Fiddler and 3rd Party Certificates.

7 posts, 0 answers
  1. Juan
    4 posts
    Member since:
    Apr 2014

    Posted 21 Apr 2014

    Hello Forum,
    I work for a company called ePay and I was wondering if someone could assist me with a certificate issue.
    Our company uses a Digital Certificate with our customers and it seems we might be having some compatibility issues with Fiddler.
    My question is the following:
    We have a certificate installed and imported into the browser (e.g. IE10), and then Fiddler adds a Do_Not_Trust_FiddlerRoot certificate, which causes the compatibility issues. I read that a fix would be to move the certificate from the Personal folder to the "Trusted Certificates" folder, but I want to confirm this would be the ideal fix and that I wouldn't disrupt or misconfigure any settings in Fiddler.
    And my second question is:
    What type of problems could we expect if the Do_Not_Trust_FiddlerRoot is left in the Personal folder? (problems with OUR certificate)
    And my last question is:
    Would any configuration be lost if they DELETED the Do_Not_Trust_FiddlerRoot certificate?

    Thanks for the help.

    Juan Posada
    ePay Customer Service Trainer
  2. Eric Lawrence
    Admin
    833 posts

    Posted 22 Apr 2014

    Hi, Juan--

    You'll need to be more specific about what exactly it is that you're trying to accomplish and what "compatibility issues" you are encountering.

    What sort of certificate have you "installed" and what exactly is the problem you're having?

    Thanks,
    Eric Lawrence
    Telerik
  3. Juan
    4 posts
    Member since:
    Apr 2014

    Posted 22 Apr 2014 in reply to Eric Lawrence

    Hi Eric,

    Sorry I'll try to be more specific.
    My company uses a Digital Certificate to authenticate users on a website. In order for them to access the website they must "install" the certificate, or else they get the error "403.7 Forbidden".
    When one of our customers has Fiddler installed, under Internet Options > Content > Certificates there are a lot of certificates created with root Do_Not_Trust_FiddlerRoot for a bunch of different websites, and it makes one that matches our certificate.
    When this happens and they try to access our website, they get the error "403.7 Forbidden" and they are unable to authenticate themselves.
    Now I believe that they have installed Fiddler on their computers for a reason, but they also need to be able to access our website.
    So my question is:
    What would be the best way to avoid Fiddler blocking our Digital Certificate and preventing the user authentication on our website?


    We have had some people delete the certificate and then it works, but I'm not sure if Fiddler will just create a new copy or if it could change some configuration.
    I read that we could move the certificate from the Personal folder to the Trusted Certificates folder, but I never actually tested it.

    If you need more information, what do you need?
  4. Juan
    4 posts
    Member since:
    Apr 2014

    Posted 22 Apr 2014

    This is a screenshot where you can see the DC list of a user, and you'll see that there are 2 for webpos (my company's website).
  5. Eric Lawrence
    Admin
    833 posts

    Posted 23 Apr 2014

    Hello, Juan--

    What you're describing is that the client is required to present a ClientCertificate when authenticating to your website. When running Fiddler, Fiddler will not automatically challenge the client to provide a certificate and as a consequence the login will fail while Fiddler is running. Manual configuration of Fiddler is required to allow Fiddler to present a client certificate on the user's behalf; this process is described here: http://fiddlerbook.com/Fiddler/help/httpsclientcerts.asp

    Now, it sounds like you might be saying that users are having problems logging in even when Fiddler is not running. That would not make very much sense, as the certificates that Fiddler uses do NOT contain the ClientAuthentication key usage flag and thus their presence should have absolutely no impact whatsoever on the client when Fiddler is not running.

    Fiddler's certificates can be automatically cleaned up every time Fiddler exits; see https://groups.google.com/forum/#!topic/httpfiddler/Yg4G7SWl3bo

    thanks for the extra info,
    Eric Lawrence
    Telerik
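As an added example (not code from this thread, and not part of Fiddler), here is a PowerShell check a support agent can run on a customer's machine to verify the point made in the reply above: it lists the certificates in the current user's Personal store, flags those issued by the DO_NOT_TRUST_FiddlerRoot, and reports which ones carry the Client Authentication extended key usage (OID 1.3.6.1.5.5.7.3.2) together with a private key, i.e. which ones the browser could actually offer to a site that answers 403.7. The EKU OIDs are standard; the store paths and the issuer-name pattern are assumptions based only on the certificate names quoted in this thread.

```powershell
# Added example, not from the forum thread or from Fiddler.
# Inventory the current user's Personal certificate store and separate
# Fiddler-generated server certificates from certificates that are
# usable for client authentication.

$ClientAuthOid       = '1.3.6.1.5.5.7.3.2'        # id-kp-clientAuth
$EkuExtensionOid     = '2.5.29.37'                # Extended Key Usage extension
$FiddlerRootPattern  = 'DO_NOT_TRUST_FiddlerRoot' # assumed issuer CN, as named in the thread

function Get-ClientCertReport {
    param(
        # Assumed store: the "Personal" folder shown in Internet Options > Content > Certificates
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_

        # .NET parses the EKU extension into X509EnhancedKeyUsageExtension when present
        $ekuExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuExtensionOid }
        $ekuOids = @()
        if ($ekuExt) {
            $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }

        # Windows treats a certificate with no EKU extension as valid for any purpose,
        # so "no EKU at all" also counts as eligible for client authentication.
        $clientAuthEligible = (-not $ekuExt) -or ($ekuOids -contains $ClientAuthOid)

        [pscustomobject]@{
            Subject          = $cert.Subject
            Issuer           = $cert.Issuer
            NotAfter         = $cert.NotAfter
            Thumbprint       = $cert.Thumbprint
            HasPrivateKey    = $cert.HasPrivateKey
            FiddlerIssued    = [bool]($cert.Issuer -match $FiddlerRootPattern)
            ClientAuthEKU    = [bool]($ekuOids -contains $ClientAuthOid)
            # What the browser can actually present to a 403.7 site:
            OfferableForAuth = [bool]($cert.HasPrivateKey -and $clientAuthEligible)
        }
    }
}

function Test-FiddlerRootInstalled {
    # Assumed store: "Trusted Root Certification Authorities" for the current user
    param([string]$RootStorePath = 'Cert:\CurrentUser\Root')
    $roots = Get-ChildItem -Path $RootStorePath |
             Where-Object { $_.Subject -match $FiddlerRootPattern }
    return ($roots.Count -gt 0)
}

$report = Get-ClientCertReport

Write-Host "Fiddler-issued certificates in the Personal store (safe to delete; Fiddler recreates them):"
$report | Where-Object FiddlerIssued |
    Format-Table Subject, NotAfter, ClientAuthEKU, Thumbprint -AutoSize

Write-Host "Certificates the browser could offer for client authentication:"
$report | Where-Object OfferableForAuth |
    Format-Table Subject, Issuer, NotAfter, Thumbprint -AutoSize

if (Test-FiddlerRootInstalled) {
    Write-Host "Fiddler root CA is present in Trusted Roots (expected when HTTPS decryption is enabled; leave it in place)."
} else {
    Write-Host "No Fiddler root CA found in Trusted Roots."
}
```

If the Fiddler-issued entries all show `ClientAuthEKU = False` while the company's own certificate shows `OfferableForAuth = True`, the Fiddler certificates cannot be what the browser presents, which supports the diagnosis that the 403.7 only occurs while Fiddler is actively proxying. The script reads the stores only; deleting a Fiddler-issued server certificate, if needed, is harmless per the reply above, whereas the root certificate should be left alone.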
  6. Juan
    4 posts
    Member since:
    Apr 2014

    Posted 23 Apr 2014 in reply to Eric Lawrence

    Hello Eric,
    Thanks for the update.
    This is great information; I'll make sure to pass it around to our Fiddler-using customers.
    Just one more question if you don't mind: what would happen to the Fiddler users that have had their certificate erased?
    Meaning:
    If one of our agents removes/deletes the webpos.epayworldwide Fiddler certificate, would that be harmful to your software in any way?
    If one of our agents already did it, does the user need to do anything extra to avoid a software misconfiguration?
    Thanks for your replies!!

    Blessings,
    John
  7. Eric Lawrence
    Admin
    833 posts

    Posted 24 Apr 2014

    Hello,

    Deleting the "webpos.epayworldwide.com" certificate won't do anything harmful (and that's what the CleanupServerCertsOnExit preference does); Fiddler will recreate that certificate if and when needed.

    If the user were to delete the DO_NOT_TRUST root certificate, that would be bad.

    Regards,
    Eric Lawrence
    Telerik