Unable to decrypt HTTPS traffic Windows7/IE11

[John Liptak]

When I attempt to decrypt HTTPS traffic, IE displays a connection error and the session in Fiddler is:

CONNECT accounts.google.com:443 HTTP/1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: accounts.google.com:443

and what I get in the reply is

HTTP/1.0 200 Connection Established
FiddlerGateway: Direct
StartTime: 12:01:46.047
Connection: close

fiddler.network.https> Failed to secure existing connection for accounts.google.com. Cannot find the requested object.

I have ignore server certificate errors checked and I've accepted the generated certificate.

Ideas?

[EricLaw]

This is a bug somewhere in the .NET Certificate class (e.g. http://stackoverflow.com/questions/20044709/cannot-find-the-requested-object-when-using-x509certifcate-cass-in-windows-phone)

Your first step should be to disable HTTPS decryption and choose "Remove Interception Certificates." Delete all certificates and untrust from the store.

Next, re-enable HTTPS decryption, allow the root to be recreated and retrusted. Then see if the problem goes away.

If not, try installing the Fiddler Certificate Generator plugin and restart.

[John Liptak]

I had tried removing and re-installing the root, so I moved on to the plugin.

If I change the settings and don't restart I get the following in the logs (kinda expected):

16:51:44:7703 fiddler.network.https> Failed to secure existing connection for accounts.google.com. Cannot find the requested object.

.

16:51:44:8553 fiddler.network.https> Failed to secure existing connection for groups.google.com. Cannot find the requested object.

.

16:51:57:5280 fiddler.network.https> Failed to secure existing connection for groups.google.com. Cannot find the requested object.

.

but I get the same error on restart:

16:56:15:6382 Fiddler Running...

16:56:19:8983 Fiddler ICertificateProvider v1.4.4.0 loaded.

fiddler.certmaker.bc.Debug: False

16:56:20:7108 fiddler.network.https> Failed to secure existing connection for talkgadget.google.com. Cannot find the requested object.

.

.

16:56:27:8185 fiddler.network.https> Failed to secure existing connection for accounts.google.com. Cannot find the requested object.

.

[EricLaw]

Use the QuickExec box:

  prefs set fiddler.certmaker.bc.Debug True

Restart Fiddler and do you see anything more in the Log tab?

The error message in question looks likely to be a bug in the Windows/.NET private key management for the certificates generated by Fiddler. It's possible that this was a regression in one of the recent .NET or WindowsUpdates, but I'm running the latest and haven't encountered any such problems.

thanks! 

[Andy Rowse]

+1. I started experiencing the same thing after I upgraded to the .NET4 build. Everything was working fine before that. I've followed all of the suggested steps and nothing works.

I run Win 8.1

I do get a slightly different error from the handshake:

HTTP/1.0 200 Connection Established
FiddlerGateway: Direct

StartTime: 14:37:29.248
Connection: close
fiddler.network.https> Failed to secure existing connection for www.google.com. The specified network password is not correct.

[EricLaw]

Which build did you have previously? Which "suggested steps" specifically did you follow? Are you an Administrator on the machine in question? If so, are you running elevated? Do you have .NET4.5.1 installed or only .NET4.5? Are you missing any updates at all offered by WindowsUpdate? Do you have any security or certificate management software installed (especially anything from Entrust or related to a SmartCard)? What log information do you see in the Log tab after enabling fiddler.certmaker.bc.Debug ?

The error message: "The specified network password is not correct." is another instance of the Windows cryptography APIs failing to get access to one of the private keys matching a certificate used by Fiddler.

[Andy Rowse]

I am an administrator for my machine. Also, I don’t have any custom rules.

Previous Build: unknown
Current: v4.4.6.2

Steps: The ones suggested in this tread (regenerate cert, try cert generator plugin, run as administrator). Also tried uninstalling and reinstalling (both .NET2 version and .NET4) version and has problems in both.
Window Version: 8.1
.NET Version: 4.5.1
Windows Update: Just installed all latest and retried all troubleshooting steps. Still no HTTPS
Cert Mang. Software: No Security or Cert Management software that I know of.

Log Info:

16:56:10:6289 Fiddler Running... 

16:56:10:6289 Windows 8+ AppContainer isolation feature detected. 

16:56:13:4350 Fiddler ICertificateProvider v1.4.4.0 loaded.

fiddler.certmaker.bc.Debug: True 

16:56:13:4350 Using BCMakeCert.dll v2.0.3.0 

16:56:13:4350 Fiddler.BCCertMaker> Asked to MakeNewCert(www.google.com) from thread 16... 

16:56:13:4350 Proceeding to generate (www.google.com) on thread 16. 

16:56:13:5909 Fiddler.BCCertMaker> Loaded root certificate and key from Preference. SubjectDN:OU=Created by http://www.fiddler2.com,O=DO_NOT_TRUST_BC,CN=DO_NOT_TRUST_FiddlerRoot 

16:56:13:6065 Fiddler.BCCertMaker> CreatingCert for: www.google.com 

16:56:13:9962 Fiddler.BCCertMaker> PrivateKey Generation took: 397ms. 

16:56:14:1054 Fiddler.BCCertMaker> EECert Generation took: 510ms in total. 

16:56:14:1209 Fiddler.BCCertMaker> Converting BCKey to DotNetKey using CSP Provider type: 24 

16:56:14:1365 ContainerInfo for www.google.com's Certificate's PrivateKey

KCName:FiddlerBCKey

Exportable:True

IsMachine:False

Protected:False

Removable:False

Provider:Microsoft Enhanced RSA and AES Cryptographic Provider (24)

UniqueName:6126ce6d65fe3c035ce2d7d51f5a45f2_98c429b1-0812-4e17-bf23-666bc432c262

RandomlyGenerated:False

 

16:56:14:1365 Fiddler.BCCertMaker> BC-to-.NET Conversion took: 28ms. 

16:56:14:1365 Fiddler.BCCertMaker> Caching EECert for www.google.com 

16:56:14:1365 /Signaling [www.google.com] is ready, created by thread 16. 

16:56:14:1521 fiddler.network.https> Failed to secure existing connection for www.google.com. The specified network password is not correct.

[EricLaw]

One approach that would confirm that the problem is related to SChannel would be to

   prefs set fiddler.certmaker.bc.DoDummyEncrypt true

...and then look at the change in text on the Log tab.

To resolve the problem, the only other approach I can think of is documented at the end of this page: http://fiddler.wikidot.com/certfix

[John Liptak]

09:02:04:1149 Fiddler ICertificateProvider v1.4.4.0 loaded.

fiddler.certmaker.bc.Debug: True

09:02:04:1319 Using BCMakeCert.dll v2.0.3.0

09:02:04:1329 Fiddler.BCCertMaker> Asked to MakeNewCert(www.google.com) from thread 13...

09:02:04:1339 Proceeding to generate (www.google.com) on thread 13.

09:02:04:2479 Fiddler.BCCertMaker> Loaded root certificate and key from Preference. SubjectDN:OU=Created by http://www.fiddler2.com,O=DO_NOT_TRUST_BC,CN=DO_NOT_TRUST_FiddlerRoot

09:02:04:2559 Fiddler.BCCertMaker> CreatingCert for: www.google.com

09:02:04:3989 Fiddler.BCCertMaker> PrivateKey Generation took: 142ms.

09:02:04:4969 Fiddler.BCCertMaker> EECert Generation took: 241ms in total.

09:02:04:5029 Fiddler.BCCertMaker> Converting BCKey to DotNetKey using CSP Provider type: 24

09:02:05:0139 ContainerInfo for www.google.com's Certificate's PrivateKey

KCName:FiddlerBCKey

Exportable:True

IsMachine:False

Protected:False

Removable:False

Provider:Microsoft Enhanced RSA and AES Cryptographic Provider (24)

UniqueName:6126ce6d65fe3c035ce2d7d51f5a45f2_2c03661c-b88b-43f7-96fc-c1c2ebfbd6ce

RandomlyGenerated:False

09:02:05:0139 Fiddler.BCCertMaker> BC-to-.NET Conversion took: 516ms.

09:02:05:0179 Fiddler.BCCertMaker> Caching EECert for www.google.com

09:02:05:0209 /Signaling [www.google.com] is ready, created by thread 13.

09:02:05:0499 fiddler.network.https> Failed to secure existing connection for www.google.com. Cannot find the requested object.

.

so no real change :-(

[John Liptak]

I have 4.5.1 and the updates are controlled by "desktop operations" so I have no idea if any are missing.

My vanilla fully patched machine at home does not have this problem, so the difference could be:

• different patches
• running in a domain
• some security policy

[EricLaw]

Hrm. The text here suggests that prefs set fiddler.certmaker.bc.DoDummyEncrypt isn't set to true ?

http://blogs.technet.com/b/pki/archive/2009/06/17/what-is-a-strong-key-protection-in-windows.aspx

There's a Group Policy called “System Cryptography: Force strong key protection for user keys stored on the computer” -- can you look if it's set inside gpedit.msc under Local Policies\Security Options.

[John Liptak]

I emailed a reply with a complete log file, but just to keep the conversation documented for anyone else reading, the System Cryptography: Force strong key protection for user keys stored on the computer is not configured and I get the same error regardless of the debug preference setting.

[John Liptak]

With a lot of help from Eric, we determined that the file

C:\Users\<userid>\Documents\Fiddler2\ClientCertificate.cer

was causing the problem.  After renaming it, I was able to decrypt HTTPS pages again.

[EricLaw]

Thanks for your help, John!

The logs you provided helped find the root cause of this problem as well as explain why it appeared "suddenly" with a newer version.

It turns out that the problem here wasn't a missing private key of the server certificate but rather the missing private key of the client certificate. The error message was confusing because the client certificate is loaded much earlier, but isn't actually used until the HTTPS handshake itself actually takes place. The same problem would occur in all versions of Fiddler, but in more recent versions of Fiddler, it would occur on every HTTPS connection, not just those that explicitly request a client certificate. (The change in Fiddler was to account for a bug in .NET).

I'll see what I can do about recovering gracefully from this error in the next beta of Fiddler and/or at least providing a meaningful error message.

thanks again!

[Andy Rowse]

That solution worked for me too!!! HTTPS is back!

I feel whole again.

Thanks,

AR

[dan.l...@kinnective.com]

FireFox uses its own certificate manager rather than Microsoft's.  Ouch.  You have to import the Fiddler certificate into FireFox!

[EricLaw]

Yes, see http://blogs.telerik.com/fiddler/posts/13-04-01/configuring-firefox-for-fiddler

[Scott Loveland]

Almost 3 years later this post is still relevant and saved me from throwing my laptop in the ocean. I owe someone a beer! Thanks!

[rhsi...@gmail.com]

Previous Build: v.4.2.6.1
Current Build: v2.4.9.6

Window Version: 7

Cert Mang. Software: Entrust (company network)

Issue:  HTTPS decryption was previously working but stopped after either switching between the 2 builds or accidentally deleting some certificates in certmgr.msc.

Steps: 

• The ones suggested in this tread (regenerate cert, try cert generator plugin, http://fiddler.wikidot.com/certfix): Logs using CertMaker and default KeyProvider
• I also tried prefs set fiddler.certmaker.bc.useMachineKeyStore True and prefs remove fiddler.certmaker.bc.keyprovidertype 12 as mentioned in this thread: https://groups.google.com/forum/#!topic/httpfiddler/OTRJs757oY0
• prefs remove fiddler.certmaker.bc.keyprovidertype 12 had no effect, but prefs remove fiddler.certmaker.bc.keyprovidertype 11 did: Logs using CertMaker and KeyProvider 11
  
• Unfortunately the file C:\Users\<userid>\Documents\Fiddler2\ClientCertificate.cer does not exist for me, so the fix does not lie there

I'm going crazy trying to resolve this problem for the last week and would greatly appreciate any help you could provide!

[Eric Lawrence]

What specifically happens? What do you see in your browser, and what do you see in Fiddler's LOG tab?

[rhsi...@gmail.com]

i am actually connecting through my iphone (ios 10.3)  and i see the following in my fiddler's log tab:

-= Fiddler Event Log =-

15:18:54:1581 Fiddler.BCCertMaker> Asked to MakeNewCert(hk.pay.wechat.com) from thread 93...

15:18:54:1651 Proceeding to generate (hk.pay.wechat.com) on thread 93.

15:18:54:1661 Fiddler.BCCertMaker> CreatingCert for: hk.pay.wechat.com

15:18:54:1771 Fiddler.BCCertMaker> PrivateKey Generation took: 11ms.

15:18:54:1871 Fiddler.BCCertMaker> EECert Generation took: 21ms in total.

15:18:54:1881 Fiddler.BCCertMaker> Converting BCKey to DotNetKey using CSP Provider type: 24

15:18:54:4181 ContainerInfo for hk.pay.wechat.com's Certificate's PrivateKey

KCName:FiddlerBCKey

Exportable:True

IsMachine:True

Protected:False

Removable:False

Provider: (24)

UniqueName:6126ce6d65fe3c035ce2d7d51f5a45f2_56f8c967-42a8-4600-88a7-44c7e2cb2cef

RandomlyGenerated:False

15:18:54:4191 Fiddler.BCCertMaker> BC-to-.NET Conversion took: 230ms.

15:18:54:4191 Fiddler.BCCertMaker> Caching EECert for hk.pay.wechat.com

15:18:54:4191 /Signaling [hk.pay.wechat.com] is ready, created by thread 93.

15:18:54:5420 !SecureClientPipeDirect failed: System.Security.Authentication.AuthenticationException 调用 SSPI 失败，请参见内部异常。 < 处理证书时，出现了一个未知错误。 on pipe to (CN=hk.pay.wechat.com, O=DO_NOT_TRUST_BC, OU=Created by http://www.fiddler2.com).

15:18:54:5810 !SecureClientPipeDirect failed: System.Security.Authentication.AuthenticationException 调用 SSPI 失败，请参见内部异常。 < 处理证书时，出现了一个未知错误。 on pipe to (CN=hk.pay.wechat.com, O=DO_NOT_TRUST_BC, OU=Created by http://www.fiddler2.com).

15:18:54:6270 !SecureClientPipeDirect failed: System.Security.Authentication.AuthenticationException 调用 SSPI 失败，请参见内部异常。 < 处理证书时，出现了一个未知错误。 on pipe to (CN=hk.pay.wechat.com, O=DO_NOT_TRUST_BC, OU=Created by http://www.fiddler2.com).

15:18:54:6830 !SecureClientPipeDirect failed: System.Security.Authentication.AuthenticationException 调用 SSPI 失败，请参见内部异常。 < 处理证书时，出现了一个未知错误。 on pipe to (CN=hk.pay.wechat.com, O=DO_NOT_TRUST_BC, OU=Created by http://www.fiddler2.com).

15:20:32:7398 Fiddler.BCCertMaker> Asked to MakeNewCert(sb-ssl.google.com) from thread 47...

15:20:32:7408 Proceeding to generate (sb-ssl.google.com) on thread 47.

15:20:32:7408 Fiddler.BCCertMaker> CreatingCert for: sb-ssl.google.com

15:20:32:7408 Fiddler.BCCertMaker> PrivateKey Generation took: 0ms.

15:20:32:7508 Fiddler.BCCertMaker> EECert Generation took: 10ms in total.

15:20:32:7508 Fiddler.BCCertMaker> Converting BCKey to DotNetKey using CSP Provider type: 24

15:20:32:7758 ContainerInfo for sb-ssl.google.com's Certificate's PrivateKey

KCName:FiddlerBCKey

Exportable:True

IsMachine:True

Protected:False

Removable:False

Provider: (24)

UniqueName:6126ce6d65fe3c035ce2d7d51f5a45f2_56f8c967-42a8-4600-88a7-44c7e2cb2cef

RandomlyGenerated:False

15:20:32:7878 Fiddler.BCCertMaker> BC-to-.NET Conversion took: 37ms.

15:20:32:7908 Fiddler.BCCertMaker> Caching EECert for sb-ssl.google.com

15:20:32:7918 /Signaling [sb-ssl.google.com] is ready, created by thread 47.

15:20:33:0288 [Fiddler] No HTTPS request was received from (chrome:9064) new client socket, port 49958.

15:21:51:4908 Fiddler.BCCertMaker> Asked to MakeNewCert(p29-ckdatabase.icloud.com) from thread 79...

15:21:51:4948 Proceeding to generate (p29-ckdatabase.icloud.com) on thread 79.

15:21:51:5008 Fiddler.BCCertMaker> CreatingCert for: p29-ckdatabase.icloud.com

15:21:51:5008 Fiddler.BCCertMaker> PrivateKey Generation took: 0ms.

15:21:51:5118 Fiddler.BCCertMaker> EECert Generation took: 10ms in total.

15:21:51:5118 Fiddler.BCCertMaker> Converting BCKey to DotNetKey using CSP Provider type: 24

15:21:51:5378 ContainerInfo for p29-ckdatabase.icloud.com's Certificate's PrivateKey

KCName:FiddlerBCKey

Exportable:True

IsMachine:True

Protected:False

Removable:False

Provider: (24)

UniqueName:6126ce6d65fe3c035ce2d7d51f5a45f2_56f8c967-42a8-4600-88a7-44c7e2cb2cef

RandomlyGenerated:False

15:21:51:5388 Fiddler.BCCertMaker> BC-to-.NET Conversion took: 26ms.

15:21:51:5388 Fiddler.BCCertMaker> Caching EECert for p29-ckdatabase.icloud.com

15:21:51:5388 /Signaling [p29-ckdatabase.icloud.com] is ready, created by thread 79.

15:21:51:9148 !SecureClientPipeDirect failed: System.Security.Authentication.AuthenticationException 调用 SSPI 失败，请参见内部异常。 < 证书链是由不受信任的颁发机构颁发的。 on pipe to (CN=p29-ckdatabase.icloud.com, O=DO_NOT_TRUST_BC, OU=Created by http://www.fiddler2.com).

15:21:52:2338 !SecureClientPipeDirect failed: System.Security.Authentication.AuthenticationException 调用 SSPI 失败，请参见内部异常。 < 证书链是由不受信任的颁发机构颁发的。 on pipe to (CN=p29-ckdatabase.icloud.com, O=DO_NOT_TRUST_BC, OU=Created by http://www.fiddler2.com).

15:22:40:6648 !SecureClientPipeDirect failed: System.Security.Authentication.AuthenticationException 调用 SSPI 失败，请参见内部异常。 < 证书链是由不受信任的颁发机构颁发的。 on pipe to (CN=p29-ckdatabase.icloud.com, O=DO_NOT_TRUST_BC, OU=Created by http://www.fiddler2.com).

[Eric Lawrence]

The two possibilities are:

1. You haven't correctly configured your phone to trust Fiddler's root certificate. Do you see decrypted traffic in Fiddler if you visit https://bayden.com/ in your browser? If not, this is the problem.

2. The app that is sending the traffic implemented CertPinning and rejects Fiddler's certificate. See http://fiddler.wikidot.com/certpinning