Fiddler cannot capture the HTTPS requests of some apps, and there is no fix!!!


I ran into some apps whose HTTPS requests cannot be captured! The error reported is: !SecureClientPipeDirect failed: System.Security.Authentication.AuthenticationException A call to SSPI failed, see inner exception. < An unknown error occurred while processing the certificate for pipe (CN=*.umeng.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com).

A quick Google search suggests that the certificates of some apps cannot simply be forged.

This answer mentions a mechanism called Certificate Pinning: https://stackoverflow.com/questions/33382870/how-to-capture-httpstls-1-0-communications-from-android-app-with-fiddler4

The official documentation says:

From the Fiddler book:

Certificate Pinning

A very small number of HTTPS client applications support a feature known as “Certificate Pinning” whereby the client application is hardcoded to accept only one specific certificate. Even if the connection uses a certificate that chains to a root that is otherwise fully-trusted by the operating system, such applications will refuse to accept an unexpected certificate.

To date, some Twitter and Dropbox apps include this feature, and Windows 8 Metro apps may opt-in to requiring specific certificates rather than relying upon the system’s Trusted Root store. Firefox’s automatic browser update feature will silently fail when Fiddler is decrypting its traffic. The Microsoft Security toolkit named EMET can enable pinning in any application for certain “high-value” sites (including Windows Live). The Chrome browser supports pinning, but it exempts locally-trusted roots like Fiddler’s.

When a Certificate-Pinned application performs an HTTPS handshake through a CONNECT tunnel to Fiddler, it will examine the response’s certificate and refuse to send any further requests when it discovers the Fiddler-generated certificate. Unfortunately, there is no general-purpose workaround to resolve this; the best you can do is to exempt that application’s traffic from decryption using the HTTPS tab or by setting the x-no-decrypt Session flag on the CONNECT tunnel. The flag will prevent Fiddler from decrypting the traffic in the tunnel and it will flow through Fiddler uninterrupted.

If you're very serious about circumventing pinning, you can jailbreak the device and use any of a number of 3rd party toolkits to disable the pinning code.
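The mechanism the Fiddler book describes above, as an added example that is not part of the original post or of Fiddler's own code: a stdlib-only Python model of SPKI pinning in the style used by Android HTTP clients, where the pin is the SHA-256 of the certificate's SubjectPublicKeyInfo DER. The two certificates are constructed DER skeletons with hypothetical key bytes, not real certificates; a real client would feed in the DER returned by `ssl.SSLSocket.getpeercert(binary_form=True)`. The point it shows is why a Fiddler-issued certificate that passes OS chain validation (the DO_NOT_TRUST root is installed) still fails in the app: Fiddler re-issues the leaf under its own key, so the pin no longer matches.

```python
import base64
import hashlib

# ---- minimal DER helpers (enough for the certificate skeleton below) ----

def der_encode(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite length (content up to 65535 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def der_read(buf: bytes, pos: int = 0):
    """Decode the TLV starting at pos; return (tag, content, end_offset)."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        n, header = first, 2
    else:
        nbytes = first & 0x7F
        n = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        header = 2 + nbytes
    start = pos + header
    return tag, buf[start:start + n], start + n


def der_children(content: bytes):
    """Yield (tag, content, raw_tlv) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, body, end = der_read(content, pos)
        yield tag, body, content[pos:end]
        pos = end

# ---- the pinning check itself ----

def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV of a DER X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, cert_body, _ = der_read(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs_tag, tbs_body, _ = der_read(cert_body)
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = list(der_children(tbs_body))
    if fields and fields[0][0] == 0xA0:  # explicit [0] version is present
        fields = fields[1:]
    return fields[5][2]  # serial, sigAlg, issuer, validity, subject, SPKI


def spki_pin(cert_der: bytes) -> str:
    """HPKP/OkHttp-style pin string: "sha256/" + base64(SHA-256(SPKI DER))."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def pinned_handshake_ok(leaf_der: bytes, os_trusts_chain: bool, pins: set) -> bool:
    """A pinned client accepts only if the OS trusts the chain AND the leaf matches
    a baked-in pin; os_trusts_chain stands in for the platform trust-store verdict."""
    return os_trusts_chain and spki_pin(leaf_der) in pins

# ---- constructed sample certificates (DER skeletons, not real certificates) ----

def _name(cn: str, org: str) -> bytes:
    def rdn(oid: bytes, value: str) -> bytes:
        attr = der_encode(0x06, oid) + der_encode(0x0C, value.encode("utf-8"))
        return der_encode(0x31, der_encode(0x30, attr))
    return der_encode(0x30, rdn(b"\x55\x04\x0A", org) + rdn(b"\x55\x04\x03", cn))


def fake_cert(cn: str, org: str, public_key: bytes) -> bytes:
    """Certificate-shaped DER whose SPKI carries public_key; the signature is a dummy."""
    alg = der_encode(0x30, der_encode(0x06, b"\x2A\x86\x48\xCE\x3D\x02\x01"))  # id-ecPublicKey
    spki = der_encode(0x30, alg + der_encode(0x03, b"\x00" + public_key))
    validity = der_encode(0x30, der_encode(0x17, b"240101000000Z")
                          + der_encode(0x17, b"260101000000Z"))
    tbs = der_encode(0x30,
                     der_encode(0xA0, der_encode(0x02, b"\x02"))  # version v3
                     + der_encode(0x02, b"\x01")                  # serialNumber
                     + alg                                        # signature alg (placeholder)
                     + _name("Constructed CA", org) + validity + _name(cn, org) + spki)
    return der_encode(0x30, tbs + alg + der_encode(0x03, b"\x00" * 9))


REAL_SERVER_KEY = bytes(range(1, 33))   # hypothetical key material
FIDDLER_KEY = bytes(range(101, 133))    # Fiddler re-issues the leaf under its own key

GENUINE_CERT = fake_cert("*.umeng.com", "Constructed Example Org", REAL_SERVER_KEY)
FIDDLER_CERT = fake_cert("*.umeng.com", "DO_NOT_TRUST", FIDDLER_KEY)

APP_PINS = {spki_pin(GENUINE_CERT)}  # hardcoded into the app at build time


def demo() -> tuple:
    """Fiddler's root is installed, so the OS accepts both chains; only the genuine leaf passes the pin."""
    direct = pinned_handshake_ok(GENUINE_CERT, True, APP_PINS)
    via_fiddler = pinned_handshake_ok(FIDDLER_CERT, True, APP_PINS)
    return direct, via_fiddler


if __name__ == "__main__":
    print("direct, via_fiddler =", demo())
```

Because the check runs inside the app after the TLS handshake has already completed, the failure surfaces on the proxy side exactly as the post's error shows: the client simply closes the pipe, and Fiddler reports a certificate-processing failure for the CN it generated. Exempting that host from decryption (the `x-no-decrypt` flag the book mentions) is the supported way to let such traffic pass.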

In short, Fiddler can do nothing against this kind of app certificate validation mechanism; all we can do is sigh helplessly! Alas!

If anyone has a solution to this problem, please leave a comment!! Thanks!