Fiddler is a handy tool that sits between two applications and acts as a proxy. It can view and decrypt HTTP or HTTPS traffic for debugging purposes. For instance, we may need to capture all HTTP or HTTPS requests and responses between a client Java program and the server, with the HTTPS-secured traffic decrypted to plain text and displayed in Fiddler.
1. Configure Fiddler as a proxy listening on a port
Click on Tools -> Fiddler Options to open the Fiddler Options dialog. Switch to the Connections tab, make sure Fiddler listens on the default port 8888, and select “act as system proxy on startup”.
2. Export Fiddler's Root Certificate and Import It into the JRE Keystore
Switch to the HTTPS tab. Ensure the Decrypt HTTPS traffic checkbox is checked. Click the Export Fiddler Root Certificate to Desktop button; this generates the file FiddlerRoot.cer on your Desktop.
Fiddler’s certificate is self-signed and not trusted by the JDK or web browser (since Fiddler is not a trusted root certification authority), so we need to import the Fiddler certificate into the local JVM trust keystore with the following command.
keytool -import -alias fiddlercert -file FiddlerRoot.cer -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -storepass changeit
Tip: Fiddler2 relies on a “man-in-the-middle” approach to HTTPS interception. To the client program or web browser, Fiddler2 claims to be the secure web server, and to the web server, Fiddler2 mimics the web browser. To pretend to be the web server, Fiddler2 dynamically generates an HTTPS certificate.
3. Start the Java program with Fiddler as the proxy
Launch the client Java program with Fiddler as the proxy. Here are the VM args to configure the Fiddler proxy:
java -DproxySet=true -DproxyHost=127.0.0.1 -DproxyPort=8888 MyApp
Alternatively, we can modify the code to set the system HTTP and HTTPS proxy host and port.
System.setProperty("http.proxyHost", "127.0.0.1");
System.setProperty("https.proxyHost", "127.0.0.1");
System.setProperty("http.proxyPort", "8888");
System.setProperty("https.proxyPort", "8888");
4. Monitor HTTPS requests and responses in the Inspectors tab
Once you launch your client program, you should be able to view the HTTPS session (request and response) in the Inspectors tab.
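A variant of steps 2 and 3 that keeps the Fiddler root out of the JRE-wide cacerts file: the certificate is loaded into an in-memory trust store and the proxy is set on a single connection, so only this debug client trusts Fiddler's interception certificate. This is an added example, not code from the original post; the class name FiddlerDebugClient, the default certificate path and the default URL https://example.com/ are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URI;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class FiddlerDebugClient {  // hypothetical class name
    public static void main(String[] args) throws Exception {
        // Assumed inputs: path to the exported FiddlerRoot.cer and a URL to fetch.
        String certPath = args.length > 0 ? args[0] : "FiddlerRoot.cer";
        String target = args.length > 1 ? args[1] : "https://example.com/";

        // Read the exported root certificate (DER or PEM both parse).
        Certificate fiddlerRoot;
        try (InputStream in = new FileInputStream(certPath)) {
            fiddlerRoot = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }

        // In-memory trust store that holds only the Fiddler root.
        // The JRE's cacerts file is not modified.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("fiddlercert", fiddlerRoot);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        // The proxy applies to this connection only, not to the whole JVM.
        Proxy fiddler = new Proxy(Proxy.Type.HTTP, new InetSocketAddress("127.0.0.1", 8888));
        HttpsURLConnection conn =
            (HttpsURLConnection) URI.create(target).toURL().openConnection(fiddler);
        conn.setSSLSocketFactory(ctx.getSocketFactory());

        System.out.println("HTTP status: " + conn.getResponseCode());
        // The issuer shows who signed the certificate this client actually saw.
        X509Certificate leaf = (X509Certificate) conn.getServerCertificates()[0];
        System.out.println("Server certificate issuer: " + leaf.getIssuerX500Principal());
        conn.disconnect();
    }
}
```

Because the trust store contains nothing but the Fiddler root, the TLS handshake fails if the request reaches a server without passing through Fiddler, which keeps this configuration confined to debugging sessions.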