Topic review

Obee

Re: Not understanding certificate failures

Thank you! No problem, I just wanted to understand that. I go on alert when I see failures in the logs.
martin

Re: Not understanding certificate failures

That is a result of the certificate check in the OpenSSL library. Unless you have a local OpenSSL certificate store that can validate the certificate, you will always see that. Why do you want to eliminate it? What is the problem?
Obee

Re: Not understanding certificate failures

Thanks, I do understand that. It's the part at the end of that same line in the log "and 20 failures" that I do not understand. What is failing before the success? Can the failures be eliminated? I have tried moving the order of the cipher suites around but it doesn't change the message.
martin

Re: Not understanding certificate failures

There's no failure, the certificate was successfully verified:
. 2023-10-04 10:39:07.031 Certificate verified against Windows certificate store
Obee

Re: Not understanding certificate failures

Done. File uploaded as an attachment; it is private.
martin

Re: Not understanding certificate failures

Please remove the certificate from the WinSCP cache and post complete session log file.
Obee

Re: Not understanding certificate failures

Unfortunately firewall rules prevent me from testing anywhere except from the one allowed source to the one allowed destination.
martin

Re: Not understanding certificate failures

Did you test the connection on a standard Windows installation (not a corporate-managed one)?
Obee

Not understanding certificate failures

Using WinSCP 5.19.6 (cannot upgrade version because another unit "owns" the application)
Trying to connect to a remote server using
ftpes:// -rawsettings MinTLSVersion=12 MaxTLSVersion=13

The certificate is from our agency's PKI; it is installed in the Windows store on the remote server and should be fully trusted.
The certificate gives its thumbprint as SHA1. The WinSCP log gives it as SHA256. I have confirmed that the two match.
Part of debug log:
< 2023-09-26 13:55:48.579 234 AUTH command ok. Expecting TLS Negotiation.
. 2023-09-26 13:55:48.579 No data to read
. 2023-09-26 13:55:48.594 TLS connect: SSLv3/TLS write client hello
. 2023-09-26 13:55:48.594 TLS connect: SSLv3/TLS read server hello
. 2023-09-26 13:55:48.594 TLS connect: SSLv3/TLS read server certificate
. 2023-09-26 13:55:48.594 TLS connect: SSLv3/TLS read server key exchange
. 2023-09-26 13:55:48.594 TLS connect: SSLv3/TLS read server done
. 2023-09-26 13:55:48.610 TLS connect: SSLv3/TLS write client key exchange
. 2023-09-26 13:55:48.610 TLS connect: SSLv3/TLS write change cipher spec
. 2023-09-26 13:55:48.610 TLS connect: SSLv3/TLS write finished
. 2023-09-26 13:55:48.610 TLS connect: SSLv3/TLS write finished
. 2023-09-26 13:55:48.610 TLS connect: SSLv3/TLS read change cipher spec
. 2023-09-26 13:55:48.610 TLS connect: SSLv3/TLS read finished
. 2023-09-26 13:55:48.610 Verifying certificate for "agency name" with fingerprint xxx and 20 failures
. 2023-09-26 13:55:48.610 Certificate for "agency name" matches cached fingerprint and failures
. 2023-09-26 13:55:48.610 Using TLSv1.2, cipher TLSv1.2: ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA, ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
< 2023-09-26 13:55:48.610 Script: TLS connection established. Waiting for welcome message...
. 2023-09-26 13:55:48.610 TLS connection established. Waiting for welcome message...

QUESTION: How do I find out what is causing the failures? The certificate is valid, unsure why we're getting failures.
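An added example, not WinSCP's own code and not part of this thread: the triage a log monitor can apply to the certificate lines quoted above, so that the "N failures" count by itself does not raise an alert. As martin's reply explains, the count comes from the OpenSSL check, which cannot build the chain without a local OpenSSL trust store; what decides the outcome is whether the certificate was then accepted against the Windows certificate store (or matched the cached fingerprint and failures). The sample logs below are constructed from the line shapes shown in this thread, the fingerprint value is a placeholder, and the function and class names are my own.

```python
"""Triage of certificate-verification lines in a WinSCP session log.

Added example (not WinSCP code). Line shapes are taken from the log
excerpts quoted in this thread; the sample logs and the fingerprint
value are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Line shapes seen in the thread. WinSCP prefixes informational lines
# with ". " and a timestamp; the regexes only look at the message part.
RE_VERIFYING = re.compile(
    r'Verifying certificate for "(?P<subject>[^"]*)" with fingerprint '
    r'(?P<fp>\S+) and (?P<failures>\d+) failures'
)
RE_CACHED = re.compile(
    r'Certificate for "(?P<subject>[^"]*)" matches cached fingerprint and failures'
)
RE_WINSTORE = re.compile(r"Certificate verified against Windows certificate store")
RE_ESTABLISHED = re.compile(r"TLS connection established")


@dataclass
class CertVerdict:
    subject: Optional[str] = None
    fingerprint: Optional[str] = None
    openssl_failures: Optional[int] = None  # None: no "Verifying certificate" line seen
    accepted_by: Optional[str] = None       # "windows-store", "cache" or None
    tls_established: bool = False

    @property
    def needs_attention(self) -> bool:
        """True when a verification line was logged but nothing accepted the cert.

        A non-zero OpenSSL failure count is expected whenever no OpenSSL
        trust store can build the chain, so it is informational only.
        """
        return self.openssl_failures is not None and self.accepted_by is None


def triage(log_text: str) -> CertVerdict:
    """Scan a session log and summarise how the server certificate was handled."""
    verdict = CertVerdict()
    for line in log_text.splitlines():
        m = RE_VERIFYING.search(line)
        if m:
            verdict.subject = m.group("subject")
            verdict.fingerprint = m.group("fp")
            verdict.openssl_failures = int(m.group("failures"))
        elif RE_CACHED.search(line):
            verdict.accepted_by = "cache"
        elif RE_WINSTORE.search(line):
            verdict.accepted_by = "windows-store"
        elif RE_ESTABLISHED.search(line):
            verdict.tls_established = True
    return verdict


def normalize_fingerprint(fp: str) -> str:
    """Lower-case hex with separators removed, so 'AB:CD' and 'ab cd' compare equal."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def digest_name(fp: str) -> str:
    """Guess the digest from the hex length: 40 digits is SHA-1, 64 is SHA-256."""
    return {40: "sha1", 64: "sha256"}.get(len(normalize_fingerprint(fp)), "unknown")


def fingerprint_matches(verdict: CertVerdict, expected: str) -> bool:
    """Compare the logged fingerprint with one obtained out of band.

    Both values must be the same digest: a SHA-1 thumbprint copied from a
    certificate viewer can never equal a SHA-256 fingerprint of the same cert.
    """
    if verdict.fingerprint is None:
        return False
    if digest_name(verdict.fingerprint) != digest_name(expected):
        return False
    return normalize_fingerprint(verdict.fingerprint) == normalize_fingerprint(expected)


# Constructed sample logs (placeholder fingerprint, not a real digest).
FAKE_FP = ":".join(["ab"] * 32)  # 32 bytes, the size of a SHA-256 fingerprint

LOG_CACHED_OK = f"""\
< 2023-09-26 13:55:48.579 234 AUTH command ok. Expecting TLS Negotiation.
. 2023-09-26 13:55:48.610 TLS connect: SSLv3/TLS read finished
. 2023-09-26 13:55:48.610 Verifying certificate for "agency name" with fingerprint {FAKE_FP} and 20 failures
. 2023-09-26 13:55:48.610 Certificate for "agency name" matches cached fingerprint and failures
. 2023-09-26 13:55:48.610 TLS connection established. Waiting for welcome message...
"""

LOG_WINSTORE_OK = f"""\
. 2023-10-04 10:39:07.031 Verifying certificate for "agency name" with fingerprint {FAKE_FP} and 20 failures
. 2023-10-04 10:39:07.031 Certificate verified against Windows certificate store
. 2023-10-04 10:39:07.031 TLS connection established. Waiting for welcome message...
"""

# Constructed: a log cut off before any acceptance line. Nothing here says
# the certificate was rejected; it says nothing accepted it, which is what
# a monitor should escalate.
LOG_TRUNCATED = f"""\
. 2023-10-04 10:39:07.031 Verifying certificate for "agency name" with fingerprint {FAKE_FP} and 20 failures
"""


if __name__ == "__main__":
    for name, log in (("cached", LOG_CACHED_OK), ("winstore", LOG_WINSTORE_OK), ("truncated", LOG_TRUNCATED)):
        v = triage(log)
        print(name, v.openssl_failures, v.accepted_by, "ALERT" if v.needs_attention else "ok")
```

The check deliberately treats the OpenSSL failure count as context rather than a trigger: it alerts when a verification line is present and no acceptance line follows, and it refuses to compare fingerprints of different digest sizes, which is the SHA-1 versus SHA-256 mix-up described in the original post.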