Firefox 41 - cannot access HTTPS sites when HTTPS decryption is enabled in Fiddler

7 posts, 0 answers
  1. John
    4 posts
    Member since:
    Oct 2015

    Posted 28 Oct 2015

    When running Fiddler with HTTPS decryption enabled, browsing to Google (and many other sites) results in a Firefox error page "This Connection is Untrusted", with the following error info:

    "This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate."

    The Technical details say:

    "www.google.com uses an invalid security certificate. The certificate is only valid for *.google.com (Error code: ssl_error_bad_cert_domain)"

    I've already imported the Fiddler root cert into Firefox's CA store. The problem has only started occurring with recent Firefox versions.

    Does anyone know how to resolve this?

    Thanks,

        --- John.

  2. Eric Lawrence
    Admin
    833 posts

    Posted 28 Oct 2015

    Hello, John--

    Yes, this problem is now understood. Please switch to CertEnroll to resolve this problem and avoid problems with future browsers: http://www.telerik.com/community/forums/firefox-36-0-breaks-fiddler-https-decryption

    Regards,
    Eric Lawrence
    Telerik
    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
  3. John
    4 posts
    Member since:
    Oct 2015

    Posted 29 Oct 2015 in reply to Eric Lawrence

    I tried following all the steps for the "Best Choice" workaround (several times), but the problem persisted. However, the "OK Choice" workaround (using MakeCert and disabling "Use Wildcards") seems to be working. Are there any potential problems with the "OK Choice" approach?

    Thanks,

        --- John.

  4. Eric Lawrence
    Admin
    833 posts

    Posted 29 Oct 2015

    Hello, John--

    Are you sure the error page you saw in Firefox was *exactly* the same in both cases? And that you had clicked REMOVE INTERCEPTION CERTIFICATES before restarting? And that, this being Firefox, you retrusted the new CertEnroll root certificate after restarting, reenabling decryption, and exporting it?

    I use the "Best Choice" approach with Firefox 40, Firefox 41, and Firefox 44 and have not encountered any problems.

    The problem with staying on the "MakeCert" provider is that the certificates it generates will soon not work in Chrome (due to the lack of SubjectAltName) and it's expected that Firefox and other clients may follow suit.

    Regards,
    Eric Lawrence
    Telerik
  5. John
    4 posts
    Member since:
    Oct 2015

    Posted 02 Nov 2015

    I finally seem to have it working after following all the steps numerous times, although I'm not sure what suddenly triggered it to start working.

    In Firefox's Certificate Manager, I noticed there was a cert for "www.google.com" listed under "The USERTRUST Network" with Security Device listed as "Builtin Object Token". At some point I deleted this cert, but I've no idea whether this contributed to fixing the problem.

    When I did have the problem, Firefox showed a "Secure Connection Failed" page whenever I visited Google, with the text:

    An error occurred during a connection to www.google.com. Peer's certificate has an invalid signature. (Error code: sec_error_bad_signature). The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

  6. John
    4 posts
    Member since:
    Oct 2015

    Posted 02 Nov 2015 in reply to John

    I forgot to say that the cert for www.google.com that I deleted was listed under the category "Others" in Firefox's Certificate Manager.
  7. Eric Lawrence
    Admin
    833 posts

    Posted 02 Nov 2015

    Hi, John--

    The sec_error_bad_signature message strongly suggests that the root certificate Firefox was configured to trust was not the actual root certificate that Fiddler was using. This can happen if you recreate the Fiddler root certificate, for instance. The problem arises because Firefox compares the signature on the site's certificate using the root certificate it trusts and finds that the signature doesn't match.

    http://textslashplain.com/2015/10/30/reset-fiddlers-https-certificates/ explains the procedure used to fully reset Fiddler's certificates if you need to in the future.

    Regards,
    Eric Lawrence
    Telerik
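
The two conditions discussed in this thread (a leaf certificate signed by a root other than the one the client trusts, and a leaf with no SubjectAltName) can be reproduced and checked offline with the `openssl` CLI. This is an added example, not part of the original posts and not Fiddler's own code; the file names, the subject "Constructed Proxy Root" and the host `www.example.test` are constructed for illustration.

```shell
# Constructed sample data: throwaway keys and certs in a temp dir, not Fiddler's.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_root]
basicConstraints = critical,CA:TRUE
[v3_leaf]
subjectAltName = DNS:www.example.test
EOF

# make_root NAME: self-signed root. Both roots share one subject, as a regenerated root would.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ext.cnf" \
    -extensions v3_root -subj "/CN=Constructed Proxy Root" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_leaf NAME ROOT [EXT_SECTION]: leaf for www.example.test, signed by ROOT.
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ext.cnf" \
    -subj "/CN=www.example.test" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -set_serial 1 -days 1 ${3:+-extfile "$WORK/ext.cnf" -extensions "$3"} \
    -out "$WORK/$1.pem" 2>/dev/null
}

# signed_by_root ROOT.pem LEAF.pem: succeeds only if LEAF verifies under exactly this root.
signed_by_root() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# has_san CERT.pem: succeeds if the certificate carries a SubjectAltName extension.
has_san() {
  openssl x509 -in "$1" -noout -text | grep -q 'Subject Alternative Name'
}

make_root old_root                   # root the client was told to trust
make_root new_root                   # root in use after regeneration
make_leaf with_san new_root v3_leaf  # leaf with SubjectAltName
make_leaf no_san new_root            # leaf relying on CN only
for r in old_root new_root; do
  signed_by_root "$WORK/$r.pem" "$WORK/with_san.pem" && echo "$r: verifies" || echo "$r: FAILS"
done
for l in with_san no_san; do
  has_san "$WORK/$l.pem" && echo "$l: has SAN" || echo "$l: no SAN"
done
```

Against a real setup, pass the exported root certificate and a leaf saved from an intercepted connection (both in PEM form) to `signed_by_root` and `has_san`.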