Fiddler: Decrypting HTTPS with Elliptic Curves & Client Certificates

TL;DR

Yes, Fiddler can decrypt HTTPS traffic even when using elliptic curves and client certificate authentication. However, it requires specific configuration steps to import the root CA certificate used by your server and configure Fiddler to act as a trusted intermediary for both server and client certificates.

Steps

1. Understand the Setup
• Your server uses HTTPS with an elliptic curve cipher suite (e.g., ECDHE).
• Client certificate authentication is enabled, meaning clients must present a valid certificate to connect.
• Fiddler needs to intercept and decrypt this traffic. This requires Fiddler’s root CA certificate to be trusted by both the client and server.
2. Export Fiddler’s Root Certificate
• Open Fiddler Classic.
• Go to Tools > Options > HTTPS.
• Click on Actions… under the ‘Certificate Authorities’ section.
• Select your FiddlerRoot certificate and click Export Certificate…. Save it as a .cer file (e.g., FiddlerRoot.cer).
3. Install Fiddler’s Root Certificate on the Server
• The method varies depending on your server software (Apache, Nginx, IIS, etc.). You need to add FiddlerRoot.cer to the server’s trusted CA store.
• Example for Apache: Edit your SSL configuration file (usually in /etc/apache2/mods-enabled/ssl.conf or similar). Add a line like this, pointing to the certificate path:

  SSLCARevocationFile /path/to/FiddlerRoot.cer

• Important: Restart your web server after installing the certificate for changes to take effect.
4. Install Fiddler’s Root Certificate on the Client Machine(s)
• Double-click FiddlerRoot.cer and follow the wizard to install it in your operating system’s trusted root certificate store. This is usually under ‘Trusted Root Certification Authorities’.
• You may need to restart your browser or application for the changes to take effect.
5. Configure Fiddler to Decrypt Client Certificates
• In Fiddler, go to Tools > Options > HTTPS.
• Ensure that ‘Decrypt HTTPS traffic’ is checked.
• Check the box ‘Ignore server certificate errors’. This is useful for testing but should be disabled in production environments.
• Under ‘Certificate Authorities’, ensure your FiddlerRoot certificate is present and enabled.
6. Configure Fiddler to Handle Client Certificate Authentication
• If the client certificate is required, you may need to manually import it into Fiddler’s certificate store if it’s not automatically detected. This can be done through Tools > Options > HTTPS > Certificate Authorities > Add…
7. Verify Decryption
• Start capturing traffic in Fiddler.
• Access the HTTPS website that uses elliptic curves and client certificate authentication.
• Check if the traffic is decrypted in Fiddler’s Inspectors (e.g., Session > Inspectors). You should be able to see the request headers, body, and response details.

Troubleshooting

• Certificate Errors: If you still see certificate errors, double-check that FiddlerRoot.cer is correctly installed on both the server and client machines. Also, ensure your browser trusts Fiddler’s root CA.
• No Decryption: Verify that ‘Decrypt HTTPS traffic’ is enabled in Fiddler’s options.
• Cipher Suite Issues: Ensure Fiddler supports the elliptic curve cipher suite used by your server.