Firefox 36.0 breaks Fiddler HTTPS decryption

11 posts, 0 answers
  1. a
    2 posts
    Member since:
    Oct 2015

    Posted 27 Oct 2015

    There seems to be a problem with Firefox version 36.0 onwards with the Fiddler HTTPS decryption option.  The instructions at http://www.telerik.com/blogs/configuring-firefox-for-fiddler used to work for adding the Fiddler root certificate so that Firefox will trust the certificates that Fiddler issues.  This is also the only way to trust Fiddler for HSTS (HTTP Strict Transport Security) sites because Firefox doesn't allow adding regular "exceptions" for those sites.

    After updating Firefox, I found that the Fiddler root CA no longer works to connect to the HTTPS websites.  Firefox gives a "ssl_error_bad_cert_domain" error.  An example of what this looks like is:

    www.google.com uses an invalid security certificate. The certificate is only valid for *.google.com (Error code: ssl_error_bad_cert_domain)
    So this appears to be failing to match the wildcard domain (*.google.com) to the website (www.google.com) and rejecting the certificate as a result.

    I tried downgrading back to different Firefox versions, and found that 35.0.1 is the last one that seems to work properly for the Fiddler HTTPS decryption, with 36.0 breaking this functionality.

    I first reported this issue on Mozilla support: https://support.mozilla.org/en-US/questions/1090724
    Is this a known bug / break in compatibility?  Has anyone reported this issue yet and is there a known workaround?

  2. Eric Lawrence
    Admin
    833 posts

    Posted 28 Oct 2015

    Hi, a--

    Thanks for the clear bug report, which clearly demonstrates the problem.

    The problem here is that Firefox 36+ apparently dropped support for wildcards (*.example.com) in the SubjectCN parameter, requiring that wildcards only appear in the SubjectAltNames field of the certificate.

    The default Fiddler Certificate Provider (makecert) cannot generate certificates with SubjectAltNames, leading to this problem (which isn't present in IE or Chrome).

    There are two simple workarounds for this; pick one:

    Best Choice: Click Tools > Fiddler Options > HTTPS. Click "Certificates Generated By: Fiddler.DefaultCertificateProvider." In the box that appears, change the dropdown to "CertEnroll." CertEnroll generates more "modern" certificates containing SubjectAltNames and other features that improve performance. After you save this change, you will probably need to untick the "Decrypt HTTPS traffic" checkbox, click "Remove Interception Certificates" (accepting all prompts), then restart Fiddler and recheck the "Decrypt HTTPS traffic" checkbox (accepting all prompts). This will ensure you end up using the new certificate generator and none of the old cached certificates are used.

    Ok Choice: Click Tools > Fiddler Options > HTTPS. Click "Certificates Generated By: Fiddler.DefaultCertificateProvider." In the box that appears, untick the Use Wildcards box. This will disable MakeCert's use of wildcards in certificates.

    Regards,
    Eric Lawrence
    Telerik
    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
  3. Maxime
    3 posts
    Member since:
    Oct 2015

    Posted 30 Oct 2015 in reply to Eric Lawrence

    I have used Firefox 41 with Fiddler4 for a while now, and HTTPS decryption broke just this morning, right after Fiddler's auto update (v4.6.1.2). HTTPS decryption broke with other browsers also (tested with IE), so it has nothing to do with Firefox in my case, especially since CertEnroll was already selected in my configuration.

    What worked for me though is your 2nd workaround: unticking the "Use Wildcards" box.
  4. Eric Lawrence
    Admin
    833 posts

    Posted 30 Oct 2015

    Hello, Maxime--

    I'd be very interested to learn more about your configuration, including, specifically what error exactly you see in the browser(s) in question, and what, if any, messages appear in Fiddler's Log tab.

    I use Fiddler without errors with CertEnroll and Wildcards enabled with Chrome, Firefox, Internet Explorer, and Microsoft Edge.

    Regards,
    Eric Lawrence
    Telerik
  5. Maxime
    3 posts
    Member since:
    Oct 2015

    Posted 30 Oct 2015 in reply to Eric Lawrence

    The error displayed in Chrome (trying to access https://www.wikipedia.org/) is:

    NET::ERR_CERT_AUTHORITY_INVALID
    Subject: *.wikipedia.org
    Issuer: DO_NOT_TRUST_FiddlerRoot
    Expires on: 28 Oct 2020
    Current date: 30 Oct 2015
    PEM encoded chain:
    -----BEGIN CERTIFICATE-----
    MIIDUzCCArygAwIBAgIQEvat4lP1RZ9A+JsIvq1HWzANBgkqhkiG9w0BAQsFADBn
    MSswKQYDVQQLDCJDcmVhdGVkIGJ5IGh0dHA6Ly93d3cuZmlkZGxlcjIuY29tMRUw
    EwYDVQQKDAxET19OT1RfVFJVU1QxITAfBgNVBAMMGERPX05PVF9UUlVTVF9GaWRk
    bGVyUm9vdDAeFw0xNDEwMjkwOTQwNThaFw0yMDEwMjgwOTQwNThaMF4xKzApBgNV
    BAsMIkNyZWF0ZWQgYnkgaHR0cDovL3d3dy5maWRkbGVyMi5jb20xFTATBgNVBAoM
    DERPX05PVF9UUlVTVDEYMBYGA1UEAwwPKi53aWtpcGVkaWEub3JnMIIBIjANBgkq
    hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuoAMdPB/fRAVRGpxmLXcz9K1oGRH2f9D
    gPmm9w/N5kkBD61n3kRUyMxCFqhGV2kjwMWCuHkAIBssOOiECNf2BVX19+VTS18F
    RZrvqnryyOJzF0tB+h38RkmlcX3pZjvLg66ZLYLv9gRhvCgZYwrsuBeiSUZGnuWx
    mOERXZJ7is1CLHe8A62+WIFxDp8QpAucxP35YGYBA2m8CbDyHGRR36cDCE7PWNgR
    jvilHx4qPWOxVLXCDMSCl50jHjboBVuOCRJ9qEepP7Fk64SueK4PhlfhWo27ZCgR
    8FJExAsVZQU9uzQcKkQLkDPNqNN+eYg2wg+A5Ils4W540AM9HxzwuwIDAQABo4GE
    MIGBMA4GA1UdDwEB/wQEAwIEsDATBgNVHSUEDDAKBggrBgEFBQcDATAaBgNVHREE
    EzARgg8qLndpa2lwZWRpYS5vcmcwHwYDVR0jBBgwFoAUT4zDjagO4P8LxfMEgUyP
    rUNbtX0wHQYDVR0OBBYEFOh87fPTIrQ6G5kcPV7/NFZnQM+qMA0GCSqGSIb3DQEB
    CwUAA4GBAHbrbLGC9DMbqj29c7LtZk2T9d+r7RkM/8zEpcJsqu196voCCObyPeHQ
    7YSCUwWxfi+sriJ4IZxMT5s3vzJcxcTPiOK6FbKC4PBmJhfqrlKvqg/rbfsIqmGv
    xp6HUNwPxp0q309T2gXjwiT7hdbVsfK7eblKVvKlonXxldjzmxjy
    -----END CERTIFICATE-----

    Fiddler logs are:

    20:12:46:1467 !SecureClientPipeDirect failed: System.IO.IOException Authentication failed because the remote party has closed the transport stream. for pipe (CN=*.wikipedia.org, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com)

    When I disable wildcard certificates and restart fiddler, it works in all browsers (i.e. the root certificate is installed). The error is present on all HTTPS sites, not just the sites implementing HSTS.

  6. Eric Lawrence
    Admin
    833 posts

    Posted 30 Oct 2015

    Hi, Maxime--

    The problem here is not actually related to wildcarding, but instead relates to the fact that the trust chain to the root certificate is broken. You can resolve this problem (using CertEnroll with wildcarding enabled) by resetting your certificates.

    Regards,
    Eric Lawrence
    Telerik
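    The CN-versus-SubjectAltName point from Eric's reply in post 2, and the leaf certificate Maxime pasted in post 5, can be checked together with the script below. This is an added example, not code from the thread, from Fiddler or from Mozilla: it carries a minimal DER walker (enough for the certificate above, not a general X.509 parser) that pulls the subject CN, issuer CN and dNSName SANs out of the pasted PEM, plus a hostname matcher whose `cn_wildcards_ok` switch is my own way of emulating the two policies the thread contrasts (honouring a wildcard in the CN, or refusing it and relying on the SAN). The `*.google.com` / `www.google.com` inputs are constructed from the error message in post 1; all helper names are assumptions of this example.

```python
import base64

# Leaf certificate that Maxime pasted from Chrome's error page (post 5 above).
PEM = """-----BEGIN CERTIFICATE-----
MIIDUzCCArygAwIBAgIQEvat4lP1RZ9A+JsIvq1HWzANBgkqhkiG9w0BAQsFADBn
MSswKQYDVQQLDCJDcmVhdGVkIGJ5IGh0dHA6Ly93d3cuZmlkZGxlcjIuY29tMRUw
EwYDVQQKDAxET19OT1RfVFJVU1QxITAfBgNVBAMMGERPX05PVF9UUlVTVF9GaWRk
bGVyUm9vdDAeFw0xNDEwMjkwOTQwNThaFw0yMDEwMjgwOTQwNThaMF4xKzApBgNV
BAsMIkNyZWF0ZWQgYnkgaHR0cDovL3d3dy5maWRkbGVyMi5jb20xFTATBgNVBAoM
DERPX05PVF9UUlVTVDEYMBYGA1UEAwwPKi53aWtpcGVkaWEub3JnMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuoAMdPB/fRAVRGpxmLXcz9K1oGRH2f9D
gPmm9w/N5kkBD61n3kRUyMxCFqhGV2kjwMWCuHkAIBssOOiECNf2BVX19+VTS18F
RZrvqnryyOJzF0tB+h38RkmlcX3pZjvLg66ZLYLv9gRhvCgZYwrsuBeiSUZGnuWx
mOERXZJ7is1CLHe8A62+WIFxDp8QpAucxP35YGYBA2m8CbDyHGRR36cDCE7PWNgR
jvilHx4qPWOxVLXCDMSCl50jHjboBVuOCRJ9qEepP7Fk64SueK4PhlfhWo27ZCgR
8FJExAsVZQU9uzQcKkQLkDPNqNN+eYg2wg+A5Ils4W540AM9HxzwuwIDAQABo4GE
MIGBMA4GA1UdDwEB/wQEAwIEsDATBgNVHSUEDDAKBggrBgEFBQcDATAaBgNVHREE
EzARgg8qLndpa2lwZWRpYS5vcmcwHwYDVR0jBBgwFoAUT4zDjagO4P8LxfMEgUyP
rUNbtX0wHQYDVR0OBBYEFOh87fPTIrQ6G5kcPV7/NFZnQM+qMA0GCSqGSIb3DQEB
CwUAA4GBAHbrbLGC9DMbqj29c7LtZk2T9d+r7RkM/8zEpcJsqu196voCCObyPeHQ
7YSCUwWxfi+sriJ4IZxMT5s3vzJcxcTPiOK6FbKC4PBmJhfqrlKvqg/rbfsIqmGv
xp6HUNwPxp0q309T2gXjwiT7hdbVsfK7eblKVvKlonXxldjzmxjy
-----END CERTIFICATE-----"""

OID_COMMON_NAME = "2.5.4.3"
OID_SUBJECT_ALT_NAME = "2.5.29.17"

def pem_to_der(pem):
    lines = [l.strip() for l in pem.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(lines))

def der_read(buf, pos=0):
    """One DER TLV at pos -> (tag, value, next_pos); single-byte tags, as in X.509."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Elements of a SEQUENCE/SET body as a list of (tag, value)."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = der_read(value, pos)
        out.append((tag, v))
    return out

def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def name_cn(name):
    """commonName of an X.501 Name (SEQUENCE OF SET OF {OID, value})."""
    for _, rdn in der_children(name):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            if decode_oid(oid) == OID_COMMON_NAME:
                return val.decode("utf-8")
    return None

def cert_names(der):
    """Subject CN, issuer CN and dNSName SANs of a DER-encoded certificate."""
    fields = der_children(der_children(der_read(der)[1])[0][1])   # tbsCertificate
    if fields[0][0] == 0xA0:               # explicit [0] version, absent in v1 certs
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    issuer, subject = fields[2][1], fields[4][1]
    dns_sans = []
    for tag, val in fields[6:]:
        if tag != 0xA3:                    # [3] extensions
            continue
        (_, ext_seq), = der_children(val)
        for _, ext in der_children(ext_seq):
            parts = der_children(ext)      # extnID, optional critical flag, extnValue
            if decode_oid(parts[0][1]) != OID_SUBJECT_ALT_NAME:
                continue
            (_, general_names), = der_children(parts[-1][1])
            for gtag, gval in der_children(general_names):
                if gtag == 0x82:           # [2] IMPLICIT IA5String = dNSName
                    dns_sans.append(gval.decode("ascii"))
    return {"subject_cn": name_cn(subject), "issuer_cn": name_cn(issuer), "dns_sans": dns_sans}

def name_matches(pattern, host):
    """RFC 6125 style: '*' only as the whole left-most label, matching exactly one label,
    so *.google.com covers www.google.com but not google.com or a.b.google.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p, h = pattern.split("."), host.split(".")
    if p[0] != "*" or len(p) < 3 or any("*" in lab for lab in p[1:]):
        return False
    return len(p) == len(h) and p[1:] == h[1:]

def host_accepted(subject_cn, dns_sans, host, cn_wildcards_ok):
    """dNSName SANs, when present, are the only names consulted. Otherwise the CN is used;
    cn_wildcards_ok=False (assumed switch) refuses a wildcard CN there, the stricter
    behaviour the thread attributes to Firefox 36+."""
    if dns_sans:
        return any(name_matches(n, host) for n in dns_sans)
    if subject_cn is None or ("*" in subject_cn and not cn_wildcards_ok):
        return False
    return name_matches(subject_cn, host)

if __name__ == "__main__":
    names = cert_names(pem_to_der(PEM))
    print(names, host_accepted("*.google.com", [], "www.google.com", cn_wildcards_ok=False))
```

    Run against the pasted certificate, `cert_names` reports `*.wikipedia.org` both as the subject CN and as a dNSName SAN, with issuer `DO_NOT_TRUST_FiddlerRoot`, so `host_accepted` passes `www.wikipedia.org` under either policy. That is consistent with Eric's diagnosis above: Chrome's NET::ERR_CERT_AUTHORITY_INVALID is an issuer-trust failure, not a name-matching one. The case that splits the two policies is the MakeCert-style leaf with a wildcard CN and no SAN, which is what the "only valid for *.google.com" message in post 1 describes, and which the "Use Wildcards" workaround sidesteps by issuing an exact CN instead.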
  7. Maxime
    3 posts
    Member since:
    Oct 2015

    Posted 30 Oct 2015 in reply to Eric Lawrence

    Worked like a charm, thanks.

    I remember having uninstalled / regenerated / reinstalled Fiddler's root cert manually (in mmc.exe and the Firefox cert store) this morning, after the first time I noticed the error, with no effect though... not sure why, especially since Firefox uses its own store, so Fiddler's "Remove Interception Certificates" button should have no effect on it and the cert reinstallation process is the same I did before.

    Well, I must have missed something!

  8. jon
    1 posts
    Member since:
    Jun 2016

    Posted 02 Jun in reply to Maxime

    I'm on Firefox 46 and neither of your recommendations work unfortunately.
  9. Tsviatko Yovtchev
    Admin
    408 posts

    Posted 07 Jun

    Hello jon,

    What is the error you are getting? Does it affect just Firefox? How did this start happening? Did you update Fiddler or did you update Firefox? Which version of Fiddler are you using?

    Regards,
    Tsviatko Yovtchev
    Telerik
  10. Gustavo
    1 posts
    Member since:
    Aug 2016

    Posted 05 Aug

    I am also having problems with Firefox (currently version 47). IE 11 and Chrome 51 work without problems. I am using Telerik Fiddler Web Debugger (v4.6.2.30081) and tried resetting the certificates/unticking wildcard as suggested above. Unfortunately, Firefox still gives me the "Your connection is not secure" error.
  11. Eddy
    1 posts
    Member since:
    Aug 2016

    Posted 19 Aug

    I had the same issue until I connected the two comments: Firefox having its own cert store PLUS the cert authority chain being broken.  Turns out the simple solution (I'm on Firefox 48.0.1) is to download the FiddlerRoot cert via http://127.0.0.1:8888 within Firefox and install that for Firefox. After that, everything worked like a charm even for sites with HSTS.