Error with HTTPS traffic due to certs with Xbox360

8 posts, 0 answers
  1. John
    5 posts
    Member since:
    Oct 2015

    Posted 27 Oct 2015

    I am using fiddler as a proxy to an Xbox360 and I can't figure out why the certificates don't appear to be trusted. This is the error I am getting and I have tried a few different solutions.
    I have deployed the root certificate created by exporting the root certificate to the xbox360 itself and set another machine as the proxy.

    Added fiddler root certificate to the Trusted Root Certificate Authorities on the proxy machine.

    When I run fiddler on the proxy machine I get a "tunnel to" with this exception.
    12:55:47:1597 /Fiddler.CertMaker> Invoking makecert.exe with arguments: -pe -ss my -n "CN=*.sbx1.cdops.net, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com" -sky exchange -in DO_NOT_TRUST_FiddlerRoot -is my -eku 1.3.6.1.5.5.7.3.1 -cy end -a sha256 -m 132 -b 10/25/2014
    12:55:47:3337 /Fiddler.CertMaker>8-CreateCert(*.sbx1.cdops.net) => (0).
    12:55:47:3717 !SecureClientPipeDirect failed: System.IO.IOException Authentication failed because the remote party has closed the transport stream. for pipe (CN=*.sbx1.cdops.net, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com)
    I did notice the root certificate is sha1 but the interception certificates are sha256. Would that matter? Our services webserver just needs to trust fiddler as a trusted authority, right? This used to work and we didn't have this certificate installed on the webserver previously, so I'm leaning towards a configuration issue with my proxy machine.
    I have also tried installing the certmaker plugin with the same error results.
    Any help is appreciated,
    John G.

  2. Eric Lawrence
    Admin
    833 posts

    Posted 27 Oct 2015

    Hi, John--

    I'm not sure I understand your configuration. Is it [WindowsPC with Fiddler] + [XBOX360]? Or is there another PC involved for some reason?

    Specifically how did you configure the XBOX360 to trust Fiddler's certificate? Please keep in mind that every PC running Fiddler generates its own unique certificate, so you can't just put any "FiddlerRoot" certificate on the XBox and have it work.

    The message: !SecureClientPipeDirect failed: System.IO.IOException Authentication failed because the remote party has closed the transport stream. for pipe (CN=*.sbx1.cdops.net, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com)

    ... typically indicates that the client (presumably your XBOX360?) closed the connection as soon as it received the certificate from Fiddler. This typically happens when the client hasn't been configured to trust the root certificate and thus it assumes it is under attack and aborts. It would also happen if you'd put a FiddlerRoot certificate from "Machine A" on the Xbox but then tried to capture traffic from that Xbox using a Fiddler instance on "Machine B".

    Regards,
    Eric Lawrence
    Telerik
    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
  3. John
    5 posts
    Member since:
    Oct 2015

    Posted 28 Oct 2015 in reply to Eric Lawrence

    Hi Eric,

    The configuration is WindowsPC with Fiddler and then the Xbox360. We export the root certificate to the desktop and then copy that to the xbox360 certificate location.

    According to their documentation we just deploy the root certificate to the machine's certificate store. I'm going to see if I can clear out that location on the xbox360. It could be possible there are multiple fiddler certs deployed on it. I'm not sure how the machine would handle a case like that, but it's worth a test.

  4. Eric Lawrence
    Admin
    833 posts

    Posted 28 Oct 2015

    Hi, John--

    If you had a configuration working previously and it stopped working, chances are good that it's related to Fiddler's recent change to use wildcard certificates. Please see this post for details on how you might resolve this problem.

    Thanks!
    Eric Lawrence
    Telerik
  5. John
    5 posts
    Member since:
    Oct 2015

    Posted 28 Oct 2015 in reply to Eric Lawrence

    I followed the suggested fixes in that mentioned post and set the cert provider to certenroll and then also unchecked the use wildcards checkbox. I then cleared all existing certs and deleted the cert from the xbox360 as well. Then retrusted the new cert and exported it and redeployed it to the xbox360. Unfortunately, the same error in the log happened. I did notice that other https calls were not throwing the error, so that tells me at least that the 360 trusting the cert is the issue. I just need to find out how to get the 360 to trust the cert. I'm going to downgrade down to fiddler2 and see if that does anything.
  6. John
    5 posts
    Member since:
    Oct 2015

    Posted 28 Oct 2015 in reply to John

    I downgraded to Fiddler2 with no change. Time to check the xbox360 to see if it requires a specific type of cert.
  7. Eric Lawrence
    Admin
    833 posts

    Posted 28 Oct 2015

    "Unfortunately, the same error in the log happened."

    I assume you mean to say "a similar error" occurred; if "the same error" occurred, it means your change to disable wildcard certificates was not effective.

    Regards,
    Eric Lawrence
    Telerik
  8. John
    5 posts
    Member since:
    Oct 2015

    Posted 29 Oct 2015 in reply to Eric Lawrence

    Yeah, it was a similar error only in that the CN changed to not have a wildcard character. But the error itself was the same.