Java certificate verification warning disappears when going through fiddler


JohnW

Aug 4, 2011, 12:07:32 PM
to Fiddler
We're experiencing an issue where a Java client is accessing a
website whose SSL certificate was issued by an intermediate CA. When
this happens, Java displays a warning stating that the certificate
can't be verified. IE has no problem with the cert, and we have Java
configured to use certs & keys in the browser's keystore.

I thought I'd look at the conversation through Fiddler to get some
more insight into what was going on. Interestingly, Java no longer
displays the warning when I access the site with Fiddler running;
it repros if I close fiddler and access the site again.

(as an aside, the problem also goes away if I copy the issuing CA cert
from the intermediate CA store to the trusted root CA store; this is
not an option for production).

Does anyone know why the behavior may change when fiddler is running?

JohnW

Aug 4, 2011, 12:54:22 PM
to Fiddler
I should also note that fiddler has 'ignore certificate errors'
unchecked.

EricLaw

Aug 4, 2011, 2:22:36 PM
to Fiddler
Is Fiddler configured to decrypt HTTPS traffic?

JohnW

Aug 4, 2011, 4:27:42 PM
to Fiddler
Yes. The application is only available via SSL.

JohnW

Aug 4, 2011, 4:28:10 PM
to Fiddler
Yes - the app is only available through HTTPS.

EricLaw

Aug 4, 2011, 4:40:56 PM
to Fiddler
If Fiddler is configured to decrypt HTTPS traffic, then it generates
its own interception certificate which is returned to the app. Learn
more here:
http://www.fiddler2.com/fiddler/help/httpsdecryption.asp

My guess is that your server is returning a certificate that contains
an AIA pointer that points to the next chain up. Not all HTTPS stacks
have the ability to build chains using AIA (e.g. Firefox doesn't, IE/
Fiddler does), and thus they would show a certificate error upon
encountering such a certificate. Because Fiddler knows how to validate
such chains, you wouldn't see an error from Fiddler, and because
Fiddler returns a directly-trusted Interception certificate to the
client while intercepting, the client no longer complains.

The server should be configured to return the full certificate chain
in order to interoperate with clients that cannot do AIA retrieval.
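An added example, not code from the thread or from Fiddler: it builds a throwaway root/intermediate/leaf chain with openssl (the CA names and the `app.example.test` hostname are constructed) and then validates the leaf the way a client that trusts only the root and cannot chase AIA pointers would, once with the leaf alone and once with the full chain the server should send.

```shell
#!/bin/sh
# Added demo (not from the thread): build a root -> intermediate -> leaf
# chain with throwaway keys, then validate the leaf the way a client that
# trusts only the root and cannot fetch issuers via AIA would.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed root: the only certificate in the client's trust store.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout root.key -out root.pem -subj "/CN=Demo Root CA" 2>/dev/null

# Intermediate CA, signed by the root. The client may hold it in its
# "intermediate" store, but it is never directly trusted.
openssl req -new -newkey rsa:2048 -nodes \
  -keyout inter.key -out inter.csr -subj "/CN=Demo Intermediate CA" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -set_serial 1 \
  -days 30 -extfile inter.ext -out inter.pem 2>/dev/null

# Server (leaf) certificate, signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes \
  -keyout leaf.key -out leaf.csr -subj "/CN=app.example.test" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:app.example.test\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -set_serial 2 \
  -days 30 -extfile leaf.ext -out leaf.pem 2>/dev/null

# Two possible server configurations: sending the leaf alone, or the leaf
# plus the intermediate (the "full chain" recommended above).
cp leaf.pem leaf_only.pem
cat leaf.pem inter.pem > full_chain.pem

# validates_with BUNDLE: exit 0 if a client trusting only root.pem can build
# a chain for leaf.pem from the certificates in BUNDLE. openssl verify never
# follows AIA pointers, so an issuer missing from BUNDLE is simply missing.
validates_with() {
  openssl verify -CAfile root.pem -untrusted "$1" leaf.pem >/dev/null 2>&1
}

for bundle in leaf_only.pem full_chain.pem; do
  if validates_with "$bundle"; then
    echo "$bundle: chain built, certificate accepted"
  else
    echo "$bundle: unable to get issuer certificate, warning would be shown"
  fi
done
```

`openssl verify` does no AIA fetching, which is the behaviour to expect from many clients; Java's PKIX validator likewise ignores AIA caIssuers pointers unless the `com.sun.security.enableAIAcaIssuers` system property is set to true, so configuring the server to send the full chain is the fix that works everywhere.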