I am working on the authentication and protection against Fiddler and its counterparts simultaneously. I have found a lot of resources online that could help me with this, but I haven't achieved the desired results. Below, I have attached everything I have tried.
I also found an interesting piece of code on Github that uses ElectronJS and does exactly what I need. I attempted to replicate it in Java, but again, I was unsuccessful.
I hope you can help me; I have been struggling with this for a long time.
ElectronJS part (from Github)
session.setCertificateVerifyProc((request, callback) => {
if (request.certificate.issuer.commonName == 'DO_NOT_TRUST_FiddlerRoot') {
// 假设现在安装的是 Fiddler 的证书
callback(-2) // 如果不符合预期,传入 -2 驳回
} else {
callback(-3) // -3 表示使用 Chromium 的验证结果,0 表示成功并禁止使用证书透明度验证
}
})
My attempt to replicate
SSLSocketFactory factory = HttpsURLConnection.getDefaultSSLSocketFactory();
SSLSocket socket = (SSLSocket) factory.createSocket("XXX", 443);
socket.startHandshake();
SSLSession session = socket.getSession();
for (Certificate certificate : session.getPeerCertificates()) {
X509Certificate cert = (X509Certificate) certificate;
System.out.println(cert.getIssuerDN().getName());
if (cert.getIssuerDN().getName().contains("DO_NOT_TRUST_FiddlerRoot")) {
throw new SSLHandshakeException("Invalid certificate");
}
}
The result when Fiddler is not running
CN=GlobalSign ECC OV SSL CA 2018, O=GlobalSign nv-sa, C=BE CN=GlobalSign, O=GlobalSign, OU=GlobalSign ECC Root CA - R5 CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
The result when Fiddler is running
CN=GlobalSign ECC OV SSL CA 2018, O=GlobalSign nv-sa, C=BE CN=GlobalSign, O=GlobalSign, OU=GlobalSign ECC Root CA - R5 CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
The Fiddler HTTPS certificate is installed, everything is good with that
And many, many other options, tried using not just getPeerCertificates, but for example getLocalCertificates, but it returned null