Hello,
I've been using FiddlerCore on Windows for some time now and it's been great. However some of my users have recently started to report
issues where the proxy fails to connect to anything. I've checked the logs and every time this user happens is because of BCCertMaker.
This is what's shown in the log:
Fiddler.BCCertMaker> Failed to create certificate for localhost: Key not valid for use in specified state. at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer) at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle) at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair() at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize) at BCCertMaker.BCCertMaker.ConvertBCPrivateKeyToDotNet(RsaPrivateCrtKeyParameters bcPVK, String sKeyName) at BCCertMaker.BCCertMaker.CreateCertificateFromCA(String sCN, X509Certificate caCert, AsymmetricKeyParameter caKey) at BCCertMaker.BCCertMaker.MakeNewCert(String sHostname)
I've done research on this error and it's not clear what it's cause is but I've found that it can be solved by deleting
the "Crypto" folder in %AppData%\Microsoft\. This is clearly not ideal and would appreciate if someone had an idea on how to work
around this issue in the future.
Thanks.
5 Answers, 1 is accepted
Rank 1
I understand this issue is hard to debug without further information, so I've been investigating it further and a StackOverflow answer was brought to my attention that explains this issue really well as well as a way to reproduce it. https://stackoverflow.com/a/4294877
This seems to be a bug affecting both CertMaker.exe and the CertMaker.dll/BCMakeCert.dll combo.
This can be reproduced with any FiddlerCore application that wants to decrypt HTTPS traffic, such as the sample app that ships with the API package.
1. Create a test Windows account with a password (doesn't matter what it is).
2. Log into the test account and run the sample application. Verify that HTTPS traffic is decrypted correctly.
3. Log off and switch over to the Administrator account.
4. Remove the password from the test account.
5. Log off once more and switch over to the test account, run the sample application again.
The application should no longer be able to decrypt HTTPS traffic and might become unstable.
If you check FiddlerCore's log, the error should be "Key not valid for use in specified state.":
https://i.imgur.com/Idbdve3.png
No notification is currently provided to developers or any kind of solution to handle this outcome, such a scenario should be handled gracefully. The StackOverflow answer above proposes a couple solutions to this problem, such as removing the obsolete key container file.
Look forward to hearing back from you.
Rank 1
Rank 1
For the time being, we've opted for a workaround that attempts to access the key container before starting the proxy and deletes the corrupted file if a CryptographicException is thrown.
https://github.com/FailedShack/USBHelperLauncher/commit/33d2f825e447d416b678415581fbd8bc03175182
Rank 1
Any thoughts on this? I had hoped to get some kind of response.
It would be helpful to have a proper way of handling this case. Let me know if you need any other information.
Sorry for the late reply and thank you for bringing this issue to our attention.
It seems that renaming/deleting the encrypted key container file with the old user password and generating a new one with the new password is the only sensible solution to the problem.
I am adding this issue in our backlog to think about how to avoid this problem or how to handle it gracefully.
Regards,
Simeon
Progress Telerik