Fiddler and 2 way pinned certificates



  • Not completely certain if it's better to post here or security, so, trying here first.

    I'm currently attempting to test a new feature in a desktop application that uses 2 way pinning for https traffic. If the client certificate (built into the application) is not one that's expected, the server will return an error.

    Normally, running something like Fiddler would be fine, but, because of the fact that Fiddler uses its own, we cannot see the traffic coming back.

    Is there a way in Fiddler to import a certificate that I haven't managed to find yet, or, is there another way to inspect this traffic?



  • If you haven't already looked into it, you can register client certificates as mentioned at http://docs.telerik.com/fiddler/configure-fiddler/tasks/RespondWithClientCert

    You can also utilize SoapUI to send communications with certificates, but that's just services... not sure if this is a service or part of the webapp... sounds like it's coded in the app.

    If all else fails, you can utilize Wireshark to pull all the traffic out and from there try to filter for the specific traffic you are looking for and see that it is communicating as expected.

