / local network issue.
Any help much appreciated as Fiddler is such an excellent tool.
So I have now got Fiddler working again, these steps fixed my problem:
Remove Fiddler certificates (via the GUI, and manually check in Certificates mmc)
Uninstall Fiddler, including all settings data
Use a registry cleaner to clean up orphan / broken entries
Delete any remnant folder related to Fiddler
Download latest version of Fiddler
Install using all defaults (dont install to a custom location)
Set HTTPS Capture and Decrypt in Fiddler
I faced similar issue on mac with Fiddler. This was the first time I was using fiddler with mac.
The problem was the mac was not trusting the Fiddler
certificate.
To solve it I first of all, go to the Fiddler and then choose
Tools>Options>HTTPS
check Decrypt HTTPS Traffic
In the same dialog, then go to actions and click on export root certificate to the Desktop
click ok and close the fiddler.
Now the fiddler certificate has been downloaded on your desktop. In my case its name was FiddlerRoot.cer .
Double click on it and it will open in the keychain.
Select certificate option from left hand under category
You will find there is a certificate with name DO_NOT_TRUST_FiddlerRoot
Right click on the certificate and click on the Trust to make it expand. Here is how my dialog looks now.
In your case instead of Always trust, use system defaults would have been selected by default. Select Always trust.
Clear cookies and cache of your browser and then restart the browser.
Now if I start my fiddler it is able to decrypt the https website.
Related
I have been going around and around with this issue. I can create a dev-cert using dotnet dev-certs https --trust but the certificate only appears in the Personal certificates folder. If I try copying it to the Trusted folder it disappears on refresh. I have watched videos of people doing this on YouTube and it works so I'm not sure what is wrong with my PC/install.
Running my code and hitting the route in Postman returns a 500 error and UntrustedRoot.
I have tried this using a local user account and my admin account. I have also tried creating a certificate and importing it using OpenSSL following guides I have found, but still no luck.
I am running Windows 10 Pro on a new build PC. Windows was a clean install with a new licence.
I really don't want to have to purchase a signed certificate just to do development on localhost as that seems a bit overkill.
Any suggestions?
tl;dr try disabling your anti-virus before creating certificate!
I finally stumbled upon the answer; my anti-virus, WebRoot. I was following a YouTube tutorial on how to add a custom certificate to Kestrel and in doing so I discovered that WebRoot was blocking access to the hosts file. Disabling the av allowed me to update that file but also, it then allowed trusting of the dev-cert generated by dotnet dev-certs https --trust.
Not sure how I can prevent this in future other than temporarily disable the av before creating a certificate. Frustrating that the av doesn't warn me and there doesn't appear to be an obvious setting to allow this to happen.
These days I am researching on capturing and decoding SSL traffic from apk files, I have learned that it is possible to use Fiddler to do that, I have done all the steps in the following link
Cannot configure Fiddler proxy in Android to decrypt HTTPS
But my situation is a little different, I can decode some SSL traffic from apk files, but some SSL traffic seems does not go through WLAN, not like the situation in above links, it does not appear in Fiddler capturing window(maybe the code in apk deliberately set to not go through WLAN to avoid being captured?)
so I tried proxydroid to make all traffic go to my fiddler proxy, It succeeded, now it appears in fiddler capturing window, but it seems not using fiddler root cert like those traffic which goes through WLAN as default, so I can only see "connect to xxx" in Fiddler window, but no decryption
I even tried xpose framework and JustTrustMe, still no use(although I think the problem does not lie there)
So in such a situation, Is there a way to decode? I think the key is to both direct SSL traffic to fiddler proxy and use root cert simultaneously, but How?
UPDATE:
not to mention this specific problem, currently Could someone give me some information about how a SSL cert is used in android system, why those https links which use WLAN as default will use cert automatically, I guess it's because those links which use WLAN as default is just like use https link in browser , while cert is trusted by browser when you installed this root cert, but those links which do not use WLAN as default actually do not trigger https link like in browser, so even using some tool to redirect those links to fiddler proxy can not make it trust the cert, so they just do not use this root cert?? if my guess is right, then maybe there is no easy solution to solve this problem??
UPDATE2:
I have posted another topic, which tries to solve this problem from another perspective, it provided specific apk link, so if someone is interested, you can visit that topic to get more info
So I am trying to setup a test environment for bittorrent file tranfers with SSL protection and I am having some troubles and would need some guidence.
My setup:
PC1: Running opentracker and is acting as the Certificate Authority.
PC2: Running libtorrent example client compiled with support for SLL encryption. Also acts as the publisher of the torrent file.
PC3: Same as PC2 but is not publishing any file.
When I use this setup without SSL torrents everything works as expected. The file gets transferred and if you go into the trackers stats page (trackerip/stats) it shows that 1 torrents is beeing served and there are 2 peers connected.
However, when I use my SSL torrent this is not happening. First of all, no file is being transferred. Second of all the tracker doesn't seem to recognize the torrent file i.e the tracker tells me it is currently not serving any torrents.
What could be wrong with my setup? And how do I start troubleshooting this?
Could it be that the tracker have to support HTTPS? Maybe I can't use open tracker. Do anyone have experience with this?
It is very likely that something is missing in the torrent file, but should I not be getting any errors in that case?
I am using the libtorrent example project "make_torrent" to make my ssl torrent and when I inspect it, it contains my certificate.
EDIT:
So a big part of my problem I assume is that I have zero experience from working with SSL stuff. So this is probably where I fail. I have read through both http://www.libtorrent.org/manual-ref.html#ssl-torrents and http://blog.libtorrent.org/2012/01/bittorrent-over-ssl/
and I am not sure I fully understand it.
I will try to explain how I have interpreted it and you guys can explain why I am wrong :) .
My interpretation:
The publisher of the torrent will include a x509 certificate signed with the publishers private key.
When a peer receives this torrent it will use the publishers public key (installed at an earlier time) to verify it's authenticity.
If everything is OK, the peer will generate a Certificate Signing Request and sign it with the peers private key and then send it to the publisher who signs it and returns a certificate. This is then the certificate that the peer will present to other peers.
Is this correct?
I have an application which is making calls to twitter and I need to inspect the traffic so that I can learn more about oAuth.
When I double click the ssl traffic I get a yellow box which prompts me to go and change the options (by the way I am running my app through a proxy).
After having read about using a certificate on my machine which fiddler creates I have clicked the link to let fiddler install certificates on my machine by following these instructions...
http://docs.telerik.com/fiddler/configure-fiddler/tasks/configurefiddlerforwin8
However instead of this happening...
I get this error message...
"unable to configure windows to trust Fiddler Root certificate" here is a screen shot....
When I checked the logs as suggested (although is confusing as I thought the log was to do with each individual request), anyway I saw this...
I have even tried installing the certificate manually no no avail. Hope someone can help me get fiddler/ssl decryption working with windows 8! :-)
UPDATE : In response to Erics questions he made in the below answer...
Hi Eric thanks for replying.
1) A box popped up saying 'Certificate Trust' this is the box I have taken a screen shot of above. It was the box that told me to check the log.
2) I have an account and when I check my users it says I am an Administrator underneath my username.
3) I have tried to run Fiddler as an Administrator to no avail.
I also tried to drag and drop the certificate manually into the certmgr.msc tool and it comes up with a little round cursor with a line through it. Sounds like permissions but I just cant see why as I have full everything....
I finally found a way to workaround cases where group policy tries to limit who you can trust.
METHOD 1
Go into the fiddler HTTPS options and export the root cert to your
desktop.
Open up mmc.exe and add in the certificate widgets for
Local Computer
Import the fiddler certificate into the Third-Party
Root Certificate Store
Go ahead and use fiddler and see it generate new certs and watch your system trust them.
Method 2
Run afoul and bypass an intentional security control.
reg delete HKLM\Software\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots /f
Go back into fiddler HTTP options, and toggle Decrypt HTTPS traffic off and on again. press okay to install the cert in the usual way
maybe run a gpupdate /force to get your setting back to the way your admins intended.
For insight, the problem group policy settings may look something like this:
If you have any Flags value in your registry under Local_Machine \ Software\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots, this lock-down is probably in effect.
#EricLaw - Are you up for maybe changing fiddler to try to import into the third-party store by default? It seems like the "third-party store" may be less subject to lockdown.
This is the best write-up of third-party-store i've seen: http://kreelbits.blogspot.com/2014/02/whats-purpose-of-users-third-party-root.html
I managed to solve a similar problem I was having (in windows 7) by following the instructions here: http://casualtechs.blogspot.com.au/2010/06/problem-when-trying-to-import.html (with the only difference being that we want to add the Fiddler certificate to "Trusted Root Certification Authorities -> Local Computer" instead of the "Trusted Publishers" that is mentioned on that site). My modified steps were:
Obtain the Fiddler root certificate from the "fiddler options" -> "Https" -> "Export root certificate to desktop" menu
Open the certificate (double click on it)
Click on the Install certificate button
Click the "Next" button
Select "Place all certificates in the following store"
Click the "Browse" button
Tick the "Show physical stores" checkbox
Expand the "Trusted Root Certification Authorities" folder
Click "Local Computer"
Click the "OK" button.
Click the "Next" button, then click the "Finish" button
Basically the bit I was missing when trying to import the Fiddler Root certificate was to drill down into the "Local Computer" folder underneath the "Trusted Root Certification Authorities" folder. You will have to make sure that the "Show physical stores" checkbox is ticked as shown below:
The error message in question indicates that your Per-User certificate store does not allow you to put certificates into it. Sometimes this happens if your Corporate Group Policy prevents end-users from trusting certificates. Sometimes it happens if your software configuration has been changed by 3rd party software (E.g. VPN or security clients). Sometimes it happens when there's a corrupt ACL somewhere.
Questions
What dialog box immediately preceded the error message on the Log
tab?
Are you an admin on the box?
If so, if you run Fiddler as Admin and try again does it succeed or fail?
Workarounds
If #3 doesn't work, click the Export root certificate to desktop button. Then launch certmgr.msc using Start > Run. Attempt to drag the certificate from your Desktop into the Trusted Root Certification Authorities folder. What, if any, error messages are shown?
When configuring Telerik's Fiddler to handle HTTPS, I could not get root certificate installed. The error was "Failed to find the root certificate in User Root List". I solved the problem by temporarily turning off WebRoot, my antivirus program, then reattempting to enable HTTPS handling which installs Fiddler's root certificate. You may have to click the Action button on the HTTPS tab to remove/reset previous certificates before being able to create a new certificate.
I reset my certificates by Tool > Options > HTTPs > Action > Reset all certificates but it doesn't work.
This is how I fixed my problem
Restart service CryptSvc.
Right click HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots
Permission > Current Windows Users > Full Access
Delete Full Key HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root
Restart Windows and that's it
Ref: https://www.addictivetips.com/windows-tips/fix-chrome-not-working-windows-10/
I am using a Debian/Apache webserver with up-to-date software and a SSL certificate to encrypt the communication via HTTPS. In February the old certificate expired and I got me a new one (CA Geotrust via CA RapidSSL). Like the one before.
In Firefox (Chrome, ...) everything works fine. But after the old certificate finally expired after 2 weeks, Internet Explorer says the certificate has expired - leave the page? Appearently the old certificate is stuck in the browser cache and has not been updated since.
And the thing ain't done with clearing the browser cache. I actually had to reset the IE settings to make it reload the new certificate. As it works by now, I guess that the server delivers the correct certificate. But there are still other users who report the same problem - so it wasn't my browser alone.
My best guess is that something in the old cert or my cache suggestions told the IE to store the certificate for a long while. But I have no clue how to solve this - or even what to change so I don't have the same problem next year, again.
Thanks for any ideas!
BurninLeo
I had a similar problem. In fact it is IE under XP who don't support several HTTPS subdomaine on a single IP address.
http://nginx.org/en/docs/http/configuring_https_servers.html#sni
So if you have also several domains or subdomains in same IP you can't solve this on XP/IE you can just choose which certificat is used by XP/IE but it will be the same for all subdomaine.
PiR