SSL received a record that exceeded the maximum permissible length when modifying request with fiddler

Asked 5/1, 2013 at 21:38 Answered 3/4, 2014 at 17:50

I'm trying to implement a in-system SSL server using FiddlerCore:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;

namespace fiddlerCoreTest
{
    using System.IO;
    using System.Threading;
    using Fiddler;

    class Program
    {
        static Proxy oSecureEndpoint;
        static string sSecureEndpointHostname = "localhost";
        static int iSecureEndpointPort = 7777;

        static void Main(string[] args)
        {
            //var tt = Fiddler.CertMaker.GetRootCertificate().GetRawCertData();
            //File.WriteAllBytes("root.crt",tt);

            Fiddler.FiddlerApplication.BeforeRequest += delegate(Fiddler.Session oS)
            {
                oS.bBufferResponse = false;               

                if ((oS.hostname == sSecureEndpointHostname)&&oS.port==7777)
                {
                    oS.utilCreateResponseAndBypassServer();
                    oS.oResponse.headers.HTTPResponseStatus = "200 Ok";
                    oS.oResponse["Content-Type"] = "text/html; charset=UTF-8";
                    oS.oResponse["Cache-Control"] = "private, max-age=0";
                    oS.utilSetResponseBody("<html><body>Request for httpS://" + sSecureEndpointHostname + ":" + iSecureEndpointPort.ToString() + " received. Your request was:<br /><plaintext>" + oS.oRequest.headers.ToString());
                }
            };

            FiddlerCoreStartupFlags oFCSF = FiddlerCoreStartupFlags.Default;
            oFCSF = (oFCSF & ~FiddlerCoreStartupFlags.RegisterAsSystemProxy);

            Fiddler.FiddlerApplication.Startup(8877, oFCSF);

            oSecureEndpoint = FiddlerApplication.CreateProxyEndpoint(iSecureEndpointPort, true, sSecureEndpointHostname);
            if (null != oSecureEndpoint)
            {
                FiddlerApplication.Log.LogFormat("Created secure end point listening on port {0}, using a HTTPS certificate for '{1}'", iSecureEndpointPort, sSecureEndpointHostname);
            }

            Console.WriteLine("Press any key to exit");

            Console.ReadKey();
        }
    }
}

in firefox, GET http://localhost:7777/ works fine, but when I GET https://localhost:7777/ , firefox reports following error:

SSL received a record that exceeded the maximum permissible length

Why do I get this, and how can I fix it?

UPDATE This happens only when I use fiddler as the proxy with firefox. When I remove fiddler proxy, I can access https://localhost:7777/ . However, I would also like to be able to access https://localhost:7777/ via proxy

Leialeibman answered 5/1, 2013 at 21:38 Comment(2)

Let's back up a little bit. When Fiddler isn't set as the proxy in Firefox, can you visit localhost:7777? Also, what's the exact version of Firefox that you're using? Does a breakpoint on utilCreateResponseAndBypassServer ever get hit? – Peahen 8/1, 2013 at 22:56

I'm using ff17.0.1 . When I visit https://localhost:7777 without proxy, it works. oS.utilCreateResponseAndBypassServer(); gets hit, and the function returns a response to fiddler core. – Leialeibman 10/1, 2013 at 15:54

The problem in this scenario is that you're processing this traffic twice:

First, the browser sends a CONNECT to port 8888 saying: "Please give me a TCP/IP tunnel to port 7777" and then after Fiddler says "Okay, we'll do that" the client sends a HTTPS request through that tunnel to port 7777.

The problem here is that you're mangling that CONNECT response and returning HTML instead of allowing the HTTPS handshake from port 7777 to flow through.

The simplest way to fix this would be to change your BeforeRequest code to the following:

if ( (oS.hostname == sSecureEndpointHostname) && (oS.port==7777)
    && !oS.HTTPMethodIs("CONNECT")) {

After you do this, your CONNECT tunnel will no longer be getting mangled and the HTTPS handshake will succeed.

Peahen answered 3/4, 2014 at 17:50 Comment(0)

HTTPS traffic is encrypted and fiddler as a web debugger proxy cannot decrypt/analyze packet data being sent through fiddler. It uses a MITM attack to decrypt SSL traffic being sent via fiddler, see here: http://www.fiddler2.com/fiddler/help/httpsdecryption.asp

So you have to enable SSL option in fiddler, then re-check it. If it doesn't worked, try to provide a manual MITM certificate to fiddler.

Priscian answered 31/1, 2013 at 1:27 Comment(4)

fiddler decrypts the ssl traffic ok. but when I'm trying to modify it, I'm getting this error – Leialeibman 31/1, 2013 at 20:37

Fiddler should allow you to modify the packet and the inner information; if you wish. It is supposed to have Fiddler Injector property that you can configure. – Cloak 4/2, 2013 at 22:20

well, in my experience it lets me modify http requests just fine, and fails on https requests with this error – Leialeibman 6/2, 2013 at 20:17

could you use same certificate in your fiddler and web server? – Priscian 7/2, 2013 at 7:12

The problem in this scenario is that you're processing this traffic twice:

The problem here is that you're mangling that CONNECT response and returning HTML instead of allowing the HTTPS handshake from port 7777 to flow through.

The simplest way to fix this would be to change your BeforeRequest code to the following:

if ( (oS.hostname == sSecureEndpointHostname) && (oS.port==7777)
    && !oS.HTTPMethodIs("CONNECT")) {

After you do this, your CONNECT tunnel will no longer be getting mangled and the HTTPS handshake will succeed.

Peahen answered 3/4, 2014 at 17:50 Comment(0)

Recommended topics

Hot tags