Certificate Generation Failure

dean...@bakedbean.org.uk

Jul 19, 2013, 5:58:48 AM
to httpf...@googlegroups.com
Hi,

We're using FiddlerCore to intercept HTTPS requests in our application and we're intermittently getting errors when creating certificates for the interception. Everything starts off fine; Fiddler happily creates certificates for each destination. We then kick off a large number of threads, many accessing the same website, and we start to get the following log output.

2013-07-18 16:04:36.858 [40] [DEBUG] - /Fiddler.CertMaker> Invoking makecert.exe with arguments: -pe -ss my -n "CN=www.example.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com" -sky exchange -in DO_NOT_TRUST_FiddlerRoot -is my -eku 1.3.6.1.5.5.7.3.1 -cy end -a sha1 -m 132 -b 07/17/2012
2013-07-18 16:04:37.061 [40] [DEBUG] - /Fiddler.CertMaker>40-CreateCert(www.example.com) => (-1)
Results from MakeCert.exe -pe -ss my -n "CN=www.example.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com" -sky exchange -in DO_NOT_TRUST_FiddlerRoot -is my -eku 1.3.6.1.5.5.7.3.1 -cy end -a sha1 -m 132 -b 07/17/2012

Error: Fail to acquire a security provider from the issuer's certificate
Failed
-------------------------------------------

2013-07-18 16:04:37.061 [40] [DEBUG] - Fiddler.CertMaker> [MakeCert.exe -pe -ss my -n "CN=www.example.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com" -sky exchange -in DO_NOT_TRUST_FiddlerRoot -is my -eku 1.3.6.1.5.5.7.3.1 -cy end -a sha1 -m 132 -b 07/17/2012] Returned Error: Creation of the interception certificate failed.

makecert.exe returned -1.

Results from MakeCert.exe -pe -ss my -n "CN=www.example.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com" -sky exchange -in DO_NOT_TRUST_FiddlerRoot -is my -eku 1.3.6.1.5.5.7.3.1 -cy end -a sha1 -m 132 -b 07/17/2012

Error: Fail to acquire a security provider from the issuer's certificate
Failed
-------------------------------------------
 
2013-07-18 16:04:37.061 [40] [DEBUG] - !Fiddler.CertMaker> Tried to create cert for www.example.com, but can't find it from thread 40!
2013-07-18 16:04:37.061 [40] [DEBUG] - fiddler.https> Failed to obtain certificate for www.example.com due to Certificate Maker returned null when asked for a certificate for www.example.com

This seems to start happening when two or more threads try to make the same certificate. I've poked around in the source using Reflector, and it looks like certificate creation is enclosed in a writer lock, so I'm struggling to see how there could be a race condition there.

If I try to run this command from the command line it continues to fail, but if I have FiddlerCore re-install the root certificate it magically starts working again! Is there some way that makecert could be corrupting the root certificate?

Any help would be greatly appreciated!

Thanks,
Dean

EricLaw

Jul 19, 2013, 10:52:02 AM
to httpf...@googlegroups.com
Hi, Dean! Can you confirm that you're using the very latest version of the FiddlerCore library? In the current builds, there should only ever be a single outstanding call to create a given certificate; all of the other threads block waiting on creation kicked off by another thread.
 
Do you know if the machine in question has a third-party Cryptographic Service Provider (e.g. Entrust) installed? These are often installed with SmartCard software, and several folks have reported problems with these CSPs.
 
In the near future, the BouncyCastle-based certificate maker will be available for use in FiddlerCore; that generator doesn't use the system's CSPs and should be immune to problems in that area.

dean...@bakedbean.org.uk

Jul 19, 2013, 11:32:11 AM
to httpf...@googlegroups.com
Hi Eric,
We're running 4.4.4.8, which seems to be the latest version on fiddler2.com. It doesn't look like there are any custom CSPs installed:

Name                                                        Type
----                                                        ----
Microsoft Base Cryptographic Provider v1.0                  RSA Full (Signature and Key Exchange)
Microsoft Base DSS and Diffie-Hellman Cryptographic Prov... DSS Signature with Diffie-Hellman Key Exchange
Microsoft Base DSS Cryptographic Provider                   DSS Signature
Microsoft Base Smart Card Crypto Provider                   RSA Full (Signature and Key Exchange)
Microsoft DH SChannel Cryptographic Provider                Diffie-Hellman SChannel
Microsoft Enhanced Cryptographic Provider v1.0              RSA Full (Signature and Key Exchange)
Microsoft Enhanced DSS and Diffie-Hellman Cryptographic ... DSS Signature with Diffie-Hellman Key Exchange
Microsoft Enhanced RSA and AES Cryptographic Provider       RSA Full and AES
Microsoft RSA SChannel Cryptographic Provider               RSA SChannel
Microsoft Strong Cryptographic Provider                     RSA Full (Signature and Key Exchange)

It's good to hear that the certificate maker is being tweaked to mitigate problems like this, although I must admit this is the first time I've come across such an issue.

We're working around the issue right now by wrapping the DefaultCertificateMaker and if it returns null we reinstall the root certificate and re-call the method. It's not nice but it skirts around the problem at the moment.

Thanks!
Dean
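The two checks raised in this thread (Eric's question about third-party CSPs, and Dean's observation that re-installing the root makes makecert work again) can be scripted. The following is an added diagnostic, not code from the thread or from FiddlerCore: it lists every CSP registered in the CryptoAPI provider registry key and flags non-Microsoft ones, then finds the issuer certificate that makecert's "-in DO_NOT_TRUST_FiddlerRoot -is my" arguments refer to and reports which CSP (if any) holds its private key. "Fail to acquire a security provider from the issuer's certificate" is makecert reporting that it could not open a CSP handle for that issuer key, so a root that shows HasPrivateKey = False, or whose key sits in an unexpected provider, is the first thing to look at. The registry path, the root subject name and the use of the Personal store of the current user are assumptions taken from the makecert command line above.

```powershell
# Added diagnostic for the thread above; not part of FiddlerCore.
# Assumes Windows PowerShell (.NET Framework), where X509Certificate2.PrivateKey
# is an RSACryptoServiceProvider exposing CspKeyContainerInfo.
$ErrorActionPreference = 'Stop'

# CryptoAPI provider type constants from wincrypt.h.
$typeNames = @{
    1  = 'PROV_RSA_FULL'
    2  = 'PROV_RSA_SIG'
    3  = 'PROV_DSS'
    12 = 'PROV_RSA_SCHANNEL'
    13 = 'PROV_DSS_DH'
    18 = 'PROV_DH_SCHANNEL'
    24 = 'PROV_RSA_AES'
}

function Get-RegisteredCsp {
    # One object per CSP subkey; ThirdParty flags anything not shipped by Microsoft.
    $key = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider'
    Get-ChildItem -Path $key | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $type  = [int]$props.Type
        [pscustomobject]@{
            Name       = $_.PSChildName
            Type       = if ($typeNames.ContainsKey($type)) { $typeNames[$type] } else { "PROV_$type" }
            ImagePath  = $props.'Image Path'
            ThirdParty = ($_.PSChildName -notlike 'Microsoft *')
        }
    }
}

function Get-FiddlerRootKeyInfo {
    # Locate the issuer makecert is asked to sign with (-in DO_NOT_TRUST_FiddlerRoot -is my)
    # and report where its private key lives. makecert needs a CSP handle to that key.
    $roots = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Subject -like '*CN=DO_NOT_TRUST_FiddlerRoot*' }
    if (-not $roots) {
        return 'No DO_NOT_TRUST_FiddlerRoot certificate in CurrentUser\My'
    }
    foreach ($cert in $roots) {
        $provider  = $null
        $container = $null
        if ($cert.HasPrivateKey) {
            try {
                $key = $cert.PrivateKey
                if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $provider  = $key.CspKeyContainerInfo.ProviderName
                    $container = $key.CspKeyContainerInfo.KeyContainerName
                } else {
                    $provider = 'key not held by a CryptoAPI CSP (or not accessible)'
                }
            } catch {
                # A key that exists but cannot be opened is the symptom makecert reports.
                $provider = "private key present but not loadable: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            Provider      = $provider
            Container     = $container
        }
    }
}

$csps = Get-RegisteredCsp
$csps | Sort-Object -Property @{ Expression = 'ThirdParty'; Descending = $true }, Name |
    Format-Table -AutoSize
$thirdParty = @($csps | Where-Object { $_.ThirdParty })
if ($thirdParty.Count -gt 0) {
    Write-Warning ('Non-Microsoft CSPs registered: ' + (($thirdParty | ForEach-Object { $_.Name }) -join ', '))
}
Get-FiddlerRootKeyInfo | Format-List
```

Run it from the same bitness and user account as the application that hosts FiddlerCore: makecert opens the "my" store of the user it runs as, and on 64-bit Windows a 32-bit process sees the WOW6432Node view of the provider key. If the root shows HasPrivateKey = False while the certificate is present, the interception failures are explained without any race, and re-creating the root (which is what the workaround above does) is the fix rather than a retry.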

EricLaw

Aug 9, 2013, 3:00:34 PM
to httpf...@googlegroups.com
A new version of FiddlerCore (2.4.5.0) with the plugin certificate generator has been released. Learn more at http://fiddler2.com/fiddlercore

thanks!
-Eric