Hi,
It seems that Fiddler generates on-the-fly certificates (when intercepting HTTPS traffic) but only sets the 'serverAuth' value in the ExtendedKeyUsage extension.
I am having some trouble getting the cert accepted by a Java app that is connecting to a backend system, and I am using Fiddler to debug the HTTPS traffic. My Java app complains:
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###http-bio-8083-exec-5, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS client authentication |
If I look at SSL debug generated in my app I see this:
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###*** Certificate chain |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###chain [0] = [ |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###[ |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5### Version: V3 |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5### Subject: CN=<target server>, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5### Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5### Key: Sun RSA public key, 1024 bits |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5### modulus: ...
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5### public exponent: 65537 |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5### Validity: [From: Wed Feb 26 00:00:00 UTC 2014, |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5### To: Tue Feb 25 23:59:59 UTC 2025] |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5### Issuer: CN=DO_NOT_TRUST_FiddlerRoot, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5### SerialNumber: [ -6c9fcd89 21ec5b61 b6673282 907882a4] |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###Certificate Extensions: 3 |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###[1]: ObjectId: 2.5.29.1 Criticality=false |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###Extension unknown: DER encoded OCTET string = |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###0000: 04 81 B8 30 81 B5 80 10 39 6D 9F 06 75 DA BB F7 ...0....9m..u... |
...
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5### |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###[2]: ObjectId: 2.5.29.19 Criticality=true |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###BasicConstraints:[ |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5### CA:false |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5### PathLen: undefined |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###] |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###[3]: ObjectId: 2.5.29.37 Criticality=false |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###ExtendedKeyUsages [ |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5### serverAuth |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###] |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###] |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5### Algorithm: [SHA256withRSA] |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5### Signature: |
...
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5### |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###] |
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###*** |
Then the app complains:
2015 03 03 11:50:07#+00#INFO#System.out##anonymous#http-bio-8083-exec-5###http-bio-8083-exec-5, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS client authentication |
Is it possible to get the clientAuth ExtendedKeyUsage value set as well?
-chris
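As an added example (not from the original post, and not Fiddler's or the JDK's code): the JDK's end-entity check rejects a certificate for TLS client authentication unless the certificate either has no extendedKeyUsage extension at all, or that extension lists id-kp-clientAuth (1.3.6.1.5.5.7.3.2) or anyExtendedKeyUsage (2.5.29.37.0). The Fiddler-issued certificate above lists only id-kp-serverAuth (1.3.6.1.5.5.7.3.1), which is exactly what the "Extended key usage does not permit use for TLS client authentication" message reports. The standard-library Python below builds the DER of that extension as it appears in the posted log, parses it back, and applies the JDK rule both to the serverAuth-only extension and to one that also carries clientAuth. The extension bytes are constructed here for the example; the OIDs and the acceptance rule follow the JDK's sun.security.validator.EndEntityChecker, including the two legacy Server Gated Crypto OIDs it additionally accepts for TLS servers.

```python
"""Minimal DER encode/decode for the X.509 extendedKeyUsage extension and
the acceptance rule the JDK validator applies to it.

Added example; not code from the original post, from Fiddler or from the JDK.
The sample extension bytes are constructed here and mirror the extension in
the posted log (EKU = serverAuth only).
"""

OID_EKU = "2.5.29.37"
ANY_EKU = "2.5.29.37.0"
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
# Legacy Server Gated Crypto OIDs; the JDK also accepts these for TLS servers.
NS_SGC = "2.16.840.1.113730.4.1"
MS_SGC = "1.3.6.1.4.1.311.10.3.3"


def _der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID: first two arcs packed, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(0x06, bytes(out))


def eku_extension(oids, critical=False) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }, with extnValue = SEQUENCE OF KeyPurposeId."""
    value = der_tlv(0x30, b"".join(der_oid(o) for o in oids))
    body = der_oid(OID_EKU)
    if critical:
        body += der_tlv(0x01, b"\xff")
    body += der_tlv(0x04, value)
    return der_tlv(0x30, body)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_eku_extension(ext: bytes):
    """Return (critical, [key purpose OIDs]) from a DER-encoded EKU Extension."""
    _, body, _ = _read_tlv(ext, 0)
    _, oid_body, pos = _read_tlv(body, 0)
    if decode_oid(oid_body) != OID_EKU:
        raise ValueError("not an extendedKeyUsage extension")
    critical = False
    tag, nxt, pos = _read_tlv(body, pos)
    if tag == 0x01:                       # optional BOOLEAN critical
        critical = nxt != b"\x00"
        tag, nxt, pos = _read_tlv(body, pos)
    _, seq, _ = _read_tlv(nxt, 0)         # OCTET STRING wraps the SEQUENCE OF OID
    oids, p = [], 0
    while p < len(seq):
        _, oid_body, p = _read_tlv(seq, p)
        oids.append(decode_oid(oid_body))
    return critical, oids


def jdk_permits(eku_oids, variant: str) -> bool:
    """Mirror EndEntityChecker's EKU test. eku_oids=None means the certificate
    carries no EKU extension, which the JDK always allows."""
    if eku_oids is None:
        return True
    if variant == "tls client":
        wanted = {CLIENT_AUTH, ANY_EKU}
    elif variant == "tls server":
        wanted = {SERVER_AUTH, ANY_EKU, NS_SGC, MS_SGC}
    else:
        raise ValueError(variant)
    return bool(wanted & set(eku_oids))


def check(ext: bytes, variant: str) -> bool:
    _, oids = parse_eku_extension(ext)
    return jdk_permits(oids, variant)


# Constructed samples: what Fiddler put in the posted cert, and what it would need.
FIDDLER_EKU = eku_extension([SERVER_AUTH])
DUAL_EKU = eku_extension([SERVER_AUTH, CLIENT_AUTH])

if __name__ == "__main__":
    print("Fiddler EKU extension DER:", FIDDLER_EKU.hex())
    for name, ext in (("serverAuth only", FIDDLER_EKU), ("serverAuth+clientAuth", DUAL_EKU)):
        for variant in ("tls server", "tls client"):
            verdict = "permitted" if check(ext, variant) else "rejected"
            print(f"{name:22s} {variant}: {verdict}")
```

Running it shows the serverAuth-only extension passing the TLS-server variant and failing the TLS-client one, while the extension with both purposes passes both. The message in the log therefore does not mean the Fiddler certificate is a bad server certificate; it means the validator was invoked in its TLS-client variant (the path behind X509TrustManager.checkClientTrusted), and on that path the certificate would need clientAuth added. The JDK also checks the keyUsage extension when one is present (digitalSignature for the client variant); the certificate in the log has no keyUsage extension, so only the EKU test applies.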