Fiddler Ideas

The free web debugging proxy for any browser, system or platform.

If user requests HTTPS decryption but Fiddler intercept fails then don't allow the transfer

I recently tried to change the cert generator of Fiddler on a machine where there must have been some access control policy or something because I couldn't add a root certificate to the trusted root store and Fiddler couldn't create certificates. In Fiddler I saw this:

17:29:23:8243 DefaultCertMaker: GetRootCertificate() did not find the root in the Windows TrustStore.
17:29:23:8273 DefaultCertMaker: GetRootCertificate() did not find the root in the Windows TrustStore.
17:29:23:8293 /Fiddler.CertMaker> Invoking CertEnroll for Subject: CN=DO_NOT_TRUST_FiddlerRoot, O=DO_NOT_TRUST, OU=Created by; Thread's ApartmentState: MTA
17:29:24:0083 !ERROR: Failed to generate Certificate using CertEnroll. System.Reflection.TargetInvocationException Exception has been thrown by the target of an invocation. < CertEnroll::CX509CertificateRequestCertificate::Encode: An internal error occurred. 0x80090020 (-2146893792)

The blame is very likely on my end but Fiddler's behavior I think was troubling because it allowed HTTPS connections to continue without decrypting or intercepting the contents even though 'Decrypt HTTPS traffic' was checked. If the user has specified traffic interception but Fiddler is unable to do it then I think the connection should be stopped before the transfer can start.

Also the error message box kept popping under my windows instead of on top which was annoying. A screenshot of it is attached. I installed the Bouncy Castle alt certmaker (fiddlercertmaker 20170915.exe) and either that or something else I did (?) worked because Fiddler is working now.

v5.0.20181.14850 for .NET 4.6.1
Built: Tuesday, March 20, 2018

  • Guest
  • Apr 21 2018
  • Under review
  • Attach files
  • Guest commented
    23 Apr, 2018 08:30pm

    Thanks Eric I will investigate. The rest of you guys take the test comments to your testing thread FID-I-333 and stop f--king up my issue.

  • msat linux commented
    23 Apr, 2018 08:55am


  • msat linux commented
    23 Apr, 2018 08:55am


  • Guest commented
    23 Apr, 2018 06:32am


  • msat linux commented
    23 Apr, 2018 06:24am


  • msat linux commented
    23 Apr, 2018 06:23am


  • Eric Lawrence commented
    23 Apr, 2018 02:07am

    That you describe automatic fallback as "troubling" implies that you may be using Fiddler for a scenario for which it is not designed. In general, Fiddler is designed to avoid interfering with Web Traffic as a P0 goal.

    Telerik might consider adding a preference for this (blocking fallback to a blind tunnel if certificate generation fails) or you could likely mimic such a block with a FiddlerScript rule.