Network Sniffing/SSL Pinning : Not able to get post through the login page in a mobile app when detecting traffic with Fiddler

匆匆过客 submitted on 2019-12-25 00:54:21

Question


I am debugging the network calls of one of a client's applications, whose code I do not have. The steps I have gone through are as below.

1) Install Fiddler on a Windows system.

2) Enable HTTPS decryption.

3) Set the system proxy to match the client's country (USA).

4) Install the app on an iOS device which is on the same network.

5) Installed the Fiddler certificate on the phone and added it to the trusted certificates.

6) Applied the manual proxy matching the same internal IP of the Windows system (not the system proxy of USA).

Now when I open the app, I am able to trace the network calls up to the login page. I am also able to detect the network call which sends the credentials. But after loading for 5-8 seconds, the app shows "something went wrong, we are unable to serve you".

I am not able to see any trace of my machine IP (internal IP) in the network calls being sent. I changed my phone's time zone in case that is the trigger for it to stop serving.

Also, randomly after 2-3 attempts, the following popup comes. I have set the Client Certificate as asked, which was downloaded from http://ipv4.fiddler:8888.

There are many other apps for which I am able to see the entire network calls but not for this specific one.

Is there any issue in my system settings, or does the app provider have a mechanism to identify man-in-the-middle proxies? Or is it a certificate issue?

Update 1: I checked the Fiddler log and found the below error:

HTTPS handshake to TargetURL failed. The exact error was "a call to SSPI failed, see inner Exception, the certificate chain was issued by an authority that is not trusted". Is this a case of SSL pinning?


Answer 1:


You are mixing up the certificates. Usually the problem is the server certificate; however, in your case the problem arises from a client certificate. An SSL client certificate is an optional feature that allows identifying a user based on a certificate + private key instead of username + password. It is often used in companies where each user has a certificate + private key on a smart card.

There are now two possibilities:

  1. The iOS app includes a client certificate + private key and the app developers use this to protect the communication API (a bit like an API key). In this case you have to extract the certificate and the private key and provide them to Fiddler. Most likely the certificate and private key are the same for every device world-wide and can be found as a static resource in the iOS app (potentially obfuscated or somehow protected).

  2. The server asks for a client certificate but providing a certificate is optional. I don't know if Fiddler can handle this situation.
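
The two possibilities above correspond to the server's client-certificate policy: optional or required. The following is an added example, not part of the original answer, showing from the server side how a TLS handshake behaves under each policy when the connecting party (such as an intercepting proxy) does or does not present a client certificate. It assumes Python 3.8+ and an installed `openssl` CLI; the function names and the `app-client` identity are constructed for illustration.

```python
import os, ssl, subprocess, tempfile

def make_cert(directory, name):
    """Constructed throwaway self-signed cert; assumes the openssl CLI is installed."""
    key, crt = os.path.join(directory, name + ".key"), os.path.join(directory, name + ".crt")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-keyout", key, "-out", crt, "-subj", "/CN=" + name,
                    "-addext", "subjectAltName=DNS:" + name], check=True, capture_output=True)
    return crt, key

def handshake(server_ctx, client_ctx):
    """Run a TLS handshake through memory BIOs; return (completed, server saw a client cert)."""
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = client_ctx.wrap_bio(c_in, c_out, server_hostname="localhost")
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    pending = [(client, c_out, s_in), (server, s_out, c_in)]
    for _ in range(10):
        for side, out_bio, peer_in in list(pending):
            try:
                side.do_handshake()
                pending.remove((side, out_bio, peer_in))
            except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
                pass                      # needs more bytes from the peer
            except ssl.SSLError:
                return False, False       # e.g. a required client cert was not sent
            if (data := out_bio.read()):
                peer_in.write(data)       # deliver this side's flight to the peer
        if not pending:
            return True, bool(server.getpeercert())
    return False, False

def run_scenarios():
    """Try both server policies with and without a client certificate."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        srv_crt, srv_key = make_cert(d, "localhost")
        cli_crt, cli_key = make_cert(d, "app-client")   # hypothetical app client identity
        for mode in (ssl.CERT_OPTIONAL, ssl.CERT_REQUIRED):
            for with_cert in (False, True):
                server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
                server_ctx.load_cert_chain(srv_crt, srv_key)
                server_ctx.load_verify_locations(cli_crt)   # trust anchor for client certs
                server_ctx.verify_mode = mode
                client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
                client_ctx.load_verify_locations(srv_crt)
                if with_cert:
                    client_ctx.load_cert_chain(cli_crt, cli_key)
                results[(mode.name, with_cert)] = handshake(server_ctx, client_ctx)
    return results
```

Only the `CERT_REQUIRED` server rejects a peer that presents no certificate; with `CERT_OPTIONAL` the handshake completes and the server simply sees no client identity, so any enforcement has to happen at the application layer.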



Source: https://stackoverflow.com/questions/56697981/network-sniffing-ssl-pinning-not-able-to-get-post-through-the-login-page-in-a
