ServicePointManager.CheckCertificateRevocationList = true with fiddler https decryption causes failures

1 Answer 584 Views
Fiddler Classic FiddlerCore
Chris
Top achievements
Rank 1
Chris asked on 07 Oct 2022, 09:03 PM

Within a .net application when the CheckCertificateRevocationList is set SSL connections can no longer be made while fiddler is running.

An example:

ServicePointManager.CheckCertificateRevocationList = true;

WebRequest request = WebRequest.Create("https://www.google.com");

var response = await request.GetResponseAsync();

This fails with

The remote certificate is invalid according to the validation procedure.

 

If I register a validation callback (ServicePointManager.ServerCertificateValidationCallback) too  see what is going on I see

SSLPolicyErrors = RemoteCertificateChainErrors

When looking at the X509Chain I see "The revocation function was unable to check revocation for the certificate.\r\n"

Some other threads on stack overflow indicated this may be due to no revocation list being attached to the fiddler root certificates.

So I was wondering if anyone was able to get fiddler to work with the CheckCertificateRevocationList= true.  I know I can disable it but that would not be good for security. I also could in the handler allow fiddler certificates, but I was hoping there was a way to generate the fiddler certificates in a way that worked with that setting.

 

1 Answer, 1 is accepted

Sort by
0
Nick Iliev
Telerik team
answered on 12 Oct 2022, 06:20 AM

Hello Chris,

Check this GitHub thread where possible solutions are discussed. The mentioned CerMaker add-on can be downloaded from here.

Regards,
Nick Iliev
Progress Telerik

Virtual Classroom, the free self-paced technical training that gets you up to speed with Telerik and Kendo UI products quickly just got a fresh new look + new and improved content including a brand new Blazor course! Check it out at https://learn.telerik.com/.

Tags
Fiddler Classic FiddlerCore
Asked by
Chris
Top achievements
Rank 1
Answers by
Nick Iliev
Telerik team
Share this question
or