Question

I want to verify that the certificate issued by the server is valid and alert the user to choose if it cannot be verified. Presently it seems all certificates are accepted by Fiddler without alerting the user. Is there a mechanism to do this? Perhaps in the following code, as found in the FiddlerCore sample project. I want to alert the user for self-signed certificates with an untrusted root.

    using System;
    using Fiddler;

    // Handler from the FiddlerCore sample: logs each server certificate and
    // force-accepts any whose Subject contains "fiddler2.com".
    static void CheckCert(object sender, ValidateServerCertificateEventArgs e)
    {
        if (null != e.ServerCertificate)
        {
            Console.WriteLine("Certificate for " + e.ExpectedCN + " was for site " + e.ServerCertificate.Subject + " and errors were " + e.CertificatePolicyErrors.ToString());

            if (e.ServerCertificate.Subject.Contains("fiddler2.com"))
            {
                Console.WriteLine("Got a certificate for fiddler2.com. We'll say this is also good for any other site, like https://fiddlertool.com.");
                // Demo only: ForceValid overrides every chain and name error, so this
                // accepts any certificate whose Subject contains the string above.
                e.ValidityState = CertificateValidity.ForceValid;
            }
        }
    }

Solution

By default, FiddlerCore will validate that the remote certificate is part of a trusted chain unless you set Fiddler.CONFIG.IgnoreServerCertErrors = true;

However, that means that a self-signed certificate would get rejected by FiddlerCore, and since FiddlerCore doesn't show UI to allow the user to override, that's a problem.

The way to fix this is to implement the certificate validation event handler: FiddlerApplication.OnValidateServerCertificate += new System.EventHandler<ValidateServerCertificateEventArgs>(CheckCert);

Inside the handler, you'd do something like this:

    using System.Net.Security;
    using System.Windows.Forms;
    using Fiddler;

    private void CheckCert(object sender, ValidateServerCertificateEventArgs e)
    {
        // The certificate chains to a trusted root and matches the host: nothing to do.
        if (SslPolicyErrors.None == e.CertificatePolicyErrors)
        {
            return;
        }

        // Otherwise ask the user. Button2 ("No") is the default, so Enter does not accept.
        DialogResult oResult = MessageBox.Show("Accept invalid certificate\nYOUR DETAILS HERE", "Certificate Warning", MessageBoxButtons.YesNo, MessageBoxIcon.Question, MessageBoxDefaultButton.Button2);

        if (DialogResult.Yes == oResult)
        {
            e.ValidityState = CertificateValidity.ForceValid;
        }
        else
        {
            e.ValidityState = CertificateValidity.ForceInvalid;
        }
    }

You'd typically also want to cache the user's choice to avoid prompting them on every connection.

See http://fiddler2.com/blog/blog/2013/01/03/evaluating-certificates-in-fiddler-and-fiddlercore for much more detail, including a full example.
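A fuller version of the handler the answer describes, added here as an example; it is not the answer's code or FiddlerCore's own. It puts the policy-error check, the prompt and the cached decision in one class. `CertPrompt`, the `decisions` dictionary and the cache-key format are my own names; the only FiddlerCore members it uses are the ones already shown on this page (`CONFIG.IgnoreServerCertErrors`, `FiddlerApplication.OnValidateServerCertificate`, `ExpectedCN`, `ServerCertificate`, `CertificatePolicyErrors`, `ValidityState`), plus the standard `X509Certificate` thumbprint accessor.

```csharp
using System;
using System.Collections.Concurrent;
using System.Net.Security;
using System.Windows.Forms;
using Fiddler;

// Added example (hypothetical helper class, not part of FiddlerCore).
static class CertPrompt
{
    // Cache key = expected host + certificate thumbprint. Keying on the host
    // alone would let one accepted self-signed certificate silently approve a
    // different certificate presented later for the same host.
    private static readonly ConcurrentDictionary<string, bool> decisions =
        new ConcurrentDictionary<string, bool>(StringComparer.OrdinalIgnoreCase);

    public static void Register()
    {
        // Keep FiddlerCore's chain validation on; we only override per decision.
        CONFIG.IgnoreServerCertErrors = false;
        FiddlerApplication.OnValidateServerCertificate += CheckCert;
    }

    private static void CheckCert(object sender, ValidateServerCertificateEventArgs e)
    {
        // Trusted chain and matching name: leave the default (valid) state alone.
        if (e.CertificatePolicyErrors == SslPolicyErrors.None)
        {
            return;
        }

        // Errors reported but no certificate to show the user: never accept blindly.
        if (e.ServerCertificate == null)
        {
            e.ValidityState = CertificateValidity.ForceInvalid;
            return;
        }

        // SHA-1 thumbprint, the same identifier browsers display for a certificate.
        string thumbprint = e.ServerCertificate.GetCertHashString();
        string key = e.ExpectedCN + "|" + thumbprint;

        bool accept;
        if (!decisions.TryGetValue(key, out accept))
        {
            // Show enough for the user to spot a name mismatch or an unexpected issuer.
            string details = string.Format(
                "Host: {0}\nSubject: {1}\nIssuer: {2}\nThumbprint (SHA-1): {3}\nErrors: {4}\n\nAccept this certificate?",
                e.ExpectedCN,
                e.ServerCertificate.Subject,
                e.ServerCertificate.Issuer,
                thumbprint,
                e.CertificatePolicyErrors);

            // Button2 ("No") is the default so a stray Enter does not accept.
            accept = MessageBox.Show(details, "Certificate Warning",
                MessageBoxButtons.YesNo, MessageBoxIcon.Warning,
                MessageBoxDefaultButton.Button2) == DialogResult.Yes;

            decisions[key] = accept;
        }

        e.ValidityState = accept
            ? CertificateValidity.ForceValid
            : CertificateValidity.ForceInvalid;
    }
}
```

Call `CertPrompt.Register()` before starting the proxy. Two caveats: the event is raised from the thread handling the session, not the UI thread, so several concurrent sessions to the same untrusted host can each prompt before the first decision lands in the cache; and `ForceValid` suppresses every policy error, including a name mismatch, which is why the prompt prints `ExpectedCN` next to the certificate's `Subject`.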

Licensed under: CC-BY-SA with attribution