Unplanned
Last Updated: 16 Jun 2020 10:55 by ADMIN
Carsten
Created on: 08 Jun 2020 05:45
Type: Bug Report
1
Fiddler thinks "gateway.icloud.com" certificate is invalid

I'm unable to connect to "gateway.icloud.com" when Fiddler is open and decrypting HTTPS traffic.

This is Fiddler Everywhere 0.10.0 on macOS 10.15.5.

To reproduce:

Open Fiddler and make sure it's decrypting HTTPS traffic.

Open any browser and go to https://gateway.icloud.com/

Expected result: Page loads (it's blank. This is normal.)

What actually happens: fiddler.network.https> HTTPS handshake to gateway.icloud.com (for #820) failed. System.Security.Authentication.AuthenticationException The remote certificate is invalid according to the validation procedure.

 

Same thing happens on https://configuration.apple.com/

4 comments
ADMIN
Nick Iliev
Posted on: 16 Jun 2020 10:55

Hi Carsten Jonas,

 

Thanks for the provided details on this issue. On Windows, gateway.icloud.com returns 400 (on my side and on several other test Windows PCs), which is expected and happens with or without Fiddler. It seems that the issue appears only on Mac OS. Marked this one as a bug, and the team will investigate it further.

 

Regards,
Nick Iliev
Progress Telerik

Progress is here for your business, like always. Read more about the measures we are taking to ensure business continuity and help fight the COVID-19 pandemic.
Our thoughts here at Progress are with those affected by the outbreak.
Carsten
Posted on: 13 Jun 2020 16:49

I figured out how to bypass certificate pinning on macOS, but the issue still occurs. This is definitely a Fiddler bug.

As a suggestion, I would recommend that Fiddler give a more detailed error.

The issue is not the browser rejecting Fiddler's certificate - the issue is that Fiddler is rejecting the server's *real* certificate.
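
The distinction drawn in the post above (the proxy rejecting the server's real certificate, as opposed to a client rejecting the proxy's certificate) can be checked by validating the server's chain directly, with no proxy in the path. This is an added example, not part of the thread and not Fiddler code; the regex is built from the single log line in the report, and Python's default trust store stands in for whatever store the proxy consults (both are assumptions).

```python
import re
import socket
import ssl

# Pattern built from the one log line quoted in the report (assumption: other
# Fiddler versions may format it differently).
LOG_RE = re.compile(
    r"HTTPS handshake to (?P<host>\S+) \(for #(?P<session>\d+)\) failed\.\s+"
    r"(?P<exc>[\w.]+Exception)\s+(?P<msg>.+)")

def parse_handshake_failure(line):
    """Return host, session, exc and msg from a failure line, or None."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def direct_verify(host, port=443, timeout=5.0):
    """Validate the server's real chain with no proxy in the path.
    Returns ("valid" | "invalid" | "unreachable", detail)."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "valid", tls.version()
    except ssl.SSLCertVerificationError as e:
        return "invalid", e.verify_message
    except OSError as e:
        return "unreachable", str(e)

def triage(line, verify=direct_verify):
    """Say which side of the proxy the validation failure belongs to."""
    f = parse_handshake_failure(line)
    if f is None:
        return "no upstream handshake failure in this line"
    status, detail = verify(f["host"])
    if status == "valid":
        return (f"{f['host']}: chain validates directly ({detail}); "
                "look at the proxy's trust store or chain building")
    if status == "invalid":
        return f"{f['host']}: chain fails direct validation too: {detail}"
    return f"{f['host']}: inconclusive, direct connection failed: {detail}"

# The line quoted in the report above.
SAMPLE = ("fiddler.network.https> HTTPS handshake to gateway.icloud.com "
          "(for #820) failed. System.Security.Authentication."
          "AuthenticationException The remote certificate is invalid "
          "according to the validation procedure.")

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A "valid" result here only shows that the chain validates against this interpreter's trust store; it narrows the problem to the proxy's validation path without identifying the cause.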

Carsten
Posted on: 12 Jun 2020 00:50

Actually, this seems to be a Fiddler issue. The error is occurring in Fiddler itself - not originating from the browser. The error seems to suggest that Fiddler itself isn't able to verify the server's real certificate.

This still happens even if the browser I'm using is Firefox - which does not use the system certificate validation library.

In addition, many other iCloud servers (e.g. https://p35-mailws.icloud.com/) work just fine with Fiddler open. I don't have access to a Windows PC. Could someone with a Windows PC kindly test if https://gateway.icloud.com/ opens with Fiddler (Everywhere, not the old Windows version) decrypting HTTPS traffic?

 

In the meantime, it would be good if Fiddler had an option to ignore certificate errors on a one-time basis.

ADMIN
Nick Iliev
Posted on: 11 Jun 2020 10:19

Hello Carsten Jonas,

 

The thing is that, most likely, iCloud by Apple is using certificate pinning (a check for a specific hardcoded certificate), and this is causing the issue with the validation procedure. See a more detailed explanation about the issue related to Fiddler and certificate pinning here. There is no out-of-the-box solution apart from having the actual private keys, so, that said, there is currently no option to support decrypting traffic that uses certificate pinning.

 

Regards,
Nick Iliev
Progress Telerik
