Topic review

martin

I did check Git source code (or actually Curl code, as that's what Git uses for HTTP[S]) and the code seems pretty much the same as what WinSCP is doing.

Do you think it's possible for me to somehow configure my Windows to behave like yours? Do you know what exactly causes WinSCP to fail the certificate validation?
martin

Thanks. I'll look into it.
Wendo

Git for Windows with the
git config --global http.sslBackend schannel

command run works fine.

As does Python with the pip-system-certs extension loaded.
martin

Does "everything else" include other open source software that I can check?
Wendo

I'm seeing this when SSL Decryption is enabled:
Certificate not trusted.
Error: 800B0109, Chain index: 0, Element index: -1
Server certificate verification failed: issuer is not trusted

Excluding winscp.net from SSL Decryption makes checking for updates work normally. Our RootCA cert is installed in the machine cert store under Trusted Root Certification Authorities and working fine for everything else.
martin

Re: Certificate validation

All HTTPS connections (updates, S3, WebDAV) use the same mechanism for verifying the certificates. So all use the Windows certificate store, via CertVerifyCertificateChainPolicy.
Can you post the exact error message you are getting?
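
One way to see how the Windows chain engine judges the certificate presented for the update host, as an added example that is not part of the thread or of WinSCP's code. It uses .NET's X509Chain, which builds chains from the Windows certificate stores; that it applies the same policy options as WinSCP's CertVerifyCertificateChainPolicy call is an assumption, as is direct connectivity to port 443. Error 800B0109 is CERT_E_UNTRUSTEDROOT, which appears here as the UntrustedRoot status.

```powershell
# Added diagnostic example; not WinSCP code. Host name and port are parameters.
param([string]$HostName = 'winscp.net', [int]$Port = 443)

# Capture the certificate the client is actually handed (the proxy's re-signed
# one when SSL decryption is on). Validation is skipped for this capture only;
# no application data is sent on the connection.
$tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
try {
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($HostName)
    $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
} finally {
    $tcp.Dispose()
}

# Build the chain against the Windows stores. Revocation is switched off so a
# trust failure is not masked by an unreachable CRL/OCSP endpoint.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($leaf)

# One record per chain element, leaf first, with that element's own status flags.
$elements = for ($i = 0; $i -lt $chain.ChainElements.Count; $i++) {
    $el = $chain.ChainElements[$i]
    [pscustomobject]@{
        Element    = $i
        Subject    = $el.Certificate.Subject
        Issuer     = $el.Certificate.Issuer
        Thumbprint = $el.Certificate.Thumbprint
        Status     = ($el.ChainElementStatus.Status -join ', ')
    }
}
$elements | Format-List
"Chain trusted: $trusted; overall status: $($chain.ChainStatus.Status -join ', ')"

# Which root stores hold the top certificate of the chain that was built?
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    $hit = Get-ChildItem $store | Where-Object Thumbprint -eq $top.Thumbprint
    "{0}: {1}" -f $store, $(if ($hit) { 'present' } else { 'absent' })
}
```

If the top element is not self-signed (its Subject and Issuer differ), the chain stopped short of a root, which points at a missing intermediate rather than at the root store.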
Wendo

Certificate validation

Hi

While I understand WinSCP uses the Windows Certificate Store to validate certificates for connections, it appears it does not use it when checking for updates.

We have SSL interception on and when checking for updates I see a certificate chain error and it fails to check for updates. The RootCA certificate is in the Windows certificate store as a Trusted CA and works for everything else.

I've found other posts discussing that WinSCP does use the Windows Certificate Store for S3 connections etc (not that I've tried that) but I'm guessing the update lookup is just missing that piece of validation code.