As far as I know, SSL traffic cannot be decrypted without the proper certificate.
OK.
But why when I use cURL on PHP, and set it to go through Fiddler proxy on another host:
curl_setopt($ch, CURLOPT_PROXY, "192.168.2.182");
curl_setopt($ch, CURLOPT_PROXYPORT, "8888");
I still can see the created [Tunnels:443] and read HTTPS traffic without installing Fiddler's Certificate on the host running the PHP code.
PHP (linux) <---------------> Fiddler (192.168.2.182) <---------------> (Server:443)
Can someone explain what is happening here?
From the sound of it, you haven't configured curl to validate that the
server (Fiddler) has provided a valid certificate chain.
curl.haxx.se/docs/sslcerts.html - EricLaw
I wish this was posted as an answer.
Related
I have a LAMP web server running as a web server. I'm debugging its PHP code using Xdebug and PhpStorm.
I use Firefox with Xdebug helper enabled to send HTTP request to the web server, PhpStorm catches that request and starts debugging.
Now, I want PhpStorm to catch and debug any HTTP request to the web server (not only requests from Firefox+Xdebug helper). For example, I want to send HTTP requests via CURL/BURPSUITE for debugging purpose.
How can I do it?
If you want Xdebug to always (try to) make a connection, simply set xdebug.remote_autostart=1 in php.ini. Then regardless of whether the cookie (that the Firefox extension sets) is present, Xdebug will make a connection to your IDE.
The xdebug helper browser extension works by setting a cookie in the HTTP request so you could try setting a cookie but there is even simpler way - just append this url param (XDEBUG_SESSION_START) and it would trigger xdebug
$url='http://mywebsite.com?XDEBUG_SESSION_START=phpstorm';
curl_setopt($handle, CURLOPT_URL, $url);
It works in curl as well as in browser
Here phpstorm is the idekey I have configured in php.ini, so change it as per your settings
Installed postman from Chrome.
Getting error related to ssl certificate when posting https request.
Looks postman could not have SSL handshake with server, although server is working fine.
2021 Update:
For those interested to configure properly your certificates within Postman, please follow the below tutorials:
Postman: Working with certificates
How to Troubleshoot SSL Certificate & Server Connection Issues
Old solution, only disabling the SSL verification.
For anyone having this trouble.
Self-signed SSL certificates are being blocked:
Fix this by turning off 'SSL certificate verification' in Settings > General
So, just try to disable the SSL certificates in the Postman Settings.
After that, Postman was able to normally make POST requests through HTTPS.
Source: Postman help.
Open chrome and directly posting the https url for the post request, then reopen postman it works. Chrome browser did the SSL handshake and past the info to postman so postman can continue with https request.
Recently we have moved our website on new server and after that curl requests has stopped working. Our website is on Magento and we are using a plugin which sends request to a webservice using curl.
This code is working on local system and also in old server but on new server curl send the blank response.
I have also print the curl_error output and it is saying "couldn't connect to host". Please let me know if anyone has face this same issue.
is very explicit ... it means Failed to connect() to host or proxy.
The following code would work on any system:
$ch = curl_init("http://google.com"); // initialize curl handle
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
$data = curl_exec($ch);
print($data);
If you can not see google page then .. your URL is wrong or you have some firewall or restriction issue.
I'm trying to get Fiddler to work with my company's proxy. Every external request is returning 407.
So far I've tried adding oSession.oRequest["Proxy-Authorization"] = "YOURCREDENTIALS"; to the customized rules where I used my USERNAME:PASSWORD in base64. Still no luck.
Any ideas? Thanks.
What worked for me was much more simpler:
Rules > Automatically Authenticate
Note: There is an answer with a higher voting available. Because of SO sorting it is below the accepted answer.
I had the same problem, too, and solved it like this:
Started Fiddler with it's standard configuration.
Started IE and made a HTTP-request to an external web-site.
The proxy authorization dialogue popped up, where I entered my credentials.
In Fiddler searched the request headers for "Proxy-Authorization".
Copied the header value which looked like "Basic sOMeBASE64eNCODEdSTRING=" to the clipboard.
Altered the CustomRules.js with the following line within OnBeforeRequest:
oSession.oRequest["Proxy-Authorization"] = "Basic sOMeBASE64eNCODEdSTRING=";
So my approach was quite similar to yours just that in advance I checked what kind of proxy authorization the server required by using Fiddler to debug the authorization header. That way I found out I had to add "Basic" before the Base64 encoded credentials and I didn't even have to use the tool to encode the credentials to Base64. Just copied the value from the proxy authorization header.
My Answer is simple. If your company proxy is NTLM, download ,setUp and configure cntlm. Route your fiddler to cntlm port by setting proxy settings.
Done! that is how i configured fiddler in my company
What version of Fiddler are you using?
Fiddler will automatically chain to your organization's proxy, and all current versions of Fiddler support passing of authentication information between the client and the authenticating proxy.
How are you generating the HTTP requests in question? What are the exact HTTP response headers?
http://blog.bareweb.eu/2010/10/http-debugging-fiddler-tip-1/
There's an entry in the "Rules" menu for Requiring Proxy Authentication. Use that and you should get a bit further!
Fiddler should pick up native proxy configuration automatically.
I'm looking to use cURL to login to Blackboard, a course management system used a many universities. (For example, http://blackboard.unh.edu)
How would I do this? Blackboard uses HTTPS certificates and cookies too I believe. Thanks!
Do a view source of "https://blackboard.unh.edu/webapps/portal/frameset.jsp" and figure out what form fields are login and password.
Then use curl's --data option to POST that data. If compiled w/ SSL, curl will handle https as easily as it handles http.
A truly ugly (but easy) option: install paros proxy and set your web browser to use it. Then you can see unencrypted the traffic that you're sending to the site.
An easy way to achieve this is to install the AutoSignOn Building Block at http://projects.oscelot.org/gf/project/autosignon/.
With that B2 installed all you need to do is craft the correct URL to login to Blackboard.