Last Updated: 03 Dec 2022 04:14 by Eric
Created on: 29 Nov 2022 19:57
Type: Bug Report
Fiddler HOSTS tool fails to correctly override cert behavior

As noted in the Fiddler book,

Sessions rerouted from one hostname to another using the Host Remapping tool are rendered with a light blue background in the Web Sessions list. HTTPS Sessions that have been rerouted have the X-IgnoreCertCNMismatch and X-OverrideCertCN Session Flags set to avoid raising “Certificate Name Mismatch” errors.

However, there's a bug. In the HostsFile.cs code, there are several places that look like this:

            if (oS.isTunnel) {
                // Suppress the "Certificate Name Mismatch" warning for the remapped hostname
                oS["x-overrideCertCN"] = oS.hostname;
                oS["X-IgnoreCertCNMismatch"] = "HOSTS-Ext";
            }

This usually works for browser traffic going through Fiddler, because the HTTPS handshake is typically conducted on the CONNECT tunnel. However, it doesn't work (and the user is spammed with certificate error warnings) if the traffic is sent from Fiddler itself (e.g. via Composer or using the "Reissue requests" context menu item), because those requests are not carried by a CONNECT tunnel, so isTunnel is false and the flags are never set.

The code should look like this:

            if (oS.isHTTPS || oS.isTunnel) {
                // Also covers HTTPS requests issued directly by Fiddler (Composer, Reissue)
                oS["x-overrideCertCN"] = oS.hostname;
                oS["X-IgnoreCertCNMismatch"] = "HOSTS-Ext";
            }
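As an added illustration (not Fiddler's or the HOSTS extension's own code; Session here is a stub standing in for Fiddler's class, with only the members the snippet above uses), the original and fixed predicates applied to the three session kinds the report describes; only the fixed one marks a Composer-issued HTTPS request, and plain HTTP stays untouched under both:

```csharp
// Added example, not Fiddler's or the HOSTS extension's own code. Session is a
// stand-in stub with just the members the HostsFile.cs snippet above touches.
using System;
using System.Collections.Generic;

class Session {
    public bool isHTTPS;    // request uses HTTPS
    public bool isTunnel;   // session is the CONNECT tunnel itself
    public string hostname;
    readonly Dictionary<string, string> flags = new Dictionary<string, string>();
    // Mimics Fiddler's oS["flag"] indexer; null when a flag was never set.
    public string this[string key] {
        get => flags.TryGetValue(key, out var v) ? v : null;
        set => flags[key] = value;
    }
}

static class HostsOverride {
    // Predicate in the shipped extension: only CONNECT tunnels qualify.
    public static bool Original(Session oS) => oS.isTunnel;
    // Predicate from the proposed fix: direct HTTPS requests qualify too.
    public static bool Fixed(Session oS) => oS.isHTTPS || oS.isTunnel;

    // Same body as the extension's remap block, parameterised on the predicate.
    public static void Apply(Session oS, Func<Session, bool> shouldOverride) {
        if (shouldOverride(oS)) {
            oS["x-overrideCertCN"] = oS.hostname;
            oS["X-IgnoreCertCNMismatch"] = "HOSTS-Ext";
        }
    }
}

static class Program {
    static void Main() {
        // Constructed sessions for the three kinds the report discusses.
        var kinds = new[] {
            ("browser CONNECT tunnel", true,  true),
            ("Composer HTTPS request", true,  false),  // the failing case
            ("plain HTTP request",     false, false),  // must stay untouched
        };
        foreach (var (label, https, tunnel) in kinds) {
            var before = new Session { isHTTPS = https, isTunnel = tunnel, hostname = "example.test" };
            var after  = new Session { isHTTPS = https, isTunnel = tunnel, hostname = "example.test" };
            HostsOverride.Apply(before, HostsOverride.Original);
            HostsOverride.Apply(after, HostsOverride.Fixed);
            Console.WriteLine($"{label,-24} original: {before["X-IgnoreCertCNMismatch"] ?? "(none)",-10} fixed: {after["X-IgnoreCertCNMismatch"] ?? "(none)"}");
        }
    }
}
```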


Posted on: 03 Dec 2022 04:14
Fix looks good to me, thanks for the fast turnaround!
Stoyan Stratev
Posted on: 30 Nov 2022 12:55

Hi Eric,

Thanks for the report! We will log this and fix it in a future Fiddler Classic release. For now, I have compiled a new build of the Filter extension with the changes if you wish to test it in the current release (extract the attached files in %localappdata%\Programs\Fiddler\Scripts).

Attached Files: