Another certificate creation error and HTTPS doesn't work


Sly

Aug 9, 2009, 2:57:52 AM
to Fiddler
1. After deleting the DO_NOT_TRUST* certificates, the first time I try
to go to an SSL page, I get a certificate creation error:

---------------------------
Unable to Generate Certificate
---------------------------
Creation of the interception certificate failed.

makecert.exe returned -1.

Results from C:\Program Files\Fiddler2\MakeCert.exe -pe -ss my -n
"CN=www.comsec.com.au, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com"
-sky exchange -in DO_NOT_TRUST_FiddlerRoot -is my -eku
1.3.6.1.5.5.7.3.1 -cy end -a sha1

Error: Save encoded certificate to store failed => 0x4c8 (1224)

Failed
-------------------------------------------

2. Actual certificates are created (visible in the MMC certificates
snap-in).

3. If I try to go to the same site again, the raw request reported in
Fiddler has Protocol = "HTTP" (not HTTPS). The request does not work
and the browser (Firefox) reports "Data Transfer Interrupted".

-------------------------------------------
CONNECT www.comsec.com.au:443 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13 (.NET CLR 3.5.30729)
Proxy-Connection: keep-alive
Host: www.comsec.com.au
-------------------------------------------

The response is:

-------------------------------------------
HTTP/1.1 200 DecryptTunnel Established
Timestamp: 16:44:09:1866
FiddlerGateway: Direct

This is a HTTPS CONNECT Tunnel. Secure traffic flows through this
connection.

Secure Protocol: Tls
Cipher: Rc4 128bits
Hash Algorithm: Md5 128bits
Key Exchange: RsaKeyX 1024bits

== Client Certificate ==========
None.

== Server Certificate ==========
[Subject]
CN=www.comsec.com.au, OU=e-Business, O=Commonwealth Securities
Limited, STREET=L 18 363 GEORGE ST, L=Sydney, S=NSW, PostalCode=2000,
C=AU, SERIALNUMBER=067 254 399, OID.2.5.4.15="V1.0, Clause 5.(b)", OID.
1.3.6.1.4.1.311.60.2.1.1=., OID.1.3.6.1.4.1.311.60.2.1.2=., OID.
1.3.6.1.4.1.311.60.2.1.3=AU
... (etc)
-------------------------------------------

EricLaw

Aug 9, 2009, 6:00:55 PM
to Fiddler
It sounds like the certificates aren't being properly generated, which
means that Fiddler isn't properly able to use them. I'm afraid that I
don't know of good options for troubleshooting MakeCert errors, as
it's not my code and I know little about how it works.

Can you try the latest alpha? http://www.fiddler2.com/dl/fiddler2alphasetup.exe

It includes the latest makecert.exe from the Win7 SDK.

Fiddler always shows the protocol for CONNECT tunnels as "HTTP"
because the tunnels *are* using HTTP. It's the HTTPS traffic that is
sent through the tunnel after it's established.

On Aug 8, 11:57 pm, Sly <s...@gamertheory.net> wrote:
> 1. After deleting the DO_NOT_TRUST* certificates, the first time I try
> to go to an SSL page, I get a certificate creation error:
>
> ---------------------------
> Unable to Generate Certificate
> ---------------------------
> Creation of the interception certificate failed.
>
> makecert.exe returned -1.
>
> Results from C:\Program Files\Fiddler2\MakeCert.exe -pe -ss my -n
> "CN=www.comsec.com.au, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com"

Scott Rankin

Aug 11, 2009, 2:58:51 PM
to Fiddler
I'm not sure that it's related to the certificate generation, because
at least for me, I'm no longer getting the MakeCert errors with the
last couple of alpha builds. And I have the same experience as Sly,
because the HTTP CONNECT to establish the tunnel returns a 200. But
then it's as if the browser can't make any requests through the
tunnel.

What sort of information would be helpful for you, Eric, to help
diagnose this? Would some sort of WireShark traffic logs be useful?
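
Added example, not part of the original thread or of Fiddler's code: one way to read a client-to-proxy capture for the situation discussed above, separating the plaintext HTTP CONNECT request from whatever the browser sends inside the tunnel after the 200. The function names and the sample bytes are constructed for illustration; the TLS record bodies are placeholders, not a real handshake.

```python
import struct

# TLS record content types (first byte of every TLS record).
RECORD_TYPES = {20: "change_cipher_spec", 21: "alert",
                22: "handshake", 23: "application_data"}

# Constructed sample of one client->proxy TCP stream: the CONNECT request
# from the thread, then two TLS records with placeholder bodies:
# a handshake record (5 bytes) and a plaintext alert record (2 bytes).
SAMPLE = (
    b"CONNECT www.comsec.com.au:443 HTTP/1.1\r\n"
    b"Proxy-Connection: keep-alive\r\n"
    b"Host: www.comsec.com.au\r\n\r\n"
    + bytes([22, 3, 1, 0, 5, 1, 0, 0, 1, 3])   # handshake, TLS 1.0
    + bytes([21, 3, 1, 0, 2, 2, 42])           # fatal alert 42 (bad_certificate)
)


def split_tunnel(stream: bytes):
    """Return ((host, port), tunnelled_bytes) for a client->proxy stream."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP header block")
    request_line = head.split(b"\r\n", 1)[0].decode("ascii")
    method, target, _version = request_line.split(" ")
    if method != "CONNECT":
        raise ValueError("not a CONNECT request: " + method)
    host, _, port = target.rpartition(":")
    return (host, int(port)), rest


def tls_records(payload: bytes):
    """List (type_name, length) for each TLS record header in payload.

    An empty list means the bytes inside the tunnel do not start with a
    TLS record (nothing was sent, or the client sent something else).
    """
    found, pos = [], 0
    while pos + 5 <= len(payload):
        ctype, major, _minor, length = struct.unpack("!BBBH", payload[pos:pos + 5])
        if ctype not in RECORD_TYPES or major != 3:
            break
        found.append((RECORD_TYPES[ctype], length))
        pos += 5 + length  # a truncated final record simply ends the walk
    return found


if __name__ == "__main__":
    target, inner = split_tunnel(SAMPLE)
    print(target, tls_records(inner))
```

Everything up to the blank line is ordinary HTTP, which is why the session is listed as "HTTP"; the record list shows whether the client ever started TLS inside the tunnel and whether it sent a plaintext alert afterwards.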