FW: [Fiddler] - 3603 Re: Capturing SSL traffic from iPhone from peter williams on 2011-05-03 (public-xg-webid@w3.org from May 2011)

From: peter williams <home_pw@msn.com>
Date: Mon, 2 May 2011 22:55:14 -0700
To: "'WebID Incubator Group WG'" <public-xg-webid@w3.org>
Message-ID: <SNT143-ds211D67917F1F48887A5F20929E0@phx.gbl>
May be... an example of what to do (and not to do, in the IOS case).

Apply to apache and use "correct" CERT extensions (apple variant of
correctness, that is).

You can compare with an apple cert that works to determine are the "correct"
OIDs that chain links in a manner that THEY deem valid.

Nothing like breaking everyone else standard to establish the brand. Oh
well. Its apple. Its consistent, if nothing else.


-----Original Message-----
From: httpfiddler@googlegroups.com [mailto:httpfiddler@googlegroups.com] On
Behalf Of EricLaw
Sent: Monday, May 02, 2011 8:57 PM
To: Fiddler
Subject: [Fiddler] - 3603 Re: Capturing SSL traffic from iPhone

Alright, I got this figured out, I think.

iOS requires that the root certificate bear a Subject Key Identifier, and
that the end-entity certificate bears an Authority Key Identifier matching
the root SKI.

MakeCert.exe doesn't put a SKI in the root certificate, and it uses an older
OID for the AKI.

Try the following:


... 'msft specific stuff'


ou shouldn't see any certificate errors at this point for that site.
Please let me know if this worked, and I'll figure out where we go from
here.

-Eric

On May 2, 3:54 pm, EricLaw <bay...@gmail.com> wrote:
> I suspect that day will be quite a while in the future.
>
> But yes, I think HTTPS support is pretty important. It's interesting 
> (and surprising) that iOS doesn't seem to work well with certificate 
> chains that are trusted by all other known platforms.
>
> On May 2, 3:46 pm, Eric Vermeire <er...@allrecipes.com> wrote:
>
>
>
> > Ok, thanks for looking into this.  It would be a big win for Fiddler 
> > to support a cert. that can be can trusted on an iOS device.  As SSL 
> > becomes more of a requirement for mobile API requests because of 
> > session hijacking concerns.  Some day we will never see a non-SSL 
> > request from a mobile device.
>
> > Eric
>
> > On May 2, 1:25 pm, EricLaw <bay...@gmail.com> wrote:
>
> > > Yeah, I took it down after buying an IPOD Touch yesterday and 
> > > confirming that while the certificate is marked as "Trusted" in 
> > > the device's store, the cert chain still reports errors. 
> > > Investigation continues...
>
> > > On May 2, 1:18 pm, Eric Vermeire <er...@allrecipes.com> wrote:
>
> > > > The link tohttps://www.fiddler2.com/dl/MakeFiddlerRoot.zipis
> > > > returning HTTP 404 (Not found)
>
> > > > Eric
>
> > > > On Apr 29, 8:44 am, EricLaw <bay...@gmail.com> wrote:
>
> > > > > Okay, so I may have a workaround for this, based on generating 
> > > > > a new root certificate with AKI and SKI extensions.
>
> > > > > Can you please try the following:
>
> > > > > 1> In Fiddler, click Tools > Fiddler Options > HTTPS.
> > > > > 2> Untick Decrypt HTTPS Traffic.
> > > > > 3> Click the "Remove decryption certificates" button and 
> > > > > 3> accept the
> > > > > prompt to delete all certificates.
> > > > > 4> Downloadhttps://www.fiddler2.com/dl/MakeFiddlerRoot.zipandr
> > > > > 4> un
> > > > > the MakeFiddlerRoot.exe
> > > > > 5> Click through the import dialogs to import the new root.
> > > > > 6> Retick the Decrypt HTTPS Traffic checkbox
>
> > > > > Try the scenario again.
>
> > > > > thanks,
> > > > > -Eric
>
> > > > > On Apr 28, 9:49 am, Eric Vermeire <er...@allrecipes.com> wrote:
>
> > > > > > Glad to see others are discussing this topic, but I feel 
> > > > > > that there is still work to be done for get a working 
> > > > > > solution.  Currently, I have to use the Charles HTTP proxy 
> > > > > > in order to view SSL traffic from native apps on my iOS 
> > > > > > devices.  The keyword is "native" apps.  This is possible on 
> > > > > > Charles, because the certificate it generates is marked as 
> > > > > > "Trusted" (green colored text) on my iOS devices.  The 
> > > > > > Fiddler generated cert. is marked as "Untrusted" (red 
> > > > > > colored text) and therefore is not automatically used by native
apps when making SSL requests.
>
> > > > > > So, what exactly is the difference between the Charles cert. 
> > > > > > and the Fiddler cert.?  If we could get Fiddler to generate 
> > > > > > a SSL cert. with the same settings so that iOS devices 
> > > > > > consider the cert. to be "Trusted", then I can switch back to
Fiddler.
>
> > > > > > Eric
>
> > > > > > On Mar 31, 12:04 pm, Max Vaysburd 
> > > > > > <max.vaysb...@angrykitten.com>
> > > > > > wrote:
>
> > > > > > > Hello.
>
> > > > > > > Has anyone successfully used Fiddler to capture SSL 
> > > > > > > traffic from iPhone apps other than Safari?  I am running 
> > > > > > > into issues, likely due to self-signed nature of the 
> > > > > > > Fiddler Root cert, in trying to get an iPhone application 
> > > > > > > with embedded UIWebView control to reveal it's SSL 
> > > > > > > traffic.  Here's what I've done
>
> > > > > > > 1. Set up Fiddler to decrypt SSL traffic and exported the root
cert.
> > > > > > > 2. Renamed FiddlerRoot.cer to FiddlerRoot.crt, loaded it 
> > > > > > > to the phone via Safari and marked it as trusted.
> > > > > > > 3. Connected iPhone to WiFi and set proxy to Fiddler's IP 
> > > > > > > address and port 8888
>
> > > > > > > When I point Safari at a site using SSL, I am first shown 
> > > > > > > a dialog warning about untrusted SSL cert (fiddler 
> > > > > > > injecting itself) and once I accept then I can see the traffic
in fiddler.
> > > > > > > When I point an app hosting UIWebView to the same URL, 
> > > > > > > there is no prompt (expected behavior) and all I see are a 
> > > > > > > bunch of CONNECT requests in Fiddler and the app doesn't work
correctly.
>
> > > > > > > In contrast, using Charles proxy and following the same 
> > > > > > > steps as above I see two significant differences.  First 
> > > > > > > of all Safari doesn't prompt about untrusted certificate.  
> > > > > > > Presumably because Charles cert was imported and trusted.  
> > > > > > > Secondly, the app using UIWebView functions normally and SSL
traffic is automatically decrypted by Charles.
>
> > > > > > > Perhaps the difference in behavior is that Fiddler 
> > > > > > > dynamically generates a cert rooted to untrusted root, 
> > > > > > > where as Charles just uses the same certificate?  Can 
> > > > > > > anyone offer suggestions on how to make iPhone trust Fiddler's
certs?
>
> > > > > > > Thanks,
> > > > > > > Max.- Hide quoted text -
>
> > > > > > - Show quoted text -- Hide quoted text -
>
> > > > - Show quoted text -- Hide quoted text -
>
> > - Show quoted text -- Hide quoted text -
>
> - Show quoted text -

--
You received this message because you are subscribed to the Google Groups
"Fiddler" group.
To post to this group, send email to httpfiddler@googlegroups.com.
To unsubscribe from this group, send email to
httpfiddler+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/httpfiddler?hl=en.
Received on Tuesday, 3 May 2011 05:55:43 UTC