Fiddler generated certificates considered invalid in iOS 15.1

Hi,

I have been using HTTPS decryption in Fiddler for years, to inspect the traffic to and from my app. And it has been working perfectly on my iPhone 6 Plus with iOS 12.5.5.

Recently I got an iPhone 11 with iOS 15.1, and find myself completely unable to get it to work 😢

Because I know, that requirements for certificates have been strengthened in recent versions of iOS, I have "reset" the certificate in Fiddler, letting it generate a new root certificate. I have successfully removed the old root certificate from the phones and installed the new Fiddler certificate on the iPhone 6 Plus, following Fiddler's "Capture Traffic from iOS Device" guide, which means installing the certificate, followed by enabling Full Trust for it - and everything works like a charm.

On the iPhone 11, I have also installed the certificate:

and enabled Full Trust for it:

And yet, if I visit a HTTPS site, like e.g. https://google.com/ in Safari, it will warn me that "This Connection Is Not Private", because the Fiddler generated leaf certificate is for some unknown reason considered invalid???

I have unfortunately not been able find any SSL-related apps, or other tools, which could help identify why the certificate is considered invalid.

In the hope that someone here could maybe be able to spot what iOS 15.1 might think wrong with the certificate, I have attached a screenshot of the information shown if I click the "view the certificate" link in the Safari warning page (I was unfortunately not allowed to attach an exported .cer file).

If I can get the problem identified, there should be a fair chance that Fiddler would also fix it 🤞

It looks like some users of Charles proxy might be experiencing a very similar issue: https://stackoverflow.com/questions/69906780/charles-proxy-network-trace-on-ios-15-1-device-iphone

(FYI. for some sites, Safari gives a different "This Connection Is Not Private" error, where it claims that the site is using deprecated TLS 1.0 or TLS 1.1:

)

TLSv1.3 makes TLS Miscreant-in-the-Middle (MITM) efforts harder, and that difficulty will likely only increase.

The reported cert validity is way too long, too. That should be a year, at most.

Best either code your app to mirror its own traffic, or maybe migrate your HTTPS traffic over to Mitmproxy and use that.

Based on what is reported here, I'd suspect that the MITM might also be downgrading some TLS connections.

FYI. Decrypting HTTPS traffic works just fine in Fiddler - iff you just follow the instructions 😀: https://docs.telerik.com/fiddler/configure-fiddler/tasks/configureforios

I just hadn't noticed that the instructions had been changed beginning of 2021 to specify that you now need to use another certificate generator (Bouncy Castle) than the default one used by Fiddler - most likely to be compliant with the new, strengthened certificate requirements in newer iOS versions ...

Fiddler generated certificates considered invalid in iOS 15.1
 
 
Q