Fiddler Trace Connect Tunnels

Fiddler decrypt or not to decrypt

You have collected a Fiddler trace as part of troubleshooting an issue. You find that many or all of the sessions are highlighted as connect tunnels.

Unfortunately this means you have very little data which is usable for troubleshooting the issue you were looking at.

The only information you will have is what response codes devices and servers sent back to the requesting application.

What you will be missing are the headers and body for each request/response pair in the sessions.

You will not know whether an HTTP 200 response truly meant ‘everything is functioning correctly’, or whether an error was returned within the body of the HTTP 200 OK response. This happens more often than many people think.

Office 365 Fiddler Extension

If you are using the Office 365 Fiddler Extension in this scenario, you will likely find the following message in the Session Analysis section:

Session Analysis
----------------
Session Alert: Connect Tunnel
Session Comment: This is an encrypted tunnel. If all or most of the sessions are connect tunnels the sessions collected did not have decryption enabled.
If in any doubt see instructions at https://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/DecryptHTTPS
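To run the same "all or most sessions are connect tunnels" check on a saved trace without the extension, the sketch below counts CONNECT requests in an archive. It is an added example, not code from the original post or from the Office 365 Fiddler Extension; it assumes the trace was saved as a .saz file (a ZIP archive with one raw/NNN_c.txt request file per session), and the 0.8 threshold, the function names and the example.invalid hosts are constructed for illustration.

```python
import io
import re
import zipfile
from collections import Counter

# Assumption: a .saz file is a ZIP archive whose raw/ folder holds one
# NNN_c.txt file per session containing the client request.
REQUEST_FILE = re.compile(r"^raw/\d+_c\.txt$", re.IGNORECASE)

def summarize_saz(saz):
    """Return (total sessions, CONNECT sessions, Counter of tunnel targets)."""
    total = connects = 0
    targets = Counter()
    with zipfile.ZipFile(saz) as archive:
        for name in archive.namelist():
            if not REQUEST_FILE.match(name):
                continue
            total += 1
            lines = archive.read(name).splitlines()
            # Request line looks like "METHOD target HTTP/x.y".
            parts = lines[0].decode("latin-1").split() if lines else []
            if len(parts) >= 2 and parts[0].upper() == "CONNECT":
                connects += 1
                targets[parts[1].lower()] += 1
    return total, connects, targets

def decryption_missing(total, connects, threshold=0.8):
    """True when 'all or most' sessions are tunnels (threshold is an assumed cut-off)."""
    return total > 0 and connects / total >= threshold

def build_sample_saz(request_lines):
    """Constructed sample data: an in-memory archive laid out like a SAZ."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for i, line in enumerate(request_lines, start=1):
            archive.writestr(f"raw/{i:03d}_c.txt", line + "\r\n\r\n")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    sample = build_sample_saz(
        ["CONNECT mail.example.invalid:443 HTTP/1.1"] * 4
        + ["GET http://example.invalid/ HTTP/1.1"]
    )
    total, connects, targets = summarize_saz(sample)
    print(f"{connects}/{total} sessions are CONNECT tunnels")
    print("capture again with decryption enabled:", decryption_missing(total, connects))
```

Pass a path to a real .saz file to `summarize_saz` in place of the constructed sample; the returned counter shows which hosts were only ever seen as tunnels.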

What is the fix?

Decrypt HTTPS Traffic

The simplest answer here is that the option ‘Decrypt HTTPS traffic’ was not checked when the traffic was captured. This means that when the trace was collected, Fiddler was not able to inspect anything inside the SSL tunnel. There is no reactive fix for this; you will need to capture the traffic again with this option enabled.

The certificate Fiddler creates when you enable the ‘Decrypt HTTPS traffic’ option is a self-generated certificate.

Reference: https://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/DecryptHTTPS

Traffic captured from mobile devices?

If the traffic was captured with Fiddler from a mobile device, ensure the certificate from Fiddler was installed and trusted on the mobile device. Note: From iOS 10.3, certificates need to be trusted in addition to being installed.

For further information see the guide on collecting traffic from mobile devices here.

Enterprise Security Appliances

If the Decrypt HTTPS Traffic option was checked, or you capture the traffic again with the same result, then perhaps an Enterprise security device is preventing injection of an unknown SSL certificate.

Raise this as a discussion point with your security team and see if they are able to allow Fiddler on a temporary or limited basis. It may even be necessary to use Fiddler with a certificate (with private key) from a load balancer or other network security device.