This is a migrated thread and some comments may be shown as answers.

hopefully simple question about presenting client certs

Duane asked on 18 Jun 2015, 12:09 AM

Basically, in the code for 

Fiddler's HTTPS decryption feature also offers basic support for intercepting requests that require client certificates and responding with a client certificate from the machine running Fiddler.

Selection of Client Certificate

If a .CER file has been specified for a given session as follows:

oSession["https-Client-Certificate"] = "C:\\test\\someCert.cer";

...then Fiddler will simply use that certificate for the current session.

 

What goes in place of https-Client-Certificate? Is it the host or the URL, or is it something entirely different?

I'm trying to use a client cert to get around a cert pinning issue and I want to know I'm coding it right before I admit defeat.

 

Thanks in advance,

Duane

 

2 Answers, 1 is accepted

Eric Lawrence
Telerik team
answered on 18 Jun 2015, 02:47 PM
Hello, Duane--

I think there's probably some confusion here:

1. "Certificate Pinning" is a technique whereby a client verifies that the certificate coming from the server is a specific certificate (or chains to a specific root). Pinning can present problems for Fiddler's HTTPS interception because the pinning checks will usually fail when they find Fiddler's interception certificates.

2. Client Certificates are certificates that the client sends to the server to identify itself. Use of client certificates requires extra work in Fiddler because you need to tell Fiddler which certificate to send to the server. Fiddler can send a client certificate to the server by specifying the local filename of that certificate in the https-Client-Certificate Session flag.

Now, I'm guessing that maybe you're in a different scenario: Maybe you're saying: "I have the server's certificate and private key, and I would like to use Fiddler to use that so that the client's certificate pinning check does not fail." If that's the case, you can use the StoreCert method: please see this example.

Regards,
Eric Lawrence
Telerik
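
The client-certificate case from point 2 above, as an added FiddlerScript example that is not part of the original thread or of Fiddler's own documentation. It assumes the code is merged into the OnBeforeRequest handler in CustomRules.js; the host name api.example.test is a constructed placeholder, and the path is the one quoted in the question.

```jscript
// Added example; not from the original thread.
// "api.example.test" is a constructed placeholder host.
static function OnBeforeRequest(oSession: Session) {
    // The flag name is the literal string "https-Client-Certificate".
    // It is not replaced by a host or URL; only the value (the local
    // path to the .cer file) changes.
    var sCertPath = "C:\\test\\someCert.cer";

    // Scope the flag to the one host that asks for a client certificate,
    // so the certificate is not offered to every HTTPS server.
    if (oSession.HostnameIs("api.example.test")) {
        if (System.IO.File.Exists(sCertPath)) {
            oSession["https-Client-Certificate"] = sCertPath;
        } else {
            // A missing file is logged so it can be told apart from
            // a server-side rejection of the certificate.
            FiddlerObject.log("Client certificate file not found: " + sCertPath);
        }
    }
}
```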
Duane
answered on 18 Jun 2015, 03:38 PM
You are spot on. Thanks for the help.