how to dynamically switch the client certificate


yangzhijun

Sep 7, 2011, 7:16:25 PM
to Fiddler
Hi,

I have the following set up:
1. we have a C# test case which calls a RESTful web service using
https protocol. We installed client certificates and at the run time,
we select the certificate to use by searching the thumbprint.
2. To use the fiddler to capture the https traffic, in our code, we
call ServicePointManager.ServerCertificateValidationCallback += new
RemoteCertificateValidationCallback(true);
to allow using the fiddler generated certificate as the server
certificate to avoid the exception.
3. In the function OnBeforeRequest, I try to set the certificate based
on some criteria,
if (oSession.isHTTPS)
{
    if (mystring == "1")
    {
        oSession["https-Client-Certificate"] = "c:\\MyClientCertificate1.cer";
    }
    else
    {
        oSession["https-Client-Certificate"] = "c:\\MyClientCertificate2.cer";
    }
}


The problem is that step 3 doesn't work. Fiddler still tries to use the
one in "%USERPROFILE%\My Documents\Fiddler2\ClientCertificate.cer". If
this file is not there, it prompts to find the file. If this file is
there, Fiddler uses this certificate instead of the one I put in step
3.

Can anybody help on this?

EricLaw

Sep 7, 2011, 10:43:27 PM
to Fiddler
The https-Client-Certificate property needs to be set on the CONNECT
tunnel, not the following HTTPS request that runs inside that tunnel.

If you want to use different client certificates on different requests
to the same server, you need to ensure that the connection established
previously isn't reused after the client certificate was attached to
it. You can close all currently active server connections by calling
FiddlerApplication.oProxy.PurgeServerPipePool(), or on the subsequent
session, you can set oSession.oFlags["X-Bypass-ServerPipe-Reuse-Pool"]
to any string value.

-Eric

Zhijun Yang

Sep 11, 2011, 3:16:48 PM
to EricLaw, Fiddler
Thanks Eric.

I am not sure I understand your answer.

You mentioned CONNECT tunnel. Does that mean you add the certificate before making the web service call? I did that. But Fiddler ignores any certificate attached and instead looks for the certificate from "%USERPROFILE%\My Documents\Fiddler2\ClientCertificate.cer" only. The script below has no effect.
My test calls one web method using one cert, then uses a second cert to call the second web method. If Fiddler is running, Fiddler will intercept all the web method calls and use its own cert and ignore whatever certs my code attached.

Thanks,
Patrick Yang




yangzhijun

Sep 16, 2011, 2:37:08 AM
to Fiddler
Can anybody answer my question?

EricLaw

Sep 16, 2011, 10:15:17 AM
to Fiddler
Fiddler isn't able to "ignore any certificate attached." If you've
correctly specified the certificate on the CONNECT tunnel, Fiddler
will use it and will not prompt you for another one.

What does your code currently look like?

yangzhijun

Sep 16, 2011, 4:43:45 PM
to Fiddler
In the default fiddler script, I see the following line in the
OnBeforeRequest method:

if (oSession.isHTTPS)
{
    oSession["https-Client-Certificate"] = "%USERPROFILE%\My Documents\Fiddler2\ClientCertificate.cer";
}

According to the Fiddler FAQ, this will make Fiddler use the
specified cert. You could change the file name here to use another
certificate. But it actually has no effect. Can you please explain
what the purpose of this line is and how I could achieve my purpose (to
use a different file here)?

Thanks,
Patrick Yang

yangzhijun

Sep 20, 2011, 4:17:39 PM
to Fiddler
Hi Eric,

Can you shed some light on this?

Thanks,
Patrick Yang

EricLaw

Sep 20, 2011, 5:43:11 PM
to Fiddler
Fiddler's default script doesn't contain the line in question. I'm not
sure whether you're suggesting that you've added it?

The IsHTTPS property isn't True on the CONNECT tunnel, if that's what
you were hoping.

You could instead do something like:

if (oSession.HTTPMethodIs("CONNECT")) {
    // This is a CONNECT tunnel, which means it's either a HTTPS tunnel or
    // a HTML5 WebSocket tunnel
}
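One way to combine the two replies above in FiddlerScript (JScript.NET, inside class Handlers in CustomRules.js). This is an added example, not code from the thread or from Fiddler's documentation; the host names, certificate paths, the `PickClientCert` helper and the `g_sLastCert` field are hypothetical.

```jscript
// Added example; host names and .cer paths below are placeholders.

// Hypothetical field: remembers which certificate the last tunnel used.
static var g_sLastCert: String = "";

// Hypothetical helper: choose a client certificate file from the tunnel's
// target host. Returns "" when no override applies, in which case Fiddler
// falls back to its default ClientCertificate.cer lookup.
static function PickClientCert(oSession: Session): String {
    if (oSession.HostnameIs("service-a.example.test")) {
        return "C:\\certs\\ClientCertA.cer";
    }
    if (oSession.HostnameIs("service-b.example.test")) {
        return "C:\\certs\\ClientCertB.cer";
    }
    return "";
}

static function OnBeforeRequest(oSession: Session) {
    // isHTTPS is not true on the CONNECT tunnel, so test the method instead.
    if (oSession.HTTPMethodIs("CONNECT")) {
        var sCert: String = PickClientCert(oSession);

        // When the choice changes, close the pooled server connections so
        // that one already carrying the previous client certificate is
        // not reused.
        if (sCert != g_sLastCert) {
            FiddlerApplication.oProxy.PurgeServerPipePool();
            g_sLastCert = sCert;
        }

        // The property must be set on the tunnel session itself.
        if (sCert != "") {
            oSession["https-Client-Certificate"] = sCert;
        }
    }
}
```

The selection runs only when a new CONNECT tunnel is opened, and only the target host and port are visible on a CONNECT request, so the criteria for choosing a certificate have to be known at that point.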

yangzhijun

Sep 20, 2011, 7:17:53 PM
to Fiddler
Thanks Eric.

I think I add that code based on the following Help instructions:

Can you reply to the following question:

I found the following from this site: http://www.fiddler2.com/Fiddler/help/httpsclientcerts.asp

Selection of Client Certificate
If a .CER file has been specified for a given session as follows:
oSession["https-Client-Certificate"] = "C:\\test\\someCert.cer";
...then Fiddler will simply use that certificate for the current
session.
Otherwise, Fiddler will look for the file
%USERPROFILE%\My Documents\Fiddler2\ClientCertificate.cer and attach that certificate.

My question is how to specify this line oSession["https-Client-Certificate"] = "C:\\test\\someCert.cer";?
It seems Fiddler always tries to find the cert from %USERPROFILE%\My
Documents\Fiddler2\ClientCertificate.cer

Thanks,
Patrick Yang