Topic "Powershell unable to get TlsHostCertificateFingerprint in correct format"

samellinger

Joined: 2016-01-21
Posts: 5
I'm working to automate a CSV upload to an external service that we subscribe to. I'm running into an issue with the TLS host certificate. Here's the code snippet and what I've tried:

$HostKey = "ssh-rsa 2048 78:b7:ed:6a:2a:6d:06:61:ae:7d:f6:e5:75:7c:0d:68"

New-WinSCPSession ED -credential $Username -ftpMode Active -FtpSecure ExplicitTls -HostName $FTPHost -PortNumber $Port -Protocol $Protocol -TlsHostCertificateFingerprint $HostKey -SessionLogPath $WinSCPLog

When I run that I receive

New-WinSCPSession : Exception setting "TlsHostCertificateFingerprint": "TLS host certificate fingerprint "ssh-rsa 2048 78:b7:ed:6a:2a:6d:06:61:ae:7d:f6:e5:75:7c:0d:68:cc:bb:37:78" does not
match pattern /([0-9a-f]{2}:){19}[0-9a-f]{2}(;([0-9a-f]{2}:){19}[0-9a-f]{2})*/"


It appears that the key is matching the correct pattern but ssh-rsa 2048 does not. Ok, so I changed the variable to
$HostKey = "78:b7:ed:6a:2a:6d:06:61:ae:7d:f6:e5:75:7c:0d:68" and received the following result.

New-WinSCPSession : Exception setting "SshHostKeyFingerprint": "SSH host key fingerprint "DiscoveryED" does not match pattern
/((ssh-rsa|ssh-dss)( |-))?(\d+ )?([0-9a-f]{2}(:|-)){15}[0-9a-f]{2}(;((ssh-rsa|ssh-dss)( |-))?(\d+ )?([0-9a-f]{2}(:|-)){15}[0-9a-f]{2})*/"


I then tried shortening the key length as specified in that regex to "ssh-rsa 2048 78:b7:ed:6a:2a:6d:06:61:ae:7d:f6:e5:75:7c:0d:68". However, I received the following error again

New-WinSCPSession : Exception setting "TlsHostCertificateFingerprint": "TLS host certificate fingerprint "ssh-rsa 2048 78:b7:ed:6a:2a:6d:06:61:ae:7d:f6:e5:75:7c:0d:68" does not match
pattern /([0-9a-f]{2}:){19}[0-9a-f]{2}(;([0-9a-f]{2}:){19}[0-9a-f]{2})*/"



Can someone help me understand where I am going wrong in formatting this fingerprint?
martin
Site Admin
Joined: 2002-12-10
Posts: 24530
Location: Prague, Czechia
The TLS certificate fingerprint cannot start with "ssh-rsa". That's obviously an SSH host key fingerprint. Where did you get it? Do you want to use FTP over TLS or SFTP over SSH?
samellinger

Joined: 2016-01-21
Posts: 5
I got that key from Session>Server and protocol information. Here's the output from that.

Remote system = UNIX Type: L8
File transfer protocol = FTP
Cryptographic protocol = TLS/SSL Explicit encryption, TLSv1.2
Encryption algorithm = TLSv1/SSLv3: AES256-GCM-SHA384, 2048 bit RSA
Compression = No
------------------------------------------------------------
Certificate fingerprint
78:b7:ed:6a:2a:6d:06:61:ae:7d:f6:e5:75:7c:0d:68:cc:bb:37:78

That's why I was a bit confused; I'm trying to use FTP over TLS, not SFTP over SSH.
martin
Site Admin
Joined: 2002-12-10
Posts: 24530
Location: Prague, Czechia
So use 78:b7:ed:6a:2a:6d:06:61:ae:7d:f6:e5:75:7c:0d:68:cc:bb:37:78 as is for TlsHostCertificateFingerprint, and do not try to add some irrelevant prefix.
samellinger

Joined: 2016-01-21
Posts: 5
After reading the error messages a bit deeper I realized that it is accepting the TlsHostCertificateFingerprint in its current format, but complaining about not having SshHostKeyFingerprint. It appears that no matter what I do, even though the protocol is set to FTP and FtpSecure is set to ExplicitTls, it still expects SshHostKeyFingerprint no matter what. I'm not sure if that is an error with the cmdlets but I'm unable to complete the command without it expecting SSH information for my FTPS connection.

Instead of using the PowerShell wrapper I resorted to using the .NET assembly, which is completing my connection successfully.
martin
Site Admin
Joined: 2002-12-10
Posts: 24530
Location: Prague, Czechia
Can you show us your corrected code that suffers the problem nevertheless?
samellinger

Joined: 2016-01-21
Posts: 5
Sure, here is the code that is working correctly:

$sessionOptions = New-Object WinSCP.SessionOptions
$sessionOptions.Protocol = [WinSCP.Protocol]::ftp
$sessionOptions.HostName = "host.com"
$sessionOptions.UserName = "Username"
$sessionOptions.Password = 'Password'
$sessionOptions.TlsHostCertificateFingerprint = "78:b7:ed:6a:2a:6d:06:61:ae:7d:f6:e5:75:7c:0d:68:cc:bb:37:78"
$sessionOptions.FtpSecure = [WinSCP.FtpSecure]::Explicit
$session = New-Object WinSCP.Session

Here is the PowerShell cmdlet that did not work:

$FTPHost = "host.com"
$Port = "21"
$Protocol = "FTP"
$Username = "Username"
$Password = convertto-securestring -string 'Password' -AsPlainText -Force
$credential = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $password
$HostKey = "78:b7:ed:6a:2a:6d:06:61:ae:7d:f6:e5:75:7c:0d:68:cc:bb:37:78"


New-WinSCPSession DSession -credential $Credential -ftpMode Active -FtpSecure ExplicitTls -HostName $FTPHost -PortNumber $Port -Protocol $Protocol -TlsHostCertificateFingerprint $HostKey
dotps1
Contributor
Joined: 2015-03-23
Posts: 15
Location: United States
Please move this to GitHub. This is not an issue with WinSCP directly, but possibly an issue with the WinSCP PowerShell Module. You can find it here: https://github.com/dotps1/WinSCP/issues.

But at first glance, what is 'DSession'? There are no position supported params in the New-WinSCPSession cmdlet, everything is by name only (as it is with anything I write, I don't like unnamed params). So 'DSession', I have a feeling, is throwing everything off; it basically doesn't know what that value is for.

*Edit*
I also see in your first post you have
Code:

New-WinSCPSession ED -.........

Again, not sure what 'ED' is, but this makes me even more sure about the issue being a typo.

Hope that helps.
*End Edit*
samellinger

Joined: 2016-01-21
Posts: 5
Sorry for the confusion with different names, that's what I get for trying to sanitize code at different times.

You are correct though, I had a value for the name of session, but looking back there is no name included in New-WinSCPSession. I thought that was part of one of the examples but looking over the examples and syntax there is not. Removing that name corrects the issue I was having with the command.
dotps1
Contributor
Joined: 2015-03-23
Posts: 15
Location: United States
no worries, happy to help!
_________________
https://github.com/dotps1
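
Added example (not code from any poster in this thread or from the WinSCP project): a pre-flight check that tells which session property a fingerprint string fits, using the two patterns quoted in the error messages above, plus a converter from a certificate SHA-1 thumbprint to the colon-separated form. The function names are hypothetical, and anchoring the patterns with ^ and $ and matching case-sensitively are assumptions about how the patterns are applied.

```powershell
# Patterns copied from the New-WinSCPSession error messages in this thread.
# Anchors (^ $) are added here as an assumption: the whole string must match.
$TlsPattern = '^([0-9a-f]{2}:){19}[0-9a-f]{2}(;([0-9a-f]{2}:){19}[0-9a-f]{2})*$'
$SshOne     = '((ssh-rsa|ssh-dss)( |-))?(\d+ )?([0-9a-f]{2}(:|-)){15}[0-9a-f]{2}'
$SshPattern = "^$SshOne(;$SshOne)*`$"

# Hypothetical helper: report which property a fingerprint string is valid for.
function Get-FingerprintKind {
    param([Parameter(Mandatory)][string]$Fingerprint)
    # -cmatch is case-sensitive; the printed patterns list lowercase hex only.
    if ($Fingerprint -cmatch $TlsPattern) { return 'TlsHostCertificateFingerprint' }
    if ($Fingerprint -cmatch $SshPattern) { return 'SshHostKeyFingerprint' }
    return 'Invalid'
}

# Hypothetical helper: turn a SHA-1 thumbprint (40 hex digits, any case or
# spacing, e.g. X509Certificate2.Thumbprint) into 20 colon-separated pairs.
function ConvertTo-ColonFingerprint {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $hex = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToLowerInvariant()
    if ($hex.Length -ne 40) {
        throw "Expected 40 hex digits (SHA-1), got $($hex.Length)."
    }
    return ($hex -replace '(..)(?!$)', '$1:')
}

# The fingerprint strings that appear in this thread.
$short = '78:b7:ed:6a:2a:6d:06:61:ae:7d:f6:e5:75:7c:0d:68'
$full  = "$short`:cc:bb:37:78"
$samples = @(
    "ssh-rsa 2048 $short",   # 16 bytes with SSH prefix
    $short,                  # 16 bytes, no prefix
    $full,                   # 20 bytes: the certificate fingerprint
    "ssh-rsa 2048 $full"     # 20 bytes with SSH prefix: fits neither pattern
)
foreach ($s in $samples) {
    [pscustomobject]@{ Fingerprint = $s; Kind = Get-FingerprintKind $s }
}

# Thumbprint form of the same certificate fingerprint, converted back.
ConvertTo-ColonFingerprint '78B7ED6A2A6D0661AE7DF6E5757C0D68CCBB3778'
```

Only the 20-byte string without a prefix is reported as a TLS certificate fingerprint; the 16-byte strings fit the SSH host key pattern, which is why truncating the value did not help.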