Not including all SANs when generating certificate
When Fiddler generates a certificate based on the original server certificate (using oSession["X-UseCertCNFromServer"]), it doesn't include all ServerAltNames from the original certificate.
2 comments
Michael
Posted on: 19 Jul 2019 16:26
I am an Exchange admin supporting many different environments. One type of test I have not been able to achieve is the Outlook 2010 autoconfig and login to O365 Exchange Online. If I use Fiddler, it is causing Outlook 2010 to throw an error about a certificate issue. The error is logged in the Event Viewer on the workstation as follows:
The connect is made in all cases. The Outlook 2010 client does not send this POST on the workstation that fails. Instead, it pops up the certificate error. The site it is connecting to is outlook.office365.com, so Fiddler is using its copy of the *.office365.com man-in-the-middle certificate. However, the server name in the request appears to be outlook.com, which is a name that is NOT in the Fiddler certificate.
Outlook 2010
POST https://outlook.office365.com/mapi/nspi/?MailboxId=160667e8-4ab0-4538-aa01-c4d7b7411ab0@hallmark.com HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/mapi-http
Accept: application/mapi-http
User-Agent: Microsoft Office/14.0 (Windows NT 6.2; Microsoft Outlook 14.0.7232; Pro)
X-ClientApplication: Outlook/14.0.7160.5000
X-ClientInfo: {4E9EEAEB-A3B0-4887-97B7-349520A14205}:8
X-RequestId: {5E0E6D7A-FECE-4BDB-9862-1EA4A0FB37CC}:2
X-RequestType: Bind
Content-Length: 45
Host: outlook.office365.com

Outlook 2016
POST https://outlook.office365.com/mapi/nspi/?MailboxId=160667e8-4ab0-4538-aa01-c4d7b7411ab0@hallmark.com HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/mapi-http
Accept: application/mapi-http
Authorization: Bearer
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.10730; Pro)
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
Client-Request-Id: {8D6A8ABC-4132-48A6-B0A0-E47AE7705D64}
X-User-Identity: ADMNMSGSPRTMMINT@hallmark.com
X-ClientApplication: Outlook/16.0.10730.20344
X-ClientInfo: {7AD54975-5BD7-456C-90FF-29A99476190D}:54920011
X-RequestId: {A69DCEC7-9688-4953-A63C-CB091F138B6B}:2
X-RequestType: Bind
Content-Length: 45
Host: outlook.office365.com
The reason seems to be that the Microsoft certificate contains SANs for the following:
HTTP/1.0 200 Connection established
Encrypted HTTPS traffic flows through this CONNECT tunnel. HTTPS Decryption is enabled in Fiddler, so decrypted sessions running in this tunnel will be shown in the Web Sessions list.
Would it be possible to use makecert on the workstation to generate this certificate and replace the default one that Fiddler generated?
Thanks,
Michael Minter
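The check behind both the bug report and Michael's case, as an added example that is not Fiddler's code or anything from the thread: given the SAN list of the original server certificate and the SAN list of the proxy-generated certificate, report which names were dropped, and test whether each hostname a client may present (outlook.office365.com, outlook.com) is covered under the usual wildcard rule, where "*" must be the entire leftmost label and matches exactly one label. The SAN lists below are constructed sample data, not the real outlook.office365.com certificate, and the function names are this example's own.

```python
"""Detect SANs dropped by a proxy-generated certificate (added example).

Not Fiddler's code. The SAN lists here are constructed sample data and do
not reflect the real Microsoft certificate.
"""
from __future__ import annotations


def _normalize(name: str) -> str:
    """Lower-case a DNS name and drop a trailing dot, as comparisons are case-insensitive."""
    return name.lower().rstrip(".")


def hostname_matches(hostname: str, san: str) -> bool:
    """Return True if one dNSName SAN entry covers hostname.

    Wildcard handling follows common client practice (RFC 6125 style):
    the wildcard must be the whole leftmost label, it matches exactly one
    label (never across a dot), and a pattern with fewer than three labels
    such as "*.com" is rejected.
    """
    host = _normalize(hostname)
    pattern = _normalize(san)
    if "*" not in pattern:
        return host == pattern
    labels = pattern.split(".")
    if labels[0] != "*" or len(labels) < 3 or any("*" in lab for lab in labels[1:]):
        return False
    host_labels = host.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def cert_covers(hostname: str, sans: list[str]) -> bool:
    """True if any SAN entry in the certificate covers the hostname."""
    return any(hostname_matches(hostname, san) for san in sans)


def missing_sans(original_sans: list[str], generated_sans: list[str]) -> set[str]:
    """SAN entries present on the original certificate but absent from the generated one."""
    return {_normalize(n) for n in original_sans} - {_normalize(n) for n in generated_sans}


def uncovered_hostnames(hostnames: list[str], sans: list[str]) -> list[str]:
    """Hostnames a client might present that the generated certificate would fail for."""
    return [h for h in hostnames if not cert_covers(h, sans)]


# Constructed sample SAN lists (illustrative only, not the real certificate).
ORIGINAL_SANS = [
    "outlook.office365.com",
    "*.office365.com",
    "outlook.com",
    "*.outlook.com",
    "outlook.office.com",
]
# A generated certificate that copied only the CN and its wildcard sibling.
GENERATED_SANS = ["outlook.office365.com", "*.office365.com"]

if __name__ == "__main__":
    print("dropped SANs:", sorted(missing_sans(ORIGINAL_SANS, GENERATED_SANS)))
    print("uncovered  :", uncovered_hostnames(["outlook.office365.com", "outlook.com"], GENERATED_SANS))
```

Run it against the SAN lists of the two certificates you actually see (the original from the server, the generated one from the Fiddler root store); a non-empty "dropped SANs" set is the condition this report describes, and "uncovered" lists the names a client could legitimately present that would trigger the certificate warning Michael observed.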
Eric
Posted on: 12 Jul 2018 05:00
This is a great bug-- valid, relatively easy to fix, and without a good workaround. See https://groups.google.com/forum/#!topic/httpfiddler/I5TQosfeFow for discussion.