Unable to tunnel and decrypt through the Fiddler proxy

Question   Votes: 0   Answers: 1

I am using the Fiddler proxy to decrypt the HTTPS traffic of a specific app. The problem I am facing is that the app seems to use an internal browser to render part of its content, and when it renders to that browser, Fiddler appears unable to tunnel the connection even though it hits the same hostname. I have captured both a successful and an unsuccessful connection, but I am not an expert in this area, so I hope someone can lend a hand and tell me whether this can be solved somehow. For complete information: I am using a jailbroken iPhone XR with SSLKillSwitch to bypass the pinned-certificate errors; it works for the regular options in the app, but when I reach the part where it uses the internal WebKit browser, the tunnel closes the connection.

Here is a tunnel that was established successfully:

CONNECT api.xxxxxxxxx.com:443 HTTP/1.1
Host: api.xxxxxxxx.com
User-Agent: Driver/1003.95.3.17728954 CFNetwork/1240.0.4 Darwin/20.6.0
Connection: keep-alive
Connection: keep-alive

A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below.

Version: 3.3 (TLS/1.2)
Random: 53 36 A3 4D 40 7F 06 DC 59 EF 0D F2 67 BF 69 13 90 B3 40 A7 30 A1 14 54 E8 D0 ED 0D 99 78 66 05
"Time": 4/11/2011 1:11:47 PM
SessionID: 67 37 00 00 89 55 CA 97 B4 ED 1E 51 D3 52 84 D9 C0 95 92 E8 3E AA 22 59 39 ED EE 34 40 D5 26 96
Extensions: 
    grease (0xaaaa) empty
    server_name api.xxxxxxxx.com
    extended_master_secret  empty
    renegotiation_info  00
    supported_groups    grease [0xfafa], x25519 [0x1d], secp256r1 [0x17], secp384r1 [0x18], secp521r1 [0x19]
    ec_point_formats    uncompressed [0x0]
    ALPN        http/1.1
    status_request  OCSP - Implicit Responder
    signature_algs  ecdsa_secp256r1_sha256, rsa_pss_rsae_sha256, rsa_pkcs1_sha256, ecdsa_secp384r1_sha384, ecdsa_sha1, rsa_pss_rsae_sha384, rsa_pss_rsae_sha384, rsa_pkcs1_sha384, rsa_pss_rsae_sha512, rsa_pkcs1_sha512, rsa_pkcs1_sha1
    SignedCertTimestamp (RFC6962)   empty
    key_share   00 29 FA FA 00 01 00 00 1D 00 20 63 5F C7 E5 45 CB 0C 1B 17 34 69 DF B4 F5 98 0C 91 23 A5 D8 C0 17 C9 8D CC 70 B8 23 C7 79 67 1A
    psk_key_exchange_modes  01 01
    supported_versions  grease [0x2a2a], Tls1.3, Tls1.2
    grease (0xcaca) 00
    padding     214 null bytes
Ciphers: 
    [BABA]  Unrecognized cipher - See https://www.iana.org/assignments/tls-parameters/
    [1301]  TLS_AES_128_GCM_SHA256
    [1302]  TLS_AES_256_GCM_SHA384
    [1303]  TLS_CHACHA20_POLY1305_SHA256
    [C02C]  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    [C02B]  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    [CCA9]  TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    [C030]  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    [C02F]  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    [CCA8]  TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    [C024]  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    [C023]  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    [C00A]  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    [C009]  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    [C028]  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    [C027]  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    [C014]  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    [C013]  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

Compression: 
    [00]    NO_COMPRESSION



HTTP/1.1 200 Connection Established
FiddlerGateway: Direct
StartTime: 08:53:48.980
Connection: close

Encrypted HTTPS traffic flows through this CONNECT tunnel. HTTPS Decryption is enabled in Fiddler, so decrypted sessions running in this tunnel will be shown in the Web Sessions list.

Secure Protocol: Tls12
Cipher: Aes128 128bits
Hash Algorithm: Sha256 ?bits
Key Exchange: ECDHE_RSA (0xae06) 255bits

== Server Certificate ==========
[Subject]
  CN=*.xxxxxx.com, O="Xxxxxx, Inc.", L=San Francisco, S=California, C=US

[Issuer]
  CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US

[Serial Number]
  0E5C9FB26125F869BF32DEFE4B26822E

[Not Before]
  6/13/2022 8:00:00 PM

[Not After]
  7/15/2023 7:59:59 PM

[Thumbprint]
  4F91631510EC84B84A195014E335B1C6748318AF

[SubjectAltNames]
*.xxxxxx.com, xxxxx.com, *.xxxxx.net, xxxxx.net, *.xxxxx.me, xxxxx.me, *.xxxxx.ca, xxxxx.ca, *.xxxxxxxxx.com, xxxxxxxx.com

Unsuccessful tunnel:

CONNECT api.xxxxxx.com:443 HTTP/1.1
Host: api.xxxxxxx.com
User-Agent: com.apple.WebKit.Networking/8611.4.1.0.3 CFNetwork/1240.0.4 Darwin/20.6.0
Connection: keep-alive
Connection: keep-alive

A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below.

Version: 3.3 (TLS/1.2)
Random: E2 EF 8D 53 08 4F D9 3E 23 DB BA 45 40 A6 A2 ED 6E 23 3B 84 C6 00 98 75 9F 03 5C 95 6C 7E 6B 1E
"Time": 6/3/2014 11:55:14 AM
SessionID: CA 79 37 63 83 57 8B E1 86 24 8F F0 18 FA A9 27 83 52 1E 5B BD 39 27 86 94 CB 54 68 7D 7B FD 3E
Extensions: 
    grease (0x1a1a) empty
    server_name api.xxxxxx.com
    extended_master_secret  empty
    renegotiation_info  00
    supported_groups    grease [0xcaca], x25519 [0x1d], secp256r1 [0x17], secp384r1 [0x18], secp521r1 [0x19]
    ec_point_formats    uncompressed [0x0]
    ALPN        h2, http/1.1
    status_request  OCSP - Implicit Responder
    signature_algs  ecdsa_secp256r1_sha256, rsa_pss_rsae_sha256, rsa_pkcs1_sha256, ecdsa_secp384r1_sha384, ecdsa_sha1, rsa_pss_rsae_sha384, rsa_pss_rsae_sha384, rsa_pkcs1_sha384, rsa_pss_rsae_sha512, rsa_pkcs1_sha512, rsa_pkcs1_sha1
    SignedCertTimestamp (RFC6962)   empty
    key_share   00 29 CA CA 00 01 00 00 1D 00 20 2C 81 5B 83 4E A9 2F E0 17 99 47 E1 51 C3 88 5E 6C 65 3C F6 FF FD DE BD B6 4F 3F 38 73 DB 1F 15
    psk_key_exchange_modes  01 01
    supported_versions  grease [0xdada], Tls1.3, Tls1.2
    grease (0x8a8a) 00
    padding     211 null bytes
Ciphers: 
    [EAEA]  Unrecognized cipher - See https://www.iana.org/assignments/tls-parameters/
    [1301]  TLS_AES_128_GCM_SHA256
    [1302]  TLS_AES_256_GCM_SHA384
    [1303]  TLS_CHACHA20_POLY1305_SHA256
    [C02C]  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    [C02B]  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    [CCA9]  TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    [C030]  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    [C02F]  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    [CCA8]  TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    [C024]  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    [C023]  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    [C00A]  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    [C009]  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    [C028]  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    [C027]  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    [C014]  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    [C013]  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

Compression: 
    [00]    NO_COMPRESSION



HTTP/1.1 200 Connection Established
FiddlerGateway: Direct
StartTime: 08:53:46.605
Connection: close

Edit: adding the error I get in the Fiddler log:

08:53:46:7774 !SecureClientPipeDirect failed: System.IO.IOException Authentication failed because the remote party has closed the transport stream. for pipe (CN=*.xxxxxxx.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com)

Note that for privacy reasons I have deliberately redacted the actual hostnames and developer information, but everything else is unchanged. You can see the different User-Agents showing when the browser is used (and fails) and when it is not.

I hope someone can give me some clues on how to solve this. With a different proxy (Mockttp) this works fine, so I hope Fiddler can do it too, since it is more user-friendly for my purposes.

Edit to clarify: I am using SSL Kill Switch 2 (0.14-3+debug)

Edit2: It turns out my version of SSL Kill Switch 2 was older than the latest release, which now includes some fixes. I updated, and now there are no more certificate errors; however, after the requests work a few times, I start getting 403s. At first I thought my IP was being rejected, but then I tested with Postman and I consistently get 200; I am only rejected when using the Fiddler proxy, so I am still trying to find out what causes the difference. I made sure the headers and message Postman sends are exactly the same as those the app on the phone sends. Comparing working and rejected requests from the phone also does not seem to show any differences.

Thanks!

ssl encryption fiddler
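As an added example (not code from the question or from Fiddler), this Python script parses two of Fiddler's ClientHello dumps in the format quoted above, masks the GREASE values (which are randomized on every connection, hence 0xaaaa in one capture and 0x1a1a in the other) and drops the per-connection fields, so that the one real difference between the working and failing hello stands out: the ALPN list, where the WebKit client also offers h2 (the extra 3-byte entry also accounts for the 3 fewer padding bytes). The WORKING and FAILING strings are constructed abbreviations of the two captures, not the full dumps.

```python
import re

# Constructed sample input: abbreviated copies of the two Fiddler ClientHello summaries quoted above.
WORKING = """\
Extensions: 
    grease (0xaaaa) empty
    server_name api.xxxxxxxx.com
    supported_groups    grease [0xfafa], x25519 [0x1d], secp256r1 [0x17]
    ALPN        http/1.1
    padding     214 null bytes
Ciphers: 
    [BABA]  Unrecognized cipher
"""
FAILING = """\
Extensions: 
    grease (0x1a1a) empty
    server_name api.xxxxxxxx.com
    supported_groups    grease [0xcaca], x25519 [0x1d], secp256r1 [0x17]
    ALPN        h2, http/1.1
    padding     211 null bytes
Ciphers: 
    [EAEA]  Unrecognized cipher
"""
GREASE = re.compile(r"\b(?:0x)?([0-9a-f])a\1a\b", re.I)  # RFC 8701 reserved values, e.g. 0x1a1a, BABA
VOLATILE = {"Random", '"Time"', "SessionID", "key_share", "padding"}  # fields that differ on every connection

def parse_hello(dump):
    """Parse Fiddler's text dump: top-level 'Key: value' lines, indented lines under 'Extensions:'/'Ciphers:'."""
    fields, section = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # 'Key: value', or a bare 'Ciphers:' that opens an indented section
            key, _, value = line.partition(":")
            section = key if not value.strip() else None
            if section is None:
                fields[key] = value.strip()
        elif section == "Ciphers":
            fields.setdefault("Ciphers", []).append(line.split()[0].strip("[]"))
        elif section == "Extensions":
            name, _, value = line.partition(" ")
            fields["ext:" + name + ("#2" if "ext:" + name in fields else "")] = value.strip()  # 2 GREASE exts
    return fields

def diff_hellos(a, b):
    """Fields that still differ once GREASE is masked and per-connection noise is dropped."""
    def norm(fields):
        return {k: GREASE.sub("GREASE", ",".join(v) if isinstance(v, list) else v)
                for k, v in fields.items() if k.split(":", 1)[-1] not in VOLATILE}
    na, nb = norm(parse_hello(a)), norm(parse_hello(b))
    return {k: (na.get(k), nb.get(k)) for k in sorted(set(na) | set(nb)) if na.get(k) != nb.get(k)}
```

diff_hellos(WORKING, FAILING) reports only the ALPN field; everything else in the two captures is either identical or per-connection noise.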
1 answer
-1
votes

@Robert pointed out that this might be a problem with SSL Kill Switch rather than with the Fiddler proxy. After upgrading to a newer version I no longer have the tunnel problem (though now I have another problem that seems related to TLS fingerprinting, which I think I can confirm by using a different proxy).
