HTTPS CONNECT question

4 posts, 0 answers
  1. Tommy
    2 posts
    Member since:
    Oct 2016

    Posted 27 Oct

    We have a XenApp server that is unable to connect to duosecurity.com on port 443 over HTTP. I feel sure the problem has to do with a missing root or intermediate certificate on the server, and I'm using Fiddler to help troubleshoot. With Fiddler I've found that if I enable "Decrypt HTTPS traffic", IE11 connects to the site fine, as expected. If I disable that feature, IE11 will not make the connection and fails with "Certificate was blocked because it was not signed by a valid security certificate".

    I'm attempting to compare the raw session information from a failed connection with that of a successful connection, but I'm still having trouble getting to the source of the problem. Any help is greatly appreciated.

    FAILURE:

    =======

    HTTP/1.0 200 Connection Established
    FiddlerGateway: Direct
    StartTime: 18:20:01.546
    Connection: close
    EndTime: 18:20:01.671
    ClientToServerBytes: 344
    ServerToClientBytes: 3489

    This is a CONNECT tunnel, through which encrypted HTTPS traffic flows.
    To view the encrypted sessions inside this tunnel, enable the Tools > Fiddler Options > HTTPS > Decrypt HTTPS traffic option.

    A SSLv3-compatible ServerHello handshake was found. Fiddler extracted the parameters below.

    Major Version:    3
    Minor Version:    3
    SessionID:    empty
    Random:        A2 8C DF ED A9 F0 05 B0 74 EF EE AF 01 77 DA BA E2 7C 17 47 94 90 EF 85 9D 82 58 17 33 F4 41 54
    Cipher:        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 [0xC027]
    CompressionSuite:    NO_COMPRESSION [0x00]
    Extensions:
            server_name    empty
            renegotiation_info    00
            ec_point_formats    03 00 01 02

    SUCCESS:

    ========

    HTTP/1.0 200 Connection Established
    FiddlerGateway: Direct
    StartTime: 11:27:37.650
    Connection: close

    Encrypted HTTPS traffic flows through this CONNECT tunnel. HTTPS Decryption is enabled in Fiddler, so decrypted sessions running in this tunnel will be shown in the Web Sessions list.

    Secure Protocol: Tls
    Cipher: Aes128 128bits
    Hash Algorithm: Sha1 160bits
    Key Exchange: 44550 256bits

    == Server Certificate ==========
    [Subject]
      CN=*.duosecurity.com, O="Duo Security, Inc.", L=Ann Arbor, S=Michigan, C=US

    [Issuer]
      CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

    [Serial Number]
      03CBE781655532FAE641E04B268E6A52

    [Not Before]
      10/22/2013 7:00:01 AM

    [Not After]
      1/4/2017 6:00:00 AM

    [Thumbprint]
      7D15717C4EBC7367A2E6D5A11CBEC85DAF33A9BB

  2. Tsviatko Yovtchev
    Admin
    409 posts

    Posted 02 Nov

    Hello,

    Does Fiddler have "Ignore server certificate errors" and "Check for certificate revocation" options checked or unchecked?

    Regards,
    Tsviatko Yovtchev
    Telerik by Progress
    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
  3. Tommy
    2 posts
    Member since:
    Oct 2016

    Posted 02 Nov in reply to Tsviatko Yovtchev

    I had "Ignore server certificate errors" checked and "Check for certificate revocation" unchecked. Would tweaking those options make a difference here?

    As it turned out, I used Wireshark to see the certificate key exchange happening, and found that the root CA for the issuing CA's certificate was missing from the cert store. Once I copied that in, the problem was resolved.

    I'm not sure whether Fiddler would have been able to help with that diagnosis.
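
    The diagnosis in the post above (the issuing CA's root was absent from the server's certificate store) can be reproduced offline with a throwaway chain. The script below is an added example and is not part of the thread or of Fiddler; it assumes only that openssl 1.1.1 or later is on PATH, and every name in it (Example Root CA, Example Issuing CA, www.example.test, Unrelated Root CA) is made up for the demonstration. It builds root -> intermediate -> leaf, verifies the leaf against a store that lacks the root (the failing XenApp server) and against one that has it (after the root was copied in), and shows the targeted check that pinpoints which certificate is missing: the intermediate's issuer hash must match the subject hash of something in the trusted store.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from Fiddler.
# Assumes: openssl 1.1.1+ on PATH. All names below are invented.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# gen_csr NAME "/CN=..." : EC P-256 key (fast) plus a CSR, written as NAME.key / NAME.csr
gen_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
}

# 1. Self-signed root: the certificate that turned out to be missing from the store.
gen_csr root "/CN=Example Root CA"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.pem 2>/dev/null

# 2. Issuing (intermediate) CA, signed by the root. The server sends this one.
gen_csr int "/CN=Example Issuing CA"
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile int.ext -out int.pem 2>/dev/null

# 3. Server (leaf) certificate, signed by the intermediate.
gen_csr leaf "/CN=www.example.test"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\nextendedKeyUsage=serverAuth\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 30 -extfile leaf.ext -out leaf.pem 2>/dev/null

# 4. A trust store that holds some other root but not ours. This models the
#    server's store before the missing root CA was copied in.
gen_csr other "/CN=Unrelated Root CA"
openssl x509 -req -in other.csr -signkey other.key -days 30 -extfile ca.ext -out other.pem 2>/dev/null

# chain_verifies STORE: does leaf.pem chain to a root in STORE, given the
# intermediate the server sends? This is the check the browser performs, and
# the one Fiddler skips when "Ignore server certificate errors" is on.
chain_verifies() {
  openssl verify -no-CApath -CAfile "$1" -untrusted int.pem leaf.pem >/dev/null 2>&1
}

# chain_error STORE: same check, but returns OpenSSL's diagnostic text.
chain_error() {
  openssl verify -no-CApath -CAfile "$1" -untrusted int.pem leaf.pem 2>&1 || true
}

# issuer_present STORE: the targeted check. OpenSSL looks an issuer up by the
# hash of its name; if the intermediate's issuer hash matches no subject hash
# in the store, the chain can never be completed, whatever the server sends.
# (STORE is a single-certificate PEM file in this demo.)
issuer_present() {
  want=$(openssl x509 -in int.pem -noout -issuer_hash)
  have=$(openssl x509 -in "$1" -noout -subject_hash)
  [ "$want" = "$have" ]
}

echo "Store without our root (the failing server):"
if chain_verifies other.pem; then echo "  verifies"; else echo "  FAILS:"; chain_error other.pem | sed 's/^/    /'; fi
if issuer_present other.pem; then echo "  intermediate's issuer is in the store"; else
  echo "  intermediate's issuer is NOT in the store: $(openssl x509 -in int.pem -noout -issuer -nameopt RFC2253)"
fi

echo "Store with our root (after copying it in):"
if chain_verifies root.pem; then echo "  verifies"; else echo "  FAILS"; fi
if issuer_present root.pem; then echo "  intermediate's issuer is in the store"; fi
```

    The "issuer not in store" line is the fact that Wireshark let the poster see: the Certificate message names the intermediate's issuer, and that name has to exist in the client's trusted root store. On the XenApp server itself the equivalent question is whether that issuer is present under the machine's Trusted Root Certification Authorities; a missing intermediate is a different failure, since the server (or, on Windows, AIA fetching) is expected to supply intermediates, while roots must already be trusted locally.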

  4. Tsviatko Yovtchev
    Admin
    409 posts

    Posted 11 Nov

    Hi,

    Well, you were able to connect through Fiddler because the "Ignore server certificate errors" option was turned on. If that was off, Fiddler would have warned you about the certificate problem.

    Regards,
    Tsviatko Yovtchev
    Telerik by Progress