
Problem with capturing TLS traffic for some web sites (I assume an issue with ciphers - the site and Fiddler have no overlap)

Hi!

Recently I was trying to connect to the https://inlat.am/ site with the "Decrypt SSL traffic" option set in Fiddler. To my genuine surprise, I couldn't even connect to the site.

I am using Chrome 87.0.4280.88 64-bit and Fiddler version 1.3.0.


Without the "Decrypt SSL traffic" option set in Fiddler, Chrome works fine.

So I decided to investigate what actually happened.

I went to the https://www.ssllabs.com/ site to check the supported ciphers - you can check it here: https://www.ssllabs.com/ssltest/analyze.html?d=inlat.am&s=18.159.255.107


Cipher Suites

# TLS 1.3 (suites in server-preferred order)

TLS_AES_256_GCM_SHA384 (0x1302)   ECDH x25519 (eq. 3072 bits RSA)   FS256
TLS_CHACHA20_POLY1305_SHA256 (0x1303)   ECDH x25519 (eq. 3072 bits RSA)   FS256
TLS_AES_128_GCM_SHA256 (0x1301)   ECDH x25519 (eq. 3072 bits RSA)   FS128

# TLS 1.2 (suites in server-preferred order)

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH x25519 (eq. 3072 bits RSA)   FS128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH x25519 (eq. 3072 bits RSA)   FS256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)   ECDH x25519 (eq. 3072 bits RSA)   FS256


and tried to reproduce the issue with Wireshark on.

In Wireshark I can see that there are no ciphers supported by the https://inlat.am/ site:


Cipher Suites (24 suites)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
    Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
    Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
    Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
    Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
    Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
    Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
    Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
    Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)

Now I know what the issue is about.

My question is how to fix the problem with ciphers.

In my opinion you should somehow add it in Fiddler.


Best Answer

Hi there. The ticket can be closed - the problem is that Windows 7 doesn't support TLS 1.3 and there is no way around it (only installing a newer version like Windows 10). So Fiddler is OK; it is not a Fiddler issue.


Hey there,


For the sake of having more visibility, I am posting the solution used by the user that was published in an identical thread:


... have an option to bypass the proxy when certificate pinning is being used. That's actually what I ended up doing, putting the telemetry URL in the bypass list. Does the trick. I figured that out after I had posted.

Answer


In Chrome there is no certificate pinning, so it is not my case - and I want to see traffic in and out of this site https://inlat.am/
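
The cipher comparison described in the question, as an added example that is not part of the original thread: it parses the two lists quoted above (the SSL Labs server report and the ClientHello seen in Wireshark, re-wrapped here), intersects them by suite ID, and checks whether the client offers any TLS 1.3 suite. The function and variable names are assumptions made for this illustration.

```python
import re

# Server suites, copied from the SSL Labs report quoted in the post.
SERVER = """
TLS_AES_256_GCM_SHA384 (0x1302)  TLS_CHACHA20_POLY1305_SHA256 (0x1303)
TLS_AES_128_GCM_SHA256 (0x1301)  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
"""
# ClientHello suites, copied from the Wireshark output in the post (re-wrapped).
CLIENT = """
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f) TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d) TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d) TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
TLS_RSA_WITH_AES_256_CBC_SHA (0x0035) TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024) TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a) TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038) TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a) TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
"""
SUITE_RE = re.compile(r"(TLS_\w+) \(0x([0-9a-fA-F]{4})\)")

def parse_suites(text):
    """Map suite id -> name for each 'NAME (0xXXXX)' entry (SSL Labs or Wireshark text)."""
    return {int(code, 16): name for name, code in SUITE_RE.findall(text)}

def compare(client_text, server_text):
    client, server = parse_suites(client_text), parse_suites(server_text)
    shared = sorted(client.keys() & server.keys())
    # TLS 1.3 suites are 0x1301-0x1305; offering none means the client cannot negotiate TLS 1.3.
    offers_tls13 = any(0x1301 <= i <= 0x1305 for i in client)
    # For each TLS 1.2 server suite, list client suites with the same key exchange/auth
    # prefix (text before _WITH_) to show how close the client comes to a match.
    near = {}
    for name in server.values():
        if "_WITH_" in name:
            kx = name.split("_WITH_")[0]
            near[kx] = sorted(i for i, n in client.items() if n.split("_WITH_")[0] == kx)
    return {"shared": shared, "offers_tls13": offers_tls13, "same_kx": near}

if __name__ == "__main__":
    result = compare(CLIENT, SERVER)
    print("shared suites:", [hex(i) for i in result["shared"]])
    print("client offers TLS 1.3 suites:", result["offers_tls13"])
    for kx, ids in result["same_kx"].items():
        print(kx, "offered only as:", [parse_suites(CLIENT)[i] for i in ids])
```

On the lists from this thread the intersection is empty: the client offers no TLS 1.3 suites, and its only ECDHE_RSA suites are CBC-based, while the server accepts ECDHE_RSA only with AES-GCM or ChaCha20-Poly1305.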