Unplanned
Last Updated: 29 Jul 2019 08:56 by ADMIN
Imported User
Created on: 10 Jul 2018 16:06
Type: Feature Request
3
Not including all SANs when generating certificate
When Fiddler generates a certificate based on the original server certificate (using oSession["X-UseCertCNFromServer"]), it doesn't include all ServerAltNames from the original certificate.
2 comments
Michael
Posted on: 19 Jul 2019 16:26

I am an Exchange admin supporting many different environments.  One type of test I have not been able to achieve is the Outlook 2010 autoconfig and login to O365 Exchange Online.  If I use Fiddler, it is causing Outlook 2010 to throw an error about a certificate issue.  The error is logged in the Event Viewer on the workstation as follows:

The connect is made in all cases.
The Outlook 2010 client does not send this POST on the workstation that fails.
Instead, it pops up the certificate error.
The site it is connecting to is outlook.office365.com so Fiddler is using its copy of the *.office365.com Man-in-the-middle certificate.
However, the servername in the request appears to be outlook.com which is a name that is NOT in the Fiddler certificate.
 
Outlook 2010
POST https://outlook.office365.com/mapi/nspi/?MailboxId=160667e8-4ab0-4538-aa01-c4d7b7411ab0@hallmark.com HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/mapi-http
Accept: application/mapi-http
User-Agent: Microsoft Office/14.0 (Windows NT 6.2; Microsoft Outlook 14.0.7232; Pro)
X-ClientApplication: Outlook/14.0.7160.5000
X-ClientInfo: {4E9EEAEB-A3B0-4887-97B7-349520A14205}:8
X-RequestId: {5E0E6D7A-FECE-4BDB-9862-1EA4A0FB37CC}:2
X-RequestType: Bind
Content-Length: 45
Host: outlook.office365.com
Outlook 2016
POST https://outlook.office365.com/mapi/nspi/?MailboxId=160667e8-4ab0-4538-aa01-c4d7b7411ab0@hallmark.com HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/mapi-http
Accept: application/mapi-http
Authorization: Bearer
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.10730; Pro)
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
Client-Request-Id: {8D6A8ABC-4132-48A6-B0A0-E47AE7705D64}
X-User-Identity: ADMNMSGSPRTMMINT@hallmark.com
X-ClientApplication: Outlook/16.0.10730.20344
X-ClientInfo: {7AD54975-5BD7-456C-90FF-29A99476190D}:54920011
X-RequestId: {A69DCEC7-9688-4953-A63C-CB091F138B6B}:2
X-RequestType: Bind
Content-Length: 45
Host: outlook.office365.com
 

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" />
    <EventID>30</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>30</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000001</Keywords>
    <TimeCreated SystemTime="2019-07-19T15:58:48.276790800Z" />
    <EventRecordID>7343</EventRecordID>
    <Correlation />
    <Execution ProcessID="5020" ThreadID="6008" />
    <Channel>Microsoft-Windows-CAPI2/Operational</Channel>
    <Computer>--redacted--</Computer>
    <Security UserID="S-1-5-21-1972130769-602808571-1672037986-778200" />
  </System>
  <UserData>
    <CertVerifyCertificateChainPolicy>
      <Policy type="CERT_CHAIN_POLICY_SSL" constant="4" />
      <Certificate fileRef="8CFC8A6EA5892FF0D96775887A68C7030368E707.cer" subjectName="outlook.office365.com" />
      <CertificateChain chainRef="{C7EB41F7-F707-4338-ABC7-18254291B8E5}" />
      <Flags value="0" />
      <SSLAdditionalPolicyInfo authType="server" serverName="outlook.com">
        <IgnoreFlags value="0" />
      </SSLAdditionalPolicyInfo>
      <Status chainIndex="0" elementIndex="0" />
      <EventAuxInfo ProcessName="OUTLOOK.EXE" />
      <CorrelationAuxInfo TaskId="{89928356-7A0D-41BB-8D12-5CA1868A9609}" SeqNumber="1" />
      <Result value="800B010F">The certificate's CN name does not match the passed value.</Result>
    </CertVerifyCertificateChainPolicy>
  </UserData>
</Event>

The reason seems to be that the Microsoft certificate contains SANs for the following:

HTTP/1.0 200 Connection established
Encrypted HTTPS traffic flows through this CONNECT tunnel. HTTPS Decryption is enabled in Fiddler, so decrypted sessions running in this tunnel will be shown in the Web Sessions list.
Secure Protocol: Tls12
Cipher: Aes256 256bits
Hash Algorithm: Sha384 ?bits
Key Exchange: ECDHE_RSA (0xae06) 256bits
== Server Certificate ==========
[Subject]
  CN=outlook.com, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
[Issuer]
  CN=DigiCert Cloud Services CA-1, O=DigiCert Inc, C=US
[Serial Number]
  0A482808DEBCA410920F876A6305A1E9
[Not Before]
  11/17/2018 6:00:00 PM
[Not After]
  11/18/2020 6:00:00 AM
[Thumbprint]
  05B8364C33E5637EFD88E0A3B87E7DCF6F8DD0D4

[SubjectAltNames]
*.internal.outlook.com, *.outlook.com, outlook.com, office365.com, *.office365.com, *.outlook.office365.com, *.office.com, outlook.office.com, substrate.office.com, attachment.outlook.live.net, attachment.outlook.office.net, attachment.outlook.officeppe.net, attachments.office.net, *.clo.footprintdns.com, *.nrb.footprintdns.com, ccs.login.microsoftonline.com, ccs-sdf.login.microsoftonline.com, substrate-sdf.office.com, attachments-sdf.office.net, *.live.com, mail.services.live.com, hotmail.com, *.hotmail.com

----------------------------------------------------------------

As a workaround: 

Would it be possible to use makecert on the workstation to generate this certificate and replace the default one that Fiddler generated?

 

Thanks,

Michael Minter 
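The name check that yields the 0x800B010F result in the CAPI2 event above, as an added example that is not Fiddler's code or anything posted in this thread. The two name lists are constructed from the comment (a subset of the real certificate's SANs, and a proxy certificate carrying only the *.office365.com name it mentions), and the matching rules follow RFC 6125 rather than CAPI2's exact implementation.

```python
"""Why a proxy certificate that drops the server's SANs fails the SSL server-name
check with CERT_E_CN_NO_MATCH, while the original certificate passes it."""

CERT_E_CN_NO_MATCH = 0x800B010F  # result code quoted in the CAPI2 event above

# Constructed: a subset of the SAN list shown for the real outlook.com certificate.
REAL_CERT_NAMES = [
    "outlook.com", "*.outlook.com", "*.office365.com",
    "*.outlook.office365.com", "outlook.office.com", "hotmail.com",
]
# Constructed: the proxy certificate as described in the comment, carrying only
# the single wildcard name and none of the other SANs.
PROXY_CERT_NAMES = ["*.office365.com"]


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style dNSName matching: case-insensitive, '*' allowed only as the
    entire left-most label and matching exactly one label, so *.office365.com
    covers outlook.office365.com but neither office365.com nor a.b.office365.com."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse wildcards such as "*.com" that would cover a whole public suffix.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False  # partial-label wildcards (out*.com) are not accepted
    return p_labels == h_labels


def verify_server_name(cert_names, server_name: str) -> int:
    """Return 0 when server_name is covered by the certificate's names,
    otherwise CERT_E_CN_NO_MATCH, mirroring the event's Result value."""
    if any(name_matches(n, server_name) for n in cert_names):
        return 0
    return CERT_E_CN_NO_MATCH


def explain_outlook_failure() -> dict:
    """Reproduce the thread's observation: Outlook validates the certificate it
    received for outlook.office365.com against serverName 'outlook.com', a name
    only the real certificate's SAN list covers."""
    return {
        "real_cert/outlook.office365.com": verify_server_name(REAL_CERT_NAMES, "outlook.office365.com"),
        "real_cert/outlook.com": verify_server_name(REAL_CERT_NAMES, "outlook.com"),
        "proxy_cert/outlook.office365.com": verify_server_name(PROXY_CERT_NAMES, "outlook.office365.com"),
        "proxy_cert/outlook.com": verify_server_name(PROXY_CERT_NAMES, "outlook.com"),
    }


if __name__ == "__main__":
    for key, code in explain_outlook_failure().items():
        print(f"{key}: {'OK' if code == 0 else f'0x{code:08X} CERT_E_CN_NO_MATCH'}")
```

Copying every SAN from the original certificate onto the generated one, as the request asks, is what makes the last lookup succeed.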

Eric
Posted on: 12 Jul 2018 05:00
This is a great bug-- valid, relatively easy to fix, and without a good workaround. See https://groups.google.com/forum/#!topic/httpfiddler/I5TQosfeFow for discussion.