Pending Review
Last Updated: 24 Mar 2021 00:33 by MenuMike
Jochen Wezel
Created on: 02 Jan 2019 09:25
Type: Feature Request
7
Enable TLS 1.2 by default

Since more and more websites require you to use TLS 1.2 (and don't support TLS 1.0 any more), I suggest that the list of protocols be automatically extended with tls1.2 in the next Fiddler update - or at least there should be a one-time question box with Yes-No-Cancel to extend it.

Also see reference at https://www.telerik.com/forums/some-https-sites-are-unaccessible-when-using-fiddler

6 comments
MenuMike
Posted on: 24 Mar 2021 00:33

Dang it.... I SHOULDN'T have to enable "Decrypt HTTPS Traffic" in order for composer to send a request using TLS 1.2.

If you're up for it, an edit comment button on this forum would be nice too.

MenuMike
Posted on: 24 Mar 2021 00:30

I did have <client> in the Protocols box as well... here is the problem:

When I turn on "Decrypt HTTPS traffic" to enable that Protocols setting, I get prompted to install a new trusted root certificate. Due to security policies, I am unable (and frankly unwilling) to do that.

After I click that box, now I can use the composer to manually create API requests to servers that only support TLS 1.2... BUT, while that setting is on, nothing else on my computer works, as the majority of sites will attempt to use TLS 1.2, but not work because I refused to trust the new root certificate. So I can't manually create API requests and test them at the same time as I'm actually testing live webservers that implement the API... So I have to go in and turn the "Decrypt HTTPS traffic" setting off in order for the rest of my computer to work, then turn it back on again when I need to test an API directly that only supports TLS 1.2. I should have to enable "Decrypt HTTPS traffic" in order to allow composer to use a different protocol that is obviously supported by Fiddler. Fiddler doesn't need to sniff or decrypt those manually entered composer requests, because it was the process that generated the requests and will receive the responses directly.

Don't make me switch to Postman.

Eric
Posted on: 23 Mar 2021 23:21

@Michael: in the same box where you typed "tls1.2" you can type "<client>" and Fiddler will offer the server the latest TLS version the client offered it.

It's not at all clear what you mean by "install new root certificates" or "every time I open Fiddler"-- the root certificates have nothing to do with the TLS version (you can use any version of TLS with Fiddler's root), and the setting for which TLS version is used is preserved from session to session, so after you add either "tls1.2" or "<client>" once, you should never need to do so again.

MenuMike
Posted on: 23 Mar 2021 21:38

I need this feature.   What do you mean by <client> token?   I can't find any settings for that.   Is that the User-Agent?

I was able to get this to work by going to Tools->Options->HTTPS->Decrypt HTTPS traffic, and then editing the Protocols list to include "tls1.2", but I don't want to install new root certificates, and doing this every time I open Fiddler is very annoying.

Please let me know how to enable this by default because TLS 1.0 and 1.1 were officially deprecated today https://datatracker.ietf.org/doc/rfc8996/  and more and more APIs I deal with only allow connections using TLS 1.2.

Either that or I switch to Postman and hate myself.   Please.

Eric
Posted on: 08 Jan 2019 18:19

(Also worth noting is that Fiddler's Composer feature doesn't use TLS/1.2 when <client> is specified, and only uses whatever other versions are explicitly mentioned.)

EricLaw
Posted on: 02 Jan 2019 13:57

FWIW, by default, Fiddler includes the <client> token, which means that Fiddler will offer TLS/1.2 if the client does.

Having said that, this is probably a good change to make now that the number of sites that require TLS/1.2 probably exceeds the number of sites that break if you offer TLS/1.2.