This is a migrated thread and some comments may be shown as answers.

Firefox 36.0 breaks Fiddler HTTPS decryption

a asked on 28 Oct 2015, 03:07 AM

There seems to be a problem with Firefox version 36.0 onwards with the Fiddler HTTPS decryption option.  The instructions at http://www.telerik.com/blogs/configuring-firefox-for-fiddler used to work for adding the Fiddler root certificate so that Firefox will trust the certificates that Fiddler issues.  This is also the only way to trust Fiddler for HSTS (HTTP Strict Transport Security) sites because Firefox doesn't allow adding regular "exceptions" for those sites.

After updating Firefox, I found that the Fiddler root CA no longer works to connect to the HTTPS websites.  Firefox gives a "ssl_error_bad_cert_domain" error.  An example of what this looks like is:

www.google.com uses an invalid security certificate. The certificate is only valid for *.google.com (Error code: ssl_error_bad_cert_domain)

 

So this appears to be failing to match the wildcard domain (*.google.com) to the website (www.google.com) and rejecting the certificate as a result.

I tried downgrading back to different Firefox versions, and found that 35.0.1 is the last one that seems to work properly for the Fiddler HTTPS decryption, with 36.0 breaking this functionality.

I first reported this issue on Mozilla support: https://support.mozilla.org/en-US/questions/1090724

 

Is this a known bug / break in compatibility?  Has anyone reported this issue yet and is there a known workaround?

11 Answers, 1 is accepted

0
Eric Lawrence
Telerik team
answered on 28 Oct 2015, 05:09 PM
Hi, a--

Thanks for the clear bug report, which clearly demonstrates the problem.

The problem here is that Firefox 36+ apparently dropped support for wildcards (*.example.com) in the SubjectCN parameter, requiring that wildcards only appear in the SubjectAltNames field of the certificate.

The default Fiddler Certificate Provider (makecert) cannot generate certificates with SubjectAltNames, leading to this problem (which isn't present in IE or Chrome).

There are two simple workarounds for this; pick one:

Best Choice: Click Tools > Fiddler Options > HTTPS. Click "Certificates Generated By: Fiddler.DefaultCertificateProvider." In the box that appears, change the dropdown to "CertEnroll." CertEnroll generates more "modern" certificates containing SubjectAltNames and other features that improve performance. After you save this change, you will probably need to untick the "Decrypt HTTPS traffic" checkbox, click "Remove Interception Certificates" (accepting all prompts), then restart Fiddler and recheck the "Decrypt HTTPS traffic" checkbox (accepting all prompts). This will ensure you end up using the new certificate generator and none of the old cached certificates are used.

Ok Choice: Click Tools > Fiddler Options > HTTPS. Click "Certificates Generated By: Fiddler.DefaultCertificateProvider." In the box that appears, untick the Use Wildcards box. This will disable MakeCert's use of wildcards in certificates.

Regards,
Eric Lawrence
Telerik
Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
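The hostname check described in the answer above, as an added example that is not part of the original thread or Fiddler's code. It models a client that ignores wildcard Subject CNs and accepts wildcards only from SubjectAltNames; the certificate dictionaries follow the shape of Python's `ssl.getpeercert()` and all three are constructed for illustration.

```python
# Added example: why a CN-only wildcard certificate fails name matching
# while a SAN-bearing one passes. Sample certificates are constructed.

def _match(pattern, host):
    """Match one DNS name; '*' may only be the entire left-most label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse overly broad patterns such as '*.com'.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def hostname_ok(cert, host, cn_wildcards):
    """cn_wildcards=True models the older behaviour (wildcard CN accepted);
    False models the behaviour described above for Firefox 36+."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        # When DNS SANs are present they are authoritative; CN is ignored.
        return any(_match(s, host) for s in sans)
    cns = [v for rdn in cert.get("subject", ())
           for k, v in rdn if k == "commonName"]
    return any(_match(cn, host) for cn in cns
               if cn_wildcards or "*" not in cn)

# Constructed stand-ins for the three generator settings in the answer.
MAKECERT_WILDCARD = {"subject": ((("commonName", "*.google.com"),),)}
MAKECERT_EXACT = {"subject": ((("commonName", "www.google.com"),),)}
CERTENROLL_WILDCARD = {
    "subject": ((("commonName", "*.google.com"),),),
    "subjectAltName": (("DNS", "*.google.com"),),
}

def diagnose(host):
    """Return {cert label: (older client result, SAN-only-wildcard result)}."""
    certs = {"makecert+wildcards": MAKECERT_WILDCARD,
             "makecert, wildcards off": MAKECERT_EXACT,
             "certenroll+wildcards": CERTENROLL_WILDCARD}
    return {name: (hostname_ok(c, host, True), hostname_ok(c, host, False))
            for name, c in certs.items()}

if __name__ == "__main__":
    for name, result in diagnose("www.google.com").items():
        print(f"{name:26} older={result[0]} san_only_wildcards={result[1]}")
```

Only the first certificate changes outcome between the two modes, which matches the `ssl_error_bad_cert_domain` symptom reported in the question and explains why either workaround clears it.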
0
Maxime
answered on 30 Oct 2015, 09:17 AM

I have used firefox 41 with fiddler4 for a while now, and HTTPS decryption broke just this morning, right after fiddler's auto update (v4.6.1.2). HTTPS decryption broke with other browsers also (tested with IE), so it has nothing to do with firefox in my case, especially since CertEnroll was already selected in my configuration.

What worked for me though is your 2nd workaround: unticking the "Use Wildcards" box.
0
Eric Lawrence
Telerik team
answered on 30 Oct 2015, 06:18 PM
Hello, Maxime--

I'd be very interested to learn more about your configuration, including, specifically what error exactly you see in the browser(s) in question, and what, if any, messages appear in Fiddler's Log tab.

I use Fiddler without errors with CertEnroll and Wildcards enabled with Chrome, Firefox, Internet Explorer, and Microsoft Edge.

Regards,
Eric Lawrence
Telerik
0
Maxime
answered on 30 Oct 2015, 07:19 PM

The error displayed in chrome is (trying to access https://www.wikipedia.org/) :

NET::ERR_CERT_AUTHORITY_INVALID
Subject: *.wikipedia.org
Issuer: DO_NOT_TRUST_FiddlerRoot
Expires on: 28 oct. 2020
Current date: 30 oct. 2015

Fiddler logs are:

20:12:46:1467 !SecureClientPipeDirect failed: System.IO.IOException Échec de l'authentification, car le site distant a fermé le flux de transport. for pipe (CN=*.wikipedia.org, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com)

When I disable wildcard certificates and restart fiddler, it works in all browsers (i.e. the root certificate is installed). The error is present on all HTTPS sites, not just the sites implementing HSTS.

0
Eric Lawrence
Telerik team
answered on 30 Oct 2015, 08:57 PM
Hi, Maxime--

The problem here is not actually related to wildcarding, but instead relates to the fact that the trust chain to the root certificate is broken. You can resolve this problem (using CertEnroll with wildcarding enabled) by resetting your certificates.

Regards,
Eric Lawrence
Telerik
0
Maxime
answered on 30 Oct 2015, 10:32 PM

Worked like a charm, thanks.

I remember having uninstalled / regenerated / reinstalled fiddler's root cert manually (in mmc.exe and firefox cert store) this morning, after the first time I noticed the error, with no effect though... not sure why, especially since firefox uses its own store, so fiddler's "Remove Interception Certificates" button should have no effect on it and the cert reinstallation process is the same I did before.

Well, I must have missed something!

0
jon
answered on 02 Jun 2016, 06:13 PM
I'm on Firefox 46 and neither of your recommendations work unfortunately.
0
Tsviatko Yovtchev
Telerik team
answered on 07 Jun 2016, 05:21 PM
Hello jon,

What is the error you are getting? Does it affect just Firefox? How did this start happening? Did you update Fiddler or did you update Firefox? Which version of Fiddler are you using?

Regards,
Tsviatko Yovtchev
Telerik
0
Gustavo
answered on 05 Aug 2016, 07:04 AM
I am also having problems with firefox (currently version 47). IE 11 and Chrome 51 work without problems. I am using Telerik Fiddler Web Debugger (v4.6.2.30081) and tried resetting the certificates/unticking wildcard as suggested above. Unfortunately, Firefox still gives me the "Your connection is not secure" error.
0
Eddy
answered on 19 Aug 2016, 01:31 PM
I had the same issue until I connected the two comments: firefox having its own CERT store PLUS Cert Authority Chain broken.  Turns out the simple solution (I'm on Firefox 48.0.1) is to download the FiddlerRoot CERT via http://127.0.0.1:8888 within Firefox and install that for Firefox. After that, everything worked like a charm even for sites with HSTS.
0
David
answered on 27 Jul 2017, 04:21 PM

This was a brute force approach I used with FF 54.

Remove Firefox Completely
1. Uninstall FF via control panel
2. Delete all firefox data.  (This was the easiest way to get rid of old certificates)
3. click the windows button
4. in 'Search programs and files' enter: %APPDATA%
5. a window explorer window opens to something like: C:\Users\<username>\AppData\Roaming
6. browse to Mozilla and delete the firefox folder.

Refresh Fiddler Certificates
1. Open Fiddler and go to Tools->Options->HTTPS
2. Unclick Decrypt HTTPS traffic
3. Click Actions->Remove Interception Certificates
4. Once they're removed, restart Fiddler
5. Return to Tools->Options->HTTPS
6. Re select Decrypt HTTPS Traffic (accept all prompts)
7. Click Actions->Export Root Certificate to Desktop

Reinstall Firefox
1. https://www.mozilla.org/en-US/firefox/
2. Goto the options drawer in upper right
3. Select Options->Advanced->Certificates
4. Uncheck Query OCSP
5. Select View Certificates->Authorities
6. Import the Certificate you exported from fiddler above
7. Restart Firefox
8. goto https://google.com and confirm it gets tracked by Fiddler.
