Feature request: Selective disabling of RemoteCertificateNameMismatch


term srv

Jan 16, 2015, 3:55:45 PM
to httpf...@googlegroups.com
There are several websites I frequent for which I receive a message box from Fiddler alerting me to a remote certificate name mismatch. For example, whitehouse.gov:

The remote server (www.whitehouse.gov) presented a certificate that did not validate, due to RemoteCertificateNameMismatch.

SUBJECT: CN=a248.e.akamai.net, O="Akamai Technologies, Inc.", L=Cambridge, S=MA, C=US
ISSUER: CN=Cybertrust Public SureServer SV CA, O=Cybertrust Inc
EXPIRES: 6/12/2015 4:35:45 PM

(This warning can be disabled by clicking Tools | Fiddler Options.)


I don't want to disable this feature all the time, just for certain sites. I'm sure I could edit the rules manually, but I wonder if you could add a checkbox to the message box like "don't show again for this host" or something. Thanks

EricLaw

Jan 20, 2015, 11:43:43 AM
to httpf...@googlegroups.com
As you may have noticed, exceptions are stored for the lifetime of Fiddler, and for security reasons, do not persist across multiple sessions.

Generally speaking, errors of this nature should never be ignored, and you should fail the connection if they are encountered, just as most browsers do.

On any given CONNECT tunnel, you can ignore a CN mismatch thusly:

   if (oSession.HTTPMethodIs("CONNECT") && oSession.HostnameIs("www.whitehouse.gov"))
   {
     oSession["X-IgnoreCertCNMismatch"] = "Thanks Obama!";
   }

Alternatively, the FiddlerApplication.OnValidateServerCertificate event fires to allow you to control certificate validation behavior. From FiddlerScript, you'd do something like:


   static function ValidateCert(sender, ea: ValidateServerCertificateEventArgs)
   {
     MessageBox.Show(" Got " + ea.ServerCertificate.Subject + " for " + ea.Session.hostname);
     ea.ValidityState = CertificateValidity.ForceValid;
   }

And inside OnBoot you'd hook up the event handler:


FiddlerApplication.add_OnValidateServerCertificate(ValidateCert);


Note: You can also use this event to attach the base64-encoded version of the certificate to the Session as a Flag field, in answer to the other question you just asked. :-)

term srv

Jan 21, 2015, 2:02:24 AM
to httpf...@googlegroups.com
Thanks, I have started experimenting with this. I have a few questions.

In the Fiddler help document for the CertificateValidity enumeration:
ForceInvalid Force the certificate to be considered Valid, regardless of the value of CertificatePolicyErrors.
ForceValid Force the certificate to be considered Invalid, regardless of the value of CertificatePolicyErrors.


Emphasis is mine. You have also quoted this section of the documentation several times online (I came across it during web searches). Is this a mistake? Why would ForceValid force the certificate to be invalid? That's very confusing.

Second question: I'm playing with your sample, but I'm having a weird problem. I have done exactly what you said. However, I then added a line to ValidateCert that does essentially the same thing as getting the subject:
MessageBox.Show(" Got " + ea.ServerCertificate.ToString() + " for " + ea.Session.hostname);

Now here's what's weird. In the Fiddler2 editor I commented out all three lines and clicked Save, and I heard the OK sound, but I still get message box popups as if I never commented the lines out. It's like Fiddler didn't load the updated function, and my question is: should it? For example, here is my function, saved multiple times with the OK confirmation sound.


    static function ValidateCert(sender, ea: ValidateServerCertificateEventArgs)
    {
        //MessageBox.Show(" Got " + ea.ServerCertificate.Subject + " for " + ea.Session.hostname);
        //MessageBox.Show(" Got " + ea.ServerCertificate.ToString() + " for " + ea.Session.hostname);
        ea.ValidityState = CertificateValidity.ForceValid;
    }

Yet, weirdly, I still get the message box popups. Did I do something wrong, do I just not understand what is happening, or is this a bug?

EricLaw

Jan 21, 2015, 8:44:03 PM
to httpf...@googlegroups.com
Looks like there's a typo in the doc comment; thanks.

As for the behavior you describe: event handlers in FiddlerScript are very tricky. If you want it to work like you expect it to, you should put

FiddlerApplication.add_OnValidateServerCertificate(ValidateCert);


inside the Main function, and inside the OnRetire function, add

FiddlerApplication.remove_OnValidateServerCertificate(ValidateCert);


Otherwise, you end up with an event handler that is firing inside the old-but-still-loaded instance of the script. Wild, huh?

term srv

Jan 27, 2015, 3:26:13 AM
to httpf...@googlegroups.com
Yeah that's weird. I'll watch out for that, thanks.

Here's what I have so far for my ValidateCert function. I have it set to automatically deny certain hosts silently via ForceInvalid. For example, I have whitehouse.gov on the list. Then, for any host not on the list, I dump the certificate chain. It works, but I have a few problems I haven't been able to solve:


Is it possible to prevent logging for a website I am using ForceInvalid on? For example, I don't care about the invalid whitehouse.gov, but I still get this in my log:

fiddler.network.https> HTTPS handshake to www.whitehouse.gov failed. System.Security.Authentication.AuthenticationException The remote certificate is invalid according to the validation procedure.

Because I monitor the log for anything matching the regex (?i)exception, every time that happens I hear a ding. Can I do something in ValidateCert that will squelch the exception from the log?


I can't figure out how to use frmAlert to emulate what Fiddler does, where it alerts using a pre-sized dialog with a text control and a scrollbar. I can make a regular alert using FiddlerObject.alert, but because of the base64 certificates the message box is often so big that it expands off screen. For now I'm just logging instead, and I don't change the ValidityState, to allow Fiddler's frmAlert prompt to handle it.


I can't get the status information when something is wrong with a certificate. For example, go to the Mozilla test at https://kuix.de:9455. Normally, Fiddler shows me a frmAlert with each of the status reasons:

Session #19082: The remote server (kuix.de) presented a certificate that did not validate, due to RemoteCertificateChainErrors.

0 - A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

1 - The revocation function was unable to check revocation for the certificate.

2 - The revocation function was unable to check revocation because the revocation server was offline.


SUBJECT: CN=kuix.de, O=Test Org with CA true, L=Test Loc, S=Test State, C=DE
ISSUER: CN=Kai's Test CA 2048 sha1, O=Test Org, L=Test Loc, S=Test State, C=DE
EXPIRES: 9/7/2064 7:36:20 AM

But when I do it, that doesn't work. I enumerate each X509ChainElement and get the ChainElementStatus, and the elements are there, apparently, but there's no text (undefined). How are you doing it? If you use my function in Fiddler v4.4.9.8, here's what you'll get:

02:31:07:1492 Session #19085: The remote server (kuix.de) presented a certificate that did not validate, due to RemoteCertificateChainErrors.

## SUBJECT: CN=kuix.de, O=Test Org with CA true, L=Test Loc, S=Test State, C=DE
## ISSUER: CN=Kai's Test CA 2048 sha1, O=Test Org, L=Test Loc, S=Test State, C=DE
## EXPIRES: 9/7/2064 7:36:20 AM
## STATUS: undefined
## STATUS: undefined
[base64 certificate]


## SUBJECT: CN=Kai's Test CA 2048 sha1, O=Test Org, L=Test Loc, S=Test State, C=DE
## ISSUER: CN=Kai's Test CA 2048 sha1, O=Test Org, L=Test Loc, S=Test State, C=DE
## EXPIRES: 1/7/2073 6:30:48 AM
## STATUS: undefined
[base64 certificate]


Thanks

EricLaw

Jan 27, 2015, 12:20:11 PM
to httpf...@googlegroups.com
No, there's no option to suppress log entries. You could obviously use a more complicated regular expression that excludes AuthenticationException entries.

frmAlert is simply a dialog wrapper. You'd use it from C# like so:

    frmAlert oAlert = new frmAlert(sTitle,
        String.Format("Session #{0}: The remote server ({1}) presented {2}\r\n\r\nSUBJECT: {3}\r\nISSUER: {4}\r\nEXPIRES: {5}\r\n\r\n{6}", oS.id, sExpectedCN, sErrString, certificate.Subject, certificate.Issuer, certificate.GetExpirationDateString(), sDisableMsg),
        sPrompt,
        MessageBoxButtons.YesNo, MessageBoxDefaultButton.Button2);
    oAlert.TopMost = true;
    oAlert.StartPosition = FormStartPosition.CenterScreen;
    DialogResult oResult = (DialogResult)FiddlerApplication._frmMain.Invoke(new getDecisionDelegate(FiddlerApplication._frmMain.GetDecision), new object[] { oAlert });
    return (DialogResult.Yes == oResult);

Generating the list of Chain errors is done thusly:

    if (((sslPolicyErrors & SslPolicyErrors.RemoteCertificateChainErrors) == SslPolicyErrors.RemoteCertificateChainErrors) &&
        (null != chain))
    {
        StringBuilder sbErrors = new StringBuilder();
        sbErrors.Append("\n");
        for (int i = 0; i < chain.ChainStatus.Length; i++)
        {
            sbErrors.AppendFormat("\n{0} - {1}", i, chain.ChainStatus[i].StatusInformation);
        }
        sChainErrors = sbErrors.ToString();
    }
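An added example, not code from Fiddler or from either poster, that models the decisions this thread lands on: a process-lifetime per-host exception that excuses only a pure RemoteCertificateNameMismatch, a silent ForceInvalid for listed hosts (the approach in the Jan 27 post), and the numbered chain-error list built from ChainStatus[i].StatusInformation as in the C# above. It is written in Python so it runs stand-alone; the class, enum and field names mirror the .NET names quoted in the thread but are assumptions, and the host lists and the kuix.de chain statuses are constructed sample data taken from the messages above.

```python
# Added example (not Fiddler's code or either poster's): models the per-host
# certificate-validation decision and the chain-error text discussed above.
# Class, enum and field names mirror the .NET names quoted in the thread but
# are assumptions; the host lists and sample chain are constructed data.
from dataclasses import dataclass
from enum import Enum, Flag
from typing import List, Optional, Set


class SslPolicyErrors(Flag):
    """Mirrors System.Net.Security.SslPolicyErrors (values assumed to match .NET)."""
    NONE = 0
    REMOTE_CERTIFICATE_NOT_AVAILABLE = 1
    REMOTE_CERTIFICATE_NAME_MISMATCH = 2
    REMOTE_CERTIFICATE_CHAIN_ERRORS = 4


class CertificateValidity(Enum):
    """Mirrors Fiddler's CertificateValidity as the thread explains it."""
    DEFAULT = "Default"              # leave the decision to Fiddler's own prompt
    FORCE_VALID = "ForceValid"       # valid regardless of CertificatePolicyErrors
    FORCE_INVALID = "ForceInvalid"   # invalid regardless of CertificatePolicyErrors


@dataclass
class ChainStatus:
    """One X509ChainStatus entry: the status code and its human-readable text."""
    status: str
    status_information: str


@dataclass
class ServerCertificate:
    """The fields of the server certificate that the alert text uses."""
    subject: str
    issuer: str
    expires: str


# Per-host policy. Both sets live in process memory only, so, like Fiddler's
# own exceptions, they do not survive a restart (constructed sample policy).
IGNORE_CN_MISMATCH: Set[str] = {"www.whitehouse.gov"}   # "don't show again for this host"
DENY_SILENTLY: Set[str] = {"kuix.de"}                    # fail closed without a prompt


def decide(hostname: str, policy_errors: SslPolicyErrors,
           exceptions: Set[str] = IGNORE_CN_MISMATCH,
           denied: Set[str] = DENY_SILENTLY) -> CertificateValidity:
    """Return the ValidityState a ValidateCert handler should set for this host.

    Only a pure name mismatch can be excused, and only for a host the user
    listed; chain errors, or a mix of errors, are never excused here, and
    hosts on the deny list are rejected without a prompt.
    """
    if policy_errors == SslPolicyErrors.NONE:
        return CertificateValidity.DEFAULT
    if hostname in denied:
        return CertificateValidity.FORCE_INVALID
    if (policy_errors == SslPolicyErrors.REMOTE_CERTIFICATE_NAME_MISMATCH
            and hostname in exceptions):
        return CertificateValidity.FORCE_VALID
    return CertificateValidity.DEFAULT


def chain_errors(policy_errors: SslPolicyErrors,
                 chain_status: Optional[List[ChainStatus]]) -> str:
    """Build the numbered '\\n{i} - {StatusInformation}' list that is appended
    when RemoteCertificateChainErrors is set; empty string otherwise."""
    if (not (policy_errors & SslPolicyErrors.REMOTE_CERTIFICATE_CHAIN_ERRORS)
            or chain_status is None):
        return ""
    parts = ["\n"]
    for i, st in enumerate(chain_status):
        parts.append("\n{0} - {1}".format(i, st.status_information))
    return "".join(parts)


def format_alert(session_id: int, expected_cn: str, err_string: str,
                 cert: ServerCertificate, disable_msg: str) -> str:
    """Reproduce the message layout quoted in the thread."""
    return ("Session #{0}: The remote server ({1}) presented {2}\r\n\r\n"
            "SUBJECT: {3}\r\nISSUER: {4}\r\nEXPIRES: {5}\r\n\r\n{6}").format(
        session_id, expected_cn, err_string, cert.subject, cert.issuer,
        cert.expires, disable_msg)


# Constructed sample: the three chain statuses the thread shows for kuix.de.
KUIX_CHAIN = [
    ChainStatus("UntrustedRoot", "A certificate chain processed, but terminated in a "
                "root certificate which is not trusted by the trust provider."),
    ChainStatus("RevocationStatusUnknown", "The revocation function was unable to "
                "check revocation for the certificate."),
    ChainStatus("OfflineRevocation", "The revocation function was unable to check "
                "revocation because the revocation server was offline."),
]
KUIX_CERT = ServerCertificate(
    "CN=kuix.de, O=Test Org with CA true, L=Test Loc, S=Test State, C=DE",
    "CN=Kai's Test CA 2048 sha1, O=Test Org, L=Test Loc, S=Test State, C=DE",
    "9/7/2064 7:36:20 AM")


def kuix_alert_text() -> str:
    """Worked example: the alert text for the kuix.de chain shown above."""
    errs = SslPolicyErrors.REMOTE_CERTIFICATE_CHAIN_ERRORS
    err_string = ("a certificate that did not validate, due to RemoteCertificateChainErrors."
                  + chain_errors(errs, KUIX_CHAIN))
    return format_alert(19082, "kuix.de", err_string, KUIX_CERT,
                        "(This warning can be disabled by clicking Tools | Fiddler Options.)")


if __name__ == "__main__":
    print(decide("www.whitehouse.gov", SslPolicyErrors.REMOTE_CERTIFICATE_NAME_MISMATCH))
    print(kuix_alert_text())
```

The decision function deliberately returns DEFAULT for anything it was not told to excuse or deny, so the built-in prompt still fires for unlisted hosts and for any certificate with chain errors, which keeps the fail-closed behavior the second post recommends.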