问题描述

我正在调试我没有代码的客户端应用程序之一的网络调用.我已完成的步骤如下.

I am debugging network calls of one of the client's application whom code I am not having. The steps I have gone thorough is as below.

1)在Windows系统中安装提琴手.

1) Install fiddler in a windows system.

2)无法进行HTTPS解密.

2) unable HTTPS decryption.

3)设置系统代理以匹配客户所在的国家/地区. (美国)

3) set the system proxy to match the client's country. (USA)

4)在同一网络上的iOS上安装该应用.

4) install the app on iOS to which is on same network.

5)在电话中安装了Fiddler证书，并添加到了受信任的证书中

5) Installed the Fiddler certificate in phone, added to trusted certificate

6)应用了与Windows系统的相同内部IP匹配的手动代理. (不是美国的系统代理)

6) Applied the manual proxy matching the same internal IP of the windows system. (not the system proxy of USA)

现在，当我打开应用程序时，我可以跟踪网络呼叫，直到登录页面.还能够检测发送证书的网络呼叫.但是加载5到8秒后，应用程序显示出了点问题，我们无法为您提供服务"

Now when I open the app, I am able to trace the network calls till login page. Also able to detect network call which send the credentials.But after loading for 5-8 seconds, the app shows "something went wrong, we are unable to serve you"

在发送的网络呼叫中，我看不到我的机器IP(内部IP)的任何痕迹.我更改了手机的时区，以防这是停止投放的触发点.

I am not able to see any trace of my machine IP (internal IP), in network calls being sent. I changed my phones Timezone in case that is the triggering point for stop serving.

在尝试2-3次之后，还会随机出现以下弹出窗口.我已按照要求设置了客户端证书，该证书是从 http://ipv4.fiddler:8888 下载的.

Also randomly after 2-3 attempts the following popup comes. I have set the Client Certificate as asked, which was downloaded from http://ipv4.fiddler:8888 .

我还能看到许多其他应用程序的整个网络呼叫，但不能查看此特定的网络呼叫.

There are many other apps for which I am able to see the entire network calls but not for this specific one.

我的系统设置是否存在任何问题，或者应用程序提供商是否具有识别中间代理人的机制.还是证书问题?

Is there any issue in my system settings or the app provider have mechanism to identify man in the middle proxies. Or certificate issues?

更新1:我检查了提琴手日志，发现以下错误

Update 1 : I checked the fiddler log and found the below error

与TargetURL的HTTPS握手失败确切的错误是对SSPI的调用失败，请参阅内部异常，证书链是由不受信任的颁发机构颁发的.如果是SSL固定，是否是这种情况?

HTTPS hand shake to TargetURL failed The exact error was "a call to SSPI failed, see inner Exception, the certificate chain was issued by an authority that is not trusted. is this case if SSL Pinning?

推荐答案

您正在混淆证书.通常问题出在服务器证书上，但是在您的情况下，问题出在客户端证书上. SSL客户端证书是一项可选功能，它允许基于证书+私钥而不是用户名+密码来识别用户.它通常用于每个用户在智能卡上都有证书+私钥的公司.

You are mixing up the certificates. Usually the problem is the server certificate, however in your case the problem arises from a client certificate. A SSL client certificate is a optional feature that allows to identify a user based on a certificate + private key instead of username+password. It is often used in companies where each user has a certificate+private key on a smart card.

现在有两种可能性:

1. iOS应用程序包括一个客户端证书+私钥，应用程序开发人员使用它来保护通信API(有点类似于API密钥).在这种情况下，您必须提取证书和私钥并将其提供给Fiddler.

1. The iOS app includes a client certificate+private key and the app developers use this to protect the communication API (a bit similar like an API key). In this case you have to extract the certificate and the private key and provide it to Fiddler. Most likely certificate and private key are the same for every device world-wide and can be found as static resource in the iOS app (potentially obfuscated or somehow protected).

服务器要求提供客户端证书，但是提供证书是可选的.我不知道小提琴手能否应付这种情况.

The server asks for a client certificate but providing a certificate is optional. I don't know if Fiddler can handle this situation.

这篇关于网络嗅探/SSL固定:使用Fiddler检测流量时，无法通过移动应用程序中的登录页面获取帖子的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！