This is a migrated thread and some comments may be shown as answers.

Error with HTTPS traffic due to certs with Xbox360

John asked on 27 Oct 2015, 02:03 PM

I am using Fiddler as a proxy to an Xbox360 and I can't figure out why the certificates don't appear to be trusted. This is the error I am getting and I have tried a few different solutions.

I have deployed the root certificate created by exporting the root certificate to the Xbox360 itself and set another machine as the proxy.

Added Fiddler root certificate to the Trusted Root Certificate Authorities on the proxy machine.

When I run Fiddler on the proxy machine I get a "tunnel to" with this exception.

 

12:55:47:1597 /Fiddler.CertMaker> Invoking makecert.exe with arguments: -pe -ss my -n "CN=*.sbx1.cdops.net, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com" -sky exchange -in DO_NOT_TRUST_FiddlerRoot -is my -eku 1.3.6.1.5.5.7.3.1 -cy end -a sha256 -m 132 -b 10/25/2014
12:55:47:3337 /Fiddler.CertMaker>8-CreateCert(*.sbx1.cdops.net) => (0).
12:55:47:3717 !SecureClientPipeDirect failed: System.IO.IOException Authentication failed because the remote party has closed the transport stream. for pipe (CN=*.sbx1.cdops.net, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com)

 

I did notice the root certificate is sha1 but the interception certificates are sha256. Would that matter? Our services webserver just needs to trust Fiddler as a trusted authority, right? This used to work and we didn't have this certificate installed on the webserver previously so I'm leaning towards a configuration issue with my proxy machine.

I have also tried installing the certmaker plugin with the same error results.

Any help is appreciated,

John G.

7 Answers, 1 is accepted

Eric Lawrence
Telerik team
answered on 27 Oct 2015, 10:09 PM
Hi, John--

I'm not sure I understand your configuration. Is it [WindowsPC with Fiddler] + [XBOX360]? Or is there another PC involved for some reason?

Specifically how did you configure the XBOX360 to trust Fiddler's certificate? Please keep in mind that every PC running Fiddler generates its own unique certificate, so you can't just put any "FiddlerRoot" certificate on the XBox and have it work.

The message: !SecureClientPipeDirect failed: System.IO.IOException Authentication failed because the remote party has closed the transport stream. for pipe (CN=*.sbx1.cdops.net, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com)

... typically indicates that the client (presumably your XBOX360?) closed the connection as soon as it received the certificate from Fiddler. This typically happens when the client hasn't been configured to trust the root certificate and thus it assumes it is under attack and aborts. It would also happen if you'd put a FiddlerRoot certificate from "Machine A" on the Xbox but then tried to capture traffic from that Xbox using a Fiddler instance on "Machine B".

Regards,
Eric Lawrence
Telerik
John
answered on 28 Oct 2015, 07:05 PM

Hi Eric,

The configuration is WindowsPC with Fiddler and then the Xbox360. We export the root certificate to the desktop and then copy that to the Xbox360 certificate location.

According to their documentation we just deploy the root certificate to the machine's certificate store. I'm going to see if I can clear out that location on the Xbox360. It could be possible there are multiple Fiddler certs deployed on it. I'm not sure how the machine would handle a case like that but it's worth a test.

Eric Lawrence
Telerik team
answered on 28 Oct 2015, 07:24 PM
Hi, John--

If you had a configuration working previously and it stopped working, chances are good that it's related to Fiddler's recent change to use wildcard certificates. Please see this post for details on how you might resolve this problem.

Thanks!
Eric Lawrence
Telerik
John
answered on 28 Oct 2015, 07:56 PM
I followed the suggested fixes in that mentioned post and set the cert provider to CertEnroll and then also unchecked the use wildcards checkbox. I then cleared all existing certs and deleted the cert from the Xbox360 as well. Then re-trusted the new cert and exported it and redeployed it to the Xbox360. Unfortunately, the same error in the log happened. I did notice that other HTTPS calls were not throwing the error so that tells me at least that the 360 trusting the cert is the issue. I just need to find out how to get the 360 to trust the cert. I'm going to downgrade down to Fiddler2 and see if that does anything.
John
answered on 28 Oct 2015, 08:20 PM
I downgraded to Fiddler2 with no change. Time to check the Xbox360 to see if it requires a specific type of cert.
Eric Lawrence
Telerik team
answered on 28 Oct 2015, 08:39 PM
"Unfortunately, the same error in the log happened.  "

I assume you mean to say "a similar error" occurred; if "the same error" occurred, it means your change to disable wildcard certificates was not effective.

Regards,
Eric Lawrence
Telerik
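
The "same error" versus "similar error" distinction in this reply can be read straight from the Fiddler log. As an added example (not part of the thread and not Fiddler's own code), the Python below pairs each `!SecureClientPipeDirect failed` line with the preceding makecert invocation and reports whether the rejected certificate's CN is still a wildcard; the second pair of log lines and the host name `host.example.test` are constructed.

```python
import re

# Lines 1-2 come from the log quoted in the question. Lines 3-4 are constructed
# (host.example.test is a placeholder) to show a run with wildcards disabled.
SAMPLE_LOG = """\
12:55:47:1597 /Fiddler.CertMaker> Invoking makecert.exe with arguments: -pe -ss my -n "CN=*.sbx1.cdops.net, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com" -sky exchange -in DO_NOT_TRUST_FiddlerRoot -is my -eku 1.3.6.1.5.5.7.3.1 -cy end -a sha256 -m 132 -b 10/25/2014
12:55:47:3717 !SecureClientPipeDirect failed: System.IO.IOException Authentication failed because the remote party has closed the transport stream. for pipe (CN=*.sbx1.cdops.net, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com)
13:40:02:0100 /Fiddler.CertMaker> Invoking makecert.exe with arguments: -pe -ss my -n "CN=host.example.test, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com" -sky exchange -in DO_NOT_TRUST_FiddlerRoot -is my -eku 1.3.6.1.5.5.7.3.1 -cy end -a sha256 -m 132 -b 10/25/2014
13:40:02:2200 !SecureClientPipeDirect failed: System.IO.IOException Authentication failed because the remote party has closed the transport stream. for pipe (CN=host.example.test, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com)
"""

# makecert line: capture the leaf CN and the signature hash passed with -a.
MAKECERT = re.compile(r'Invoking makecert\.exe with arguments:.*?-n "CN=([^,"]+).*?\s-a (\S+)')
# failure line: capture exception type, message, and the CN of the rejected leaf.
FAILURE = re.compile(r'!SecureClientPipeDirect failed: (\S+) (.*?) for pipe \(CN=([^,)]+)')


def triage(log_text):
    """Return one finding per client-side TLS handshake failure in the log."""
    sig_alg = {}    # leaf CN -> hash algorithm it was generated with
    findings = []
    for line in log_text.splitlines():
        m = MAKECERT.search(line)
        if m:
            sig_alg[m.group(1)] = m.group(2)
            continue
        m = FAILURE.search(line)
        if m:
            exc, msg, cn = m.groups()
            findings.append({
                "cn": cn,
                "wildcard": cn.startswith("*."),
                "sig_alg": sig_alg.get(cn),   # None if no makecert line was logged
                "exception": exc,
                "client_closed": "closed the transport stream" in msg,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        if f["wildcard"]:
            note = "wildcard leaf still issued: the wildcard setting change is not in effect"
        else:
            note = "exact-host leaf rejected: check that the client trusts this Fiddler instance's root"
        print(f'{f["cn"]} ({f["sig_alg"]}): {note}')
```
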
John
answered on 29 Oct 2015, 01:02 PM
Yeah, it was a similar error only in that the CN changed to not have a wildcard character. But the error itself was the same.