need help understanding !secureclientpipdirect failed

2 posts, 0 answers
  1. John
    John avatar
    12 posts
    Member since:
    Dec 2012

    Posted 15 Mar 2015 Link to this post

    My objective is to capture and decrypt all incoming https traffic(specifically just a 2 rest api url end points) to a asp mvc website on an IIS 7.5 webserver.

    steps I've completed
    1. I've unbinded the website from 443 and moved it to 444.
    2. I altered the fiddlercore( sample demo to just have a secure listener on port 443 and display the request headers in  a windows form application.
    3. I've attached the server's real certificate using Proxy.AssignEndpointCertificate(x509Certificate2). I've confirmed the attached certificate was found by messagebox 

    of the thumbprint. here is the code

    oSecureEndpoint = FiddlerApplication.CreateProxyEndpoint(iSecureEndpointPort, true, sSecureEndpointHostname);
    if (isCertFound) {

    4. I've written the logs to a text file and I see : 
    a. /Fiddler.CertMaker> Using Fiddler.DefaultCertificateProvider+MakeCertEngine for certificate generation
    b. !SecureClientPipeDirect failed: System.NotSupportedException The server mode SSL must use a certificate with the associated private key. on pipe to (CN=*, OU=Domain Control Validated)

    things i don't get
    1. how does the fiddlercore app know to send the forward requests to port 444 (of the website). How do i specify this? If I don't specify this, where does it go?
    2. What is causing the !secureclientpipdirect failed from 4b above?

  2. Eric Lawrence
    Eric Lawrence avatar
    833 posts

    Posted 17 Mar 2015 Link to this post

    You didn't share the code of how you loaded the certificate, but as the error message explains, however you did it, you did so in such a way that the private key is not associated with that certificate. You cannot decrypt HTTPS traffic with only a certificate; you also need the private key. One way to ensure that the certificate and private key are associated properly is to load the X509Certificate2 from a .PVK file that contains both.

    After you've properly configured the certificates, you'd redirect inbound requests inside the BeforeRequest handler. You'd check to see if the receiving port is 443 and if so, change the port to 444; e.g.

      if (oS.oRequest.pipeClient.LocalPort == 443) {
          oS.port = 444;

    Eric Lawrence

    Check out the Telerik Platform - the only platform that combines a rich set of UI tools with powerful cloud services to develop web, hybrid and native mobile apps.

Back to Top