Hello,
I work on an application that legitimately utilizes SSL/TLS Man In The Middle (MITM) in order to inspect secure traffic with user consent. Basically we install our Root CA into the Windows System store (again, per the user's request) then MITM traffic via a WFP driver/service.

This works for applications such as Internet Explorer (including IE when in Windows Store / "Metro" mode). However, when using WinJS/HTML applications (e.g. applications hosted by WWAHost.exe) it appears that our root CA may be being ignored. During the handshake, after we send back the MITM'd server certificate, clients hang up. Browsing to the same URL the client is attempting to use, with our MITM enabled, in a browser works.

From what I have read, by default these applications should be validating CAs down to the system root store, with the alternative being to use the Certificates Extension (embed CA/trust in the manifest). I have inspected the .xml manifests of some of the applications in question and do not see this extension being used, nor do I see any explicit "pinning" being used.
Any information regarding this is highly appreciated!