What is the cause of "invalid signature" response?

4 posts, 0 answers
  1. John
    12 posts
    Member since:
    Dec 2012

    Posted 17 Jul 2015

    I have a reverse proxy configured:

    [client machine sending rest api requests] <--https--> [[fiddler listening on port:443] <-->  [web server]]

    I'm trying to capture and modify web API requests that are sent by the client machine to an HTTPS web server (sqa2.ourdomain.com). This machine can't be configured to go through a proxy, which is why I need the reverse proxy solution. I configured Fiddler on the server:

     1. As documented elsewhere, after rebinding the website to port 444, I've put the following in the OnBeforeRequest handler:

            if (oSession.HostnameIs("sqa2.ourdomain.com") &&
                    (oSession.oRequest.pipeClient.LocalPort == 443)) 
            {
                
                oSession.host = "sqa2.ourdomain.com:444";
            }

     2. I've run !listen 443 sqa2.ourdomain.com

    I've been able to successfully capture the outgoing HTTP API request and response, but the response gives:

    {
      "Status": {
        "code": "770",
        "message": "Authorization error - Invalid signature"
      }
    }

    What is causing this response?

  2. John
    12 posts
    Member since:
    Dec 2012

    Posted 17 Jul 2015 in reply to John

    3. I've also installed the exported Fiddler root certificate on the client's machine local computer certificate root authority store.
  3. Eric Lawrence
    Admin
    833 posts

    Posted 17 Jul 2015

    It's hard to tell without more context (e.g. a SAZ capture of the traffic) but what you've described suggests that the request over HTTPS is decrypted properly but the server itself isn't happy with the request in some way. You may need to look into the code on the server that generates that response to see what signature it is referring to.

    Just to confirm though-- this server doesn't require a client certificate, does it?

    Regards,
    Eric Lawrence
    Telerik
  4. John
    12 posts
    Member since:
    Dec 2012

    Posted 17 Jul 2015 in reply to Eric Lawrence

    Thanks for the reply. Yes, it is because in the outgoing URL, the authorization signature is sent. This is generated from the URL service end point and data payload. So, I'll have to speak with the developers to turn this off or somehow reconstruct the correct signature before sending it out.
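
The cause identified in the last post, as an added example that is not part of the original thread and not the API's own code: a signature computed over the service endpoint and payload stops matching once an intermediary changes either one. The HMAC-SHA256 scheme, the secret and the sample request are assumptions constructed for illustration; only the 770 response body comes from the thread.

```javascript
// Added illustration. The signing scheme (HMAC-SHA256 over method, path+query
// and body), the secret and the sample request are assumptions, not the real API.
const crypto = require('crypto');

const SHARED_SECRET = 'constructed-demo-secret'; // constructed sample value

// The signed string covers the service endpoint and the data payload.
function canonicalize(req) {
  return [req.method.toUpperCase(), req.pathAndQuery, req.body].join('\n');
}

function sign(req, secret) {
  return crypto.createHmac('sha256', secret)
    .update(canonicalize(req), 'utf8')
    .digest('hex');
}

// Server side: recompute the signature and compare in constant time.
function verify(req, secret) {
  const expected = Buffer.from(sign(req, secret), 'hex');
  const presented = Buffer.from(String(req.signature || ''), 'hex');
  const ok = presented.length === expected.length &&
    crypto.timingSafeEqual(presented, expected);
  return ok
    ? { code: '200', message: 'OK' }
    : { code: '770', message: 'Authorization error - Invalid signature' };
}

function demo() {
  // Constructed request, signed by the client before it leaves the machine.
  const original = { method: 'POST', pathAndQuery: '/api/orders?id=42', body: '{"qty":1}' };
  original.signature = sign(original, SHARED_SECRET);

  // An intermediary edits the payload but forwards the original signature.
  const edited = { ...original, body: '{"qty":100}' };

  // A party that holds the secret recomputes the signature after the edit.
  const resigned = { ...edited, signature: sign(edited, SHARED_SECRET) };

  return {
    unmodified: verify(original, SHARED_SECRET).code,
    edited: verify(edited, SHARED_SECRET).code,
    resigned: verify(resigned, SHARED_SECRET).code,
  };
}

console.log(demo());
```

TLS interception alone does not trigger the failure in this model; the server rejects the request only when a signed field differs from what the client signed.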