Setting up ProxyCap, Fiddler, and fixing SSL/TLS errors

The following diagram shows a Fiddler proxy (MITM) approach for decrypting HTTPS traffic from a remote machine.

I installed ProxyCap on the remote machine to redirect HTTPS / SSL / TLS traffic through a Fiddler proxy on another machine.

For those unfamiliar, ProxyCap is a utility that allows users to define “proxy rules” on a per-application basis instead of setting a global machine-wide proxy on a computer.

The application I was trying to proxy through Fiddler displayed the following error:

The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

Additionally, the Fiddler proxy machine would pop up an error dialog as shown below:

Session #2: The server (*) presented a certificate that did not validate, because it was issued to a different host.

SANs: …
SUBJECT: …

This warning can be disabled by clicking Tools > Fiddler Options.

The solution

In Fiddler, click Tools > Fiddler Options... and ensure Fiddler is setup to “allow remote computers to connect” as shown below:

Next, export the “root certificate” on the Fiddler proxy.

Copy the FiddlerRoot.cer to the remote machine. Right-click the FiddlerRoot.cer file on the remote machine and Install the certificate on the remote machine. Be sure to install the certificate into the “Trusted Root Certification Authorities” store as shown below:

Last but not least, on the remote machine, be sure to define proxy rules with “Resolve names remotely” checked in ProxyCap rules. This setting avoids IP and certificate mismatches.

And that’s all! Success!

Happy debugging,
Brian Chavez