Bypassing TLS certificate mismatch


I'm trying to capture WebSocket communication between my Java client, based on https://github.com/TakahikoKawasaki/nv-websocket-client, and the server wss://echo.websocket.org using Fiddler. I can listen to a non-secure connection (ws://) by redirecting the client to localhost:8888 with Proxifier or ProxyCap. With TLS, however, I get an error: "The certificate of the peer does not match the expected hostname (echo.websocket.org)". How can I solve this issue without modifying the client's source code? With a browser (Chrome/Firefox) I can see everything without a problem (I trust Fiddler's root certificate). I'm using Windows 7.

Edit with more info:
I tried EricLaw's solution, but the result is the same. I printed the verification steps inside the client:

    //direct connection:
    (SocketConnector)mSocket.InetAddress: echo.websocket.org/174.129.224.73
    (SocketConnector)mSocket.getLocalSocketAddress: /192.168.0.100:2044
    (SSLSession)verify: host=echo.websocket.org
    (SSLSession)verify: cipher suite=TLS_RSA_WITH_AES_128_CBC_SHA256
    (SSLSession)verify: peer host=echo.websocket.org
    (SSLSession)verify: session.toString=[Session-1, TLS_RSA_WITH_AES_128_CBC_SHA256]
    verifyHostName: hostName=echo.websocket.org, pattern=*.websocket.org
    VERIFIED!

    //proxy+fiddler:
    (SocketConnector)mSocket.InetAddress: echo.websocket.org/174.129.224.73
    (SocketConnector)mSocket.getLocalSocketAddress: /127.0.0.1:2039
    (SSLSession)verify: host=echo.websocket.org
    (SSLSession)verify: cipher suite=SSL_NULL_WITH_NULL_NULL
    (SSLSession)verify: peer host=null
    (SSLSession)verify: session.toString=[Session-1, SSL_NULL_WITH_NULL_NULL]

Inside Fiddler:
200 HTTP Tunnel to 174.129.224.73:443 proxifier:5840
There is no response to the CONNECT header (SessionID: empty). I also tried combinations of Protocols: <client>;ssl3;tls1.0;tls1.1;tls1.2 and I added FiddlerRoot.cer to the Java cacerts.
I would appreciate more ideas.

Edit 2
I had multiple Java versions installed and I added the cert to the wrong keystore. The final solution was indeed oSession["x-OverrideCertCN"] = "*.websocket.org"; inside the OnBeforeRequest function + cacerts update.


Solution

  • The simplest mechanism would be to configure Fiddler to set the hostname of the certificate to echo.websocket.org (or whatever).

    // Put the correct IP address or hostname in the next line.
    if (oSession.uriContains("1.2.3.4")) {
        oSession["x-OverrideCertCN"] = "*.websocket.org";
    }
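
Both halves of the final fix (the certificate name override and importing the Fiddler root into the keystore of the JVM that actually runs the client) can be checked from inside that JVM. The following is an added example, not code from the question, the answer or nv-websocket-client. It assumes the Fiddler root certificate's subject contains the text "FiddlerRoot" (pass another marker as the first argument), that no custom `javax.net.ssl.trustStoreType` is set, and it uses a simplified wildcard matcher rather than the client's own verifier.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class TrustStoreCheck {
    // Simplified wildcard match: "*." covers exactly one left-most label.
    static boolean matches(String host, String pattern) {
        host = host.toLowerCase();
        pattern = pattern.toLowerCase();
        if (!pattern.startsWith("*.")) return host.equals(pattern);
        int dot = host.indexOf('.');
        return dot > 0 && host.substring(dot).equals(pattern.substring(1));
    }

    // Trust store JSSE picks by default: system property, then jssecacerts, then cacerts.
    static File defaultTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) return new File(prop);
        File dir = new File(System.getProperty("java.home"), "lib/security");
        File jsse = new File(dir, "jssecacerts");
        return jsse.exists() ? jsse : new File(dir, "cacerts");
    }

    // True if any certificate in the store has `marker` in its subject DN.
    static boolean hasSubject(KeyStore ks, String marker) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate && ((X509Certificate) c)
                    .getSubjectX500Principal().getName().contains(marker)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        String marker = args.length > 0 ? args[0] : "FiddlerRoot"; // assumed subject text
        File store = defaultTrustStore();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(store)) {
            ks.load(in, null); // null password: read certificates, skip integrity check
        }
        System.out.println("java.home   = " + System.getProperty("java.home"));
        System.out.println("trust store = " + store);
        System.out.println("contains '" + marker + "' = " + hasSubject(ks, marker));
        // Name checks for the expected host against the tunnel IP and the overridden CN.
        System.out.println("IP name ok  = " + matches("echo.websocket.org", "174.129.224.73"));
        System.out.println("wildcard ok = " + matches("echo.websocket.org", "*.websocket.org"));
    }
}
```

Run it with the same `java` executable that launches the client; with several Java versions installed, the printed `java.home` shows which `cacerts` file the import has to target.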