Need More Info
Last Updated: 06 Dec 2020 06:31 by Eric
VLADIMIR
Created on: 04 Dec 2020 14:03
Type: Bug Report
0
Can't connect to site https://inlat.am/ with "Decrypt SSL traffic" option set

Hello dear Fiddler support.

The bug I've found is: Fiddler doesn't support some encryption ciphers.

Recently I was trying to connect to the https://inlat.am/ site with the "Decrypt SSL traffic" option set in Fiddler, and to my genuine surprise I couldn't even connect to the site.

I am using Chrome 87.0.4280.88 64bit and Fiddler v5.0.20204.45441 for .NET 4.6.1

Without the "Decrypt SSL traffic" option set in Fiddler, Chrome works fine.

So I decided to investigate what actually happened.

I went to the https://www.ssllabs.com/ site to check the supported ciphers (you can check it here: https://www.ssllabs.com/ssltest/analyze.html?d=inlat.am&s=18.159.255.107)

and tried to reproduce the issue with Wireshark on.

In Wireshark I can see that there are no ciphers supported by the https://inlat.am/ site:

Cipher Suites (24 suites)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
    Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
    Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
    Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
    Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
    Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
    Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
    Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
    Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)

Now I know what the issue is about.

My question is how to fix the problem with ciphers.

In my opinion you should somehow add it in Fiddler.

2 comments
Eric
Posted on: 06 Dec 2020 06:31

On Windows 10 with TLS/1.2 enabled in Fiddler, there are two ciphers that the server and client have in common:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   Forward Secrecy   256

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   Forward Secrecy

If you're running Fiddler on an earlier version of Windows, it's possible that these ciphers aren't available even when TLS/1.3 is enabled.


(FWIW, "ssl3.0" should not be enabled in Fiddler except in very rare cases where the user knows that it's needed; if that's still enabled by default, it should probably be taken out.)
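
The comparison made in the comment above, as an added example that is not part of the original thread or of Fiddler: it parses the ClientHello suites from the Wireshark output in the report, intersects them with the two suites the comment lists for the server, and reports offered suites that use the same cipher and hash under a different key exchange or authentication. SERVER_SHARED and the function names are assumptions; the server list holds only what the thread states.

```python
import re
# ClientHello suites copied from the Wireshark output in the report above.
CLIENT_HELLO = """
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
    Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
    Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
    Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
    Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
    Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
    Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
    Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
    Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
"""
# Server side: only the two suites named in the comment (assumption, not a full scan).
SERVER_SHARED = {0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                 0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}
SUITE_LINE = re.compile(r"Cipher Suite:\s+(\S+)\s+\(0x([0-9a-fA-F]{4})\)")

def parse_offered(text):
    """Map suite id -> name for each 'Cipher Suite:' line of a Wireshark dump."""
    return {int(hex_id, 16): name for name, hex_id in SUITE_LINE.findall(text)}

def negotiable(offered, server):
    """Suites the server could pick: ids present in both lists."""
    return {sid: name for sid, name in server.items() if sid in offered}

def near_misses(offered, server):
    """Offered suites with a server suite's cipher and hash but another key exchange/auth."""
    tails = {name.split("_WITH_")[1] for name in server.values()}
    return sorted(n for i, n in offered.items() if i not in server and n.split("_WITH_")[1] in tails)

if __name__ == "__main__":
    offered = parse_offered(CLIENT_HELLO)
    print("negotiable:", negotiable(offered, SERVER_SHARED) or "none", "| near misses:", near_misses(offered, SERVER_SHARED))
```

On the capture in the report the intersection is empty, while six offered suites carry the same AES-GCM cipher and hash under a different key exchange or authentication.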

ADMIN
Nick Iliev
Posted on: 04 Dec 2020 14:32

Hello Vladimir,

With Google Chrome browser version 86.0.4240.198 (Official Build) (64-bit) and Fiddler v5.0.20204.45441 for .NET 4.6.1 (Built: Tuesday, November 3, 2020), I am able to successfully load and capture traffic from https://inlat.am/

HTTP/1.1 200 OK
Server: nginx/1.19.1
Date: Fri, 04 Dec 2020 14:28:19 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 44335
Connection: keep-alive
X-Powered-By: PHP/7.4.13
Link: <https://inlat.am/index.php?rest_route=/>; rel="https://api.w.org/"
Vary: Accept-Encoding
Strict-Transport-Security: max-age=15724800; includeSubDomains

As noted here, Fiddler could not change the ciphers' availability, so you are probably facing a different issue. Check if you have enabled Fiddler to provide support for different protocol versions under Tools > Options > HTTPS > Protocols. Mine looks like this:

<client>;ssl3;tls1.0;tls1.1;tls1.2


Regards,
Nick Iliev
Progress Telerik
