Fiddler thinks "gateway.icloud.com" certificate is invalid

Fiddler Everywhere Feedback Portal

Create an account Log In

Back to Feed

Request a Feature Report a Bug

Completed

Last Updated: 22 Sep 2021 07:32 by ADMIN

Missing User

Created on: 08 Jun 2020 05:45

Type: Bug Report

Fiddler thinks "gateway.icloud.com" certificate is invalid

I'm unable to connect to "gateway.icloud.com" when Fiddler is open and decrypting HTTPS traffic.

This is Fiddler Everywhere 0.10.0 on macOS 10.15.5.

To reproduce:

Open Fiddler and make sure it's decrypting HTTPS traffic.

Open any browser and go to https://gateway.icloud.com/

Expected result: Page loads (it's blank. This is normal.)

What actually happens: fiddler.network.https> HTTPS handshake to gateway.icloud.com (for #820) failed. System.Security.Authentication.AuthenticationException The remote certificate is invalid according to the validation procedure.

Same thing happens on https://configuration.apple.com/

8 comments

ADMIN

Nick Iliev

Posted on: 05 Nov 2020 15:19

Hello Carsten,

The team is currently implementing an option that will allow ignoring server certificate errors (as a feature parity with the classic Fiddler where this option is available under the HTTPS section as "ignore server certificate errors" tick). This way, Fiddler Everywhere will have the opportunity to ignore failed handshakes due to failed certificate validation and proceed with the request. The feature will be available soon in the upcoming new release of Fiddler Everywhere.

Regards,
Nick Iliev
Progress Telerik

Virtual Classroom, the free self-paced technical training that gets you up to speed with Telerik and Kendo UI products quickly just got a fresh new look + new and improved content including a brand new Blazor course! Check it out at https://learn.telerik.com/.

Missing User

Posted on: 31 Oct 2020 07:43

Then why does Fiddler think the server's real certificate is invalid? See screenshot 1. I would appreciate it if the error message provided more details or had an option to ignore it. (the lack of details or bypass options happens on any server certificate error when Fiddler is running. I know the old Windows version provided details and had a bypass option.)

The issue also happens when the browser I'm using is Firefox, which does not use the system certificate validation library, so the issue is not a browser/pinning issue. See screenshot 2.

As to the Apple Support article you linked to, that is just a help article that warns users not to ignore certificate warnings. The document is talking about www.icloud.com, and that connects just fine with Fiddler running. (although it pulls in resources from domains that are affected.)

Attached Files:

ADMIN

Nick Iliev

Posted on: 20 Oct 2020 11:34

Hi Carsten,

After some additional investigation, it looks like that Apple recently introduced an additional security layers for all servers under the icloud.com domain. The full statement from Apple can be found here.

The crucial part is at the very beginning:

Apple is deeply committed to protecting our customers’ privacy and security. We’re aware of intermittent organized network attacks using insecure certificates to obtain user information, and we take this very seriously. These attacks don't compromise iCloud servers, and they don't impact iCloud sign in on iOS devices or Macs running OS X Yosemite using the Safari browser.

The iCloud website is protected with a digital certificate. If users get an invalid certificate warning in their browser while visiting www.icloud.com, they should pay attention to the warning and not proceed. Users should never enter their Apple ID or password into a website that presents a certificate warning. To verify that they are connected to the authentic iCloud website, users can check the contents of the digital certificate as shown below for Safari, Chrome, and Firefox—each of which provides both certificate information and warnings.

So that said, when Fiddler Everywhere is on, the Fiddler root trust certificate is used to establish a secure connection. Apple won't allow this certificate to connect to the server and instead of a blank page or normal content, you are receiving the expected connection refused. Actually, if you make the request through Safari the following descriptive error is logged:

Safari can't open the page "https://gateway.icloud.com" because Safari can't establish a secure connection to the server "gateway.icloud.com".

Regards,
Nick Iliev
Progress Telerik

Missing User

Posted on: 15 Oct 2020 20:09

Is there an update? The issue still happens with Fiddler Everywhere version 1.1.1.

ADMIN

Nick Iliev

Posted on: 16 Jun 2020 10:55

Hi Carsten Jonas,

Thanks for the provided details on this issue. On WIndows the gateway.icloud.com returns 400 (on my side and on several other test Windows PCs) which is expected and happens with or without Fiddler. It seems that the issue appears only on Mac OS. Marked this one as a bug and the team will investigate it further.

Regards,
Nick Iliev
Progress Telerik

Progress is here for your business, like always. Read more about the measures we are taking to ensure business continuity and help fight the COVID-19 pandemic.
Our thoughts here at Progress are with those affected by the outbreak.

Missing User

Posted on: 13 Jun 2020 16:49

I figured out how to bypass certificate pinning on macOS, but the issue still occurs. This is definitely a Fiddler bug.

As a suggestion, I would recommend that Fiddler give a more detailed error.

The issue is not the browser rejecting Fiddler's certificate - the issue is that Fiddler is rejecting the server's *real* certificate.

Missing User

Posted on: 12 Jun 2020 00:50

Actually, this seems to be a Fiddler issue. The error is occurring in Fiddler itself - not originating from the browser. The error seems to suggest that Fiddler itself isn't able to verify the server's real certificate.

This still happens even if the browser I'm using is Firefox - which does not use the system certificate validation library.

In addition, many other iCloud servers (e.g. https://p35-mailws.icloud.com/) work just fine with Fiddler open. I don't have access to a Windows PC. Could someone with a Windows PC kindly test if https://gateway.icloud.com/ opens with Fiddler (Everywhere, not the old Windows version) decrypting HTTPS traffic?

In the meantime, it would be good if Fiddler had an option to ignore certificate errors on a one-time basis.

ADMIN

Nick Iliev

Posted on: 11 Jun 2020 10:19

Hello Carsten Jonas,

The thing is that most likely, iCloud by Apple is using certificate pinning (a check for a specific hardcoded certificate), and this is causing the issue with validating procedure. See a more detailed explanation about the issue related to Fiddler and certificate pinning here. There is no out-of-the-box solution, apart from having the actual private keys so that said there is currently not an option to support decrypting traffic coming from a certificate pinning.

Regards,
Nick Iliev
Progress Telerik