I use Fiddler2 to analyse some pages that use https connections. I enabled HTTPS decryption, but I still see some Tunnel to host:443 entries in my log. I can see decrypted HTTPS traffic in the log, so I assume the decyption works.
I think, that a Tunnel to host:443 entry is created in addition to the decrypted log entry when the connection is opened.
Is my assumption correct or did I miss something?
Yes, this is expected.
If you click on Tunnel to Host:443 you'll see the following on the Statistics tab:
The selected session is a HTTP CONNECT Tunnel. This tunnel enables a client to
send raw traffic (e.g. HTTPS-encrypted streams or WebSocket messages) through
a HTTP Proxy Server (like Fiddler).
You can automatically hide these tunnels if you like by clicking Rules > Hide Connects.