This is a migrated thread and some comments may be shown as answers.

need help understanding !secureclientpipdirect failed

1 Answer 171 Views
FiddlerCore
This is a migrated thread and some comments may be shown as answers.
John
Top achievements
Rank 1
John asked on 16 Mar 2015, 03:16 AM

My objective is to capture and decrypt all incoming https traffic(specifically just a 2 rest api url end points) to a asp mvc website on an IIS 7.5 webserver.

steps I've completed
1. I've unbinded the website from 443 and moved it to 444.
2. I altered the fiddlercore(4.4.9.8) sample demo to just have a secure listener on port 443 and display the request headers in  a windows form application.
3. I've attached the server's real certificate using Proxy.AssignEndpointCertificate(x509Certificate2). I've confirmed the attached certificate was found by messagebox 

of the thumbprint. here is the code

oSecureEndpoint = FiddlerApplication.CreateProxyEndpoint(iSecureEndpointPort, true, sSecureEndpointHostname);
if (isCertFound) {
oSecureEndpoint.AssignEndpointCertificate(x509Certificate2);
}

4. I've written the logs to a text file and I see : 
a. /Fiddler.CertMaker> Using Fiddler.DefaultCertificateProvider+MakeCertEngine for certificate generation
and
b. !SecureClientPipeDirect failed: System.NotSupportedException The server mode SSL must use a certificate with the associated private key. on pipe to (CN=*.ourdomain.com, OU=Domain Control Validated)


things i don't get
1. how does the fiddlercore app know to send the forward requests to port 444 (of the website). How do i specify this? If I don't specify this, where does it go?
2. What is causing the !secureclientpipdirect failed from 4b above?

1 Answer, 1 is accepted

Sort by
0
Eric Lawrence
Telerik team
answered on 17 Mar 2015, 03:02 PM
You didn't share the code of how you loaded the certificate, but as the error message explains, however you did it, you did so in such a way that the private key is not associated with that certificate. You cannot decrypt HTTPS traffic with only a certificate; you also need the private key. One way to ensure that the certificate and private key are associated properly is to load the X509Certificate2 from a .PVK file that contains both.

After you've properly configured the certificates, you'd redirect inbound requests inside the BeforeRequest handler. You'd check to see if the receiving port is 443 and if so, change the port to 444; e.g.

  if (oS.oRequest.pipeClient.LocalPort == 443) {
      oS.port = 444;
  }


Regards,
Eric Lawrence
Telerik
 

Check out the Telerik Platform - the only platform that combines a rich set of UI tools with powerful cloud services to develop web, hybrid and native mobile apps.

 
Tags
FiddlerCore
Asked by
John
Top achievements
Rank 1
Answers by
Eric Lawrence
Telerik team
Share this question
or