HTTPS CONNECT question

Fiddler Classic
Tommy asked on 27 Oct 2016, 11:40 PM

We have a XenApp server that is unable to connect to duosecurity.com on port 443 over HTTP. I feel sure the problem has to do with a missing root or intermediate certificate on the server, and I'm using Fiddler to help troubleshoot. With Fiddler I've found that if I enable "Decrypt HTTPS traffic", IE11 connects to the site fine as expected. If I disable that feature, IE11 will not make the connection and fails with "Certificate was blocked because it was not signed by a valid security certificate".

I'm attempting to compare the raw session information from a failed connection with that of a successful connection, but still having trouble getting to the source of the problem. Any help is greatly appreciated.

FAILURE:
=======

HTTP/1.0 200 Connection Established
FiddlerGateway: Direct
StartTime: 18:20:01.546
Connection: close
EndTime: 18:20:01.671
ClientToServerBytes: 344
ServerToClientBytes: 3489

This is a CONNECT tunnel, through which encrypted HTTPS traffic flows.
To view the encrypted sessions inside this tunnel, enable the Tools > Fiddler Options > HTTPS > Decrypt HTTPS traffic option.

A SSLv3-compatible ServerHello handshake was found. Fiddler extracted the parameters below.

Major Version:    3
Minor Version:    3
SessionID:    empty
Random:        A2 8C DF ED A9 F0 05 B0 74 EF EE AF 01 77 DA BA E2 7C 17 47 94 90 EF 85 9D 82 58 17 33 F4 41 54
Cipher:        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 [0xC027]
CompressionSuite:    NO_COMPRESSION [0x00]
Extensions:
        server_name    empty
        renegotiation_info    00
        ec_point_formats    03 00 01 02

SUCCESS:
========

HTTP/1.0 200 Connection Established
FiddlerGateway: Direct
StartTime: 11:27:37.650
Connection: close

Encrypted HTTPS traffic flows through this CONNECT tunnel. HTTPS Decryption is enabled in Fiddler, so decrypted sessions running in this tunnel will be shown in the Web Sessions list.

Secure Protocol: Tls
Cipher: Aes128 128bits
Hash Algorithm: Sha1 160bits
Key Exchange: 44550 256bits

== Server Certificate ==========
[Subject]
  CN=*.duosecurity.com, O="Duo Security, Inc.", L=Ann Arbor, S=Michigan, C=US

[Issuer]
  CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

[Serial Number]
  03CBE781655532FAE641E04B268E6A52

[Not Before]
  10/22/2013 7:00:01 AM

[Not After]
  1/4/2017 6:00:00 AM

[Thumbprint]
  7D15717C4EBC7367A2E6D5A11CBEC85DAF33A9BB

1 Answer, 1 is accepted

Tsviatko Yovtchev
Telerik team
answered on 02 Nov 2016, 06:25 PM
Hello,

Does Fiddler have "Ignore server certificate errors" and "Check for certificate revocation" options checked or unchecked?

Regards,
Tsviatko Yovtchev
Telerik by Progress
Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
Tommy
commented on 02 Nov 2016, 07:14 PM

I had "Ignore server certificate errors" checked and "Check for certificate revocation" unchecked. Would tweaking those options make a difference here?

As it turned out, I used Wireshark to see the certificate key exchange happening, and found that the root CA for the issuing CA's certificate was missing from the cert store. Once I copied that in, the problem was resolved.

I'm not sure whether Fiddler would have been able to help with that diagnosis.

Tsviatko Yovtchev
Telerik team
commented on 11 Nov 2016, 04:37 PM

Hi,

Well, you were able to connect through Fiddler because the "Ignore server certificate errors" option was turned on. If that was off, Fiddler would have warned you about the certificate problem.

Regards,
Tsviatko Yovtchev
Telerik by Progress
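
The failure resolved in this thread, a server chain whose root CA is absent from the client's trust store, can be reproduced offline. The script below is an added example, not code from the original posts: it uses the OpenSSL command line instead of the Windows certificate store, and every certificate name and file in it is constructed.

```shell
#!/bin/sh
# Added example. Constructed throwaway PKI: "Demo root" -> "Demo issuing" ->
# "Demo leaf", plus an unrelated "Demo other" root. All names are made up.

make_pki() {    # $1 = empty working directory
    d=$1
    printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' \
        > "$d/pki.cnf"
    for n in root other issuing leaf; do        # one key and CSR per certificate
        openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" -subj "/CN=Demo $n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    for n in root other; do                     # self-signed roots
        openssl x509 -req -in "$d/$n.csr" -signkey "$d/$n.key" -days 2 \
            -extfile "$d/pki.cnf" -extensions v3_ca -out "$d/$n.pem" 2>/dev/null || return 1
    done
    # Issuing CA signed by the root, leaf signed by the issuing CA.
    openssl x509 -req -in "$d/issuing.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/pki.cnf" -extensions v3_ca \
        -out "$d/issuing.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/issuing.pem" -CAkey "$d/issuing.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Validate the leaf the way a client does: the intermediate arrives from the
# server (-untrusted); only certificates in the store file ($2) are trust anchors.
validate() {    # $1 = PKI directory, $2 = trust-store PEM
    openssl verify -no-CApath -CAfile "$2" -untrusted "$1/issuing.pem" "$1/leaf.pem" 2>&1
}

demo() {
    dir=$(mktemp -d) || return 1
    make_pki "$dir" || { rm -rf "$dir"; return 1; }
    cp "$dir/other.pem" "$dir/store.pem"        # store without the needed root
    echo "root missing from store:"; validate "$dir" "$dir/store.pem"
    cat "$dir/root.pem" >> "$dir/store.pem"     # copy the root in, as in the thread
    echo "root present in store:";   validate "$dir" "$dir/store.pem"
    rm -rf "$dir"
}
demo
```

The first validation fails even though the intermediate is available, because no trust anchor terminates the chain; a proxy configured to ignore server certificate errors would still complete the connection and hide this result from the client.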