c# – 在Safari,IE和iOS设备上使用Fiddler信任证书并捕获流量

前端之家收集整理的这篇文章主要介绍了c# – 在Safari,IE和iOS设备上使用Fiddler信任证书并捕获流量前端之家小编觉得挺不错的,现在分享给大家,也给大家做个参考。
我在 gist here中设置了我的Fiddler代理.

码:

public class ProxyConfig
    {
        private readonly string _secureEndpointHostname = IPAddress.Any.ToString();
        private readonly int _secureEndpointPort = 4555;
        private readonly int _port = 18882;

        private static readonly ICollection<Session> AllSessions = new List<Session>();

        private static Fiddler.Proxy _secureEndpoint;

        private static readonly LoggerCnx Logger = new LoggerCnx();
        private Action<string> onRequest;

        public ProxyConfig()
        {
        }

        public ProxyConfig(Action<string> onRequest)
        {
            this.onRequest = onRequest;
        }

        public void SetupProxyListener()
        {
            FiddlerApplication.SetAppDisplayName("FiddlerCoreProxyApp");

            // This is a workaround for known issue in .NET Core - https://github.com/dotnet/coreclr/issues/12668
            CultureInfo.DefaultThreadCurrentUICulture = new CultureInfo("en-US");

            // Simply echo notifications to the console.  Because Fiddler.CONFIG.QuietMode=true 
            // by default,we must handle notifying the user ourselves.
            //Fiddler.FiddlerApplication.OnNotification += delegate (object sender,NotificationEventArgs oNEA) { System.Diagnostics.Debug.WriteLine("** NotifyUser: " + oNEA.NotifyString); };
            FiddlerApplication.Log.OnLogString += delegate (object sender,LogEventArgs oLEA) { Logger.Info("** LogString: " + oLEA.LogString); };

            FiddlerApplication.BeforeRequest += delegate (Session session)
            {

                if (!CertMaker.rootCertIsTrusted())
                {
                    CertMaker.trustRootCert();
                }

                if (onRequest != null)
                {
                    onRequest(session.fullUrl);
                }

                // In order to enable response tampering,buffering mode MUST
                // be enabled; this allows FiddlerCore to permit modification of
                // the response in the BeforeResponse handler rather than streaming
                // the response to the client as the response comes in.
                session.bBufferResponse = false;
                lock (AllSessions)
                {
                    AllSessions.Add(session);
                    Logger.Info("Session: " + session.fullUrl);
                }
                session["X-AutoAuth"] = "(default)";

                if ((session.oRequest.pipeClient.LocalPort == _secureEndpointPort) && (session.hostname == _secureEndpointHostname))
                {
                    session.utilCreateResponseAndBypassServer();
                    session.oResponse.headers.SetStatus(200,"OK");
                    session.oResponse["Content-Type"] = "text/html; charset=UTF-8";
                    session.oResponse["Cache-Control"] = "private,max-age=0";
                    session.utilSetResponseBody("<html><body>Request for httpS://" + _secureEndpointHostname + ":" + _secureEndpointPort.ToString() + " received. Your request was:<br /><plaintext>" + session.oRequest.headers.ToString());
                }
            };

            Logger.Info($"Starting {FiddlerApplication.GetVersionString()}...");
            CONFIG.IgnoreServerCertErrors = true;
            CONFIG.bCaptureCONNECT = true;

            FiddlerApplication.Prefs.SetBoolPref("fiddler.network.streaming.abortifclientaborts",true);

            FiddlerCoreStartupFlags startupFlags = FiddlerCoreStartupFlags.Default;

            startupFlags = (startupFlags | FiddlerCoreStartupFlags.DecryptSSL);
            startupFlags = (startupFlags | FiddlerCoreStartupFlags.AllowRemoteClients);
            startupFlags = (startupFlags & ~FiddlerCoreStartupFlags.MonitorAllConnections);
            startupFlags = (startupFlags & ~FiddlerCoreStartupFlags.CaptureLocalhostTraffic);

            FiddlerApplication.Startup(_port,startupFlags);

            Logger.Info("Created endpoint listening on port {0}",_port);

            Logger.Info("Starting with settings: [{0}]",startupFlags);
            Logger.Info("Gateway: {0}",CONFIG.UpstreamGateway.ToString());

            // Create a HTTPS listener,useful for when FiddlerCore is masquerading as a HTTPS server
            // instead of acting as a normal CERN-style proxy server.
            _secureEndpoint = FiddlerApplication.CreateProxyEndpoint(_secureEndpointPort,true,_secureEndpointHostname);
            if (null != _secureEndpoint)
            {
                Logger.Info("Created secure endpoint listening on port {0},using a HTTPS certificate for '{1}'",_secureEndpointPort,_secureEndpointHostname);
            }
        }
    }

其目的是捕获和分析来自Windows,Mac OS X,Android和iOS浏览器(主要是桌面和移动设备上的Chrome,Firefox和Safari)的流量.

到目前为止,它似乎正在努力:

> Windows浏览器:Chrome,Firefox.不适用于IE和Edge
> Android:Chrome
> Mac OS:Chrome,Firefox. Safari无法正常工作
> iOS:没有

在我的日志文件中,我看到Fiddler在浏览器无法正常工作时记录以下错误(适用于所有设备). HTTPS请求的示例:

2018-02-14 17:25:50.3860 | INFO | ** LogString:
!SecureClientPipeDirect Failed: System.IO.IOException Authentication
Failed because the remote party has closed the transport stream. for
pipe (CN=*.optimizely.com,O=DO_NOT_TRUST_BC,OU=Created by
07001)

从我在过去几天读到的试图为此找到解决方案的内容来看,原因是设备上不信任的证书.

这些测试使用他们提供的名为BrowserStack Local的功能在BrowserStack上运行.有关它的详细信息是herehere.

现在我的问题可以分为桌面和移动:

>为什么Chrome和Firefox能够发出HTTPS请求,而IE,Edge和Safari却无法做到这一点?
>对于iOS,特别是有一个Fiddler for iOS文档here,指定了配置设备所需的步骤.但是,正如我已经提到的,我不使用内部iOS设备,而是使用BrowserStack提供的物理设备.有没有办法以编程方式信任iOS设备(iOS 9.x,iOS 10.x,iOS 11.x)上的证书?

我可以使用任何变通方法吗?

编辑:
FiddlerCore and BrowserStack Local logs are here.

解决方法

从您的第二个问题开始,官方 Telerik论坛上有关于IOS设备的讨论说明:

SSL2 shouldn’t ever be enabled,and it isn’t enabled in Fiddler unless
you go out of the way to shoot yourself in the foot.

If you’ve properly configured your iOS device to trust Fiddler’s root
certificate,then HTTPS interception will work properly in clients
except where certificate pinning is in use. While Certificate Pinning
in Chrome won’t matter on the Desktop,on iOS they ignore the Trusted
Certificates store and as a consequence Fiddler interception will not
work. But most sites and apps do not use pinning. If a site or app
uses pinning,there’s no workaround short of jailbreaking the device.
This isn’t a limitation unique to Fiddler– every HTTPS-decrypting
proxy has exactly the same limitation.

我想这将回答你的第一个答案以及IE正在使用证书固定以及我记得很多.

猜你在找的C#相关文章