This is a migrated thread and some comments may be shown as answers.

Fiddler and 3rd Party Certificates.

6 Answers 74 Views
Fiddler Classic
This is a migrated thread and some comments may be shown as answers.
Juan
Top achievements
Rank 1
Juan asked on 21 Apr 2014, 10:53 PM
Hello Forum,
I work for a company called ePay and I was wondering if someone could assist me with a certificate issue.
Our company uses a Digital Certificate with our customers and it seems we might be having some compatibility issues with Fiddler.
My question is the following:
Since we have a certificate installed and imported into the browser (e.g. IE10) and then Fiddler adds a Do_Not_Trust_FiddlerRoot Certificate which causes the compatibility issues. I read that a fix would be to move the certificate from the personal folder to the "Trusted Certificates" folder, but I want to confirm this would be the ideal fix and that I wouldn't disrupt or disconfigure any settings in Fiddler.
And my second question is;
What type of problems could we expect if the Do_Not_Trust_FiddlerRoot is left on the personal folder? (problems with OUR certificate)
And my last question is:
Would any configuration be lost if they DELETED the Do_Not_Trust_FiddlerRoot certificate?

Thanks for the help.

Juan Posada
ePay Customer Service Trainer

6 Answers, 1 is accepted

Sort by
0
Eric Lawrence
Telerik team
answered on 22 Apr 2014, 03:21 PM
Hi, Juan--

You'll need to be more specific about what exactly it is that you're trying to accomplish and what "compatibility issues" you are encountering.

What sort of certificate have you "installed" and what exactly is the problem you're having?

Thanks,
Eric Lawrence
Telerik
 

Check out the Telerik Platform - the only platform that combines a rich set of UI tools with powerful cloud services to develop web, hybrid and native mobile apps.

 
0
Juan
Top achievements
Rank 1
answered on 22 Apr 2014, 04:21 PM
Hi Eric,

Sorry I'll try to be more specific.
My company uses a Digital Certificate to authenticate users on a website. In order for them to access the website they must "install" the certificate or else they get an error "403.7 Forbidden".
When one of our customers has fiddler installed. under internet options > content > Certificates, there are a lot of certificates created with root: Do_Not_Trust_FiddlerRoot for a bunch of different websites and it makes one that matches our certificate.
When this happens and they try to access our website they are getting the error "403.7 Forbidden" and they are unable to authenticate themselves. 
Now I believe that they have installed fiddler on their computers for a reason but they also need to be able to access our website.
So my question is:
What would be the best way to avoid Fiddler from blocking our Digital Certificate and preventing the user authentication on our website?


We have had some people delete the certificate and then it works but I'm not sure if Fiddler will just create a new copy or if it could change some configuration.
I read that we could move the certificate from the personal file to the trusted certificates file but never actually tested it.

If you need more information, what do you need?
0
Juan
Top achievements
Rank 1
answered on 22 Apr 2014, 05:15 PM
This is a screenshot where you can see the DC list of a user and you'll see that there are 2 for webpos (my company's website). 
0
Eric Lawrence
Telerik team
answered on 23 Apr 2014, 07:29 PM
Hello, Juan--

What you're describing is that the client is required to present a ClientCertificate when authenticating to your website. When running Fiddler, Fiddler will not automatically challenge the client to provide a certificate and as a consequence the login will fail while Fiddler is running. Manual configuration of Fiddler is required to allow Fiddler to present a client certificate on the user's behalf; this process is described here: http://fiddlerbook.com/Fiddler/help/httpsclientcerts.asp

Now, it sounds like you might be saying that users are having problems logging in even when Fiddler is not running. That would not make very much sense, as the certificates that Fiddler uses do NOT contain the ClientAuthentication key usage flag and thus their presence should have absolutely no impact whatsoever on the client when Fiddler is not running.

Fiddler's certificates can be automatically cleaned up ever time Fiddler exits; see https://groups.google.com/forum/#!topic/httpfiddler/Yg4G7SWl3bo

thanks for the extra info,
Eric Lawrence
Telerik
 

Check out the Telerik Platform - the only platform that combines a rich set of UI tools with powerful cloud services to develop web, hybrid and native mobile apps.

 
0
Juan
Top achievements
Rank 1
answered on 23 Apr 2014, 08:53 PM
Hello Eric,
Thanks for the update.
This is great information, I'll make sure to pass it around to our Fiddler using customers.
Just one more question if you don't mind: what would happen to the Fiddler users that have had their certificate erased?
Meaning:
If one of our agents removes/deletes the webpos.epayworldwide fiddler certificate. Would that be harmful to your software in any way?
If one of our agents already did it, does the user need to do anything extra to avoid a software misconfiguration?
Thanks for your replies!!

Blessings,
John
0
Eric Lawrence
Telerik team
answered on 24 Apr 2014, 03:45 PM
Hello,

Deleting the "webpos.epayworldwide.com" certificate won't do anything harmful (and that's what the CleanupServerCertsOnExit preference does); Fiddler will recreate that certificate if and when needed.

If the user were to delete the DO_NOT_TRUST root certificate, that would be bad.

Regards,
Eric Lawrence
Telerik
 

Check out the Telerik Platform - the only platform that combines a rich set of UI tools with powerful cloud services to develop web, hybrid and native mobile apps.

 
Tags
Fiddler Classic
Asked by
Juan
Top achievements
Rank 1
Answers by
Eric Lawrence
Telerik team
Juan
Top achievements
Rank 1
Share this question
or