Forum » Support and Bug Reports »

Post a reply

Before posting, please read how to report bug or request support effectively.

Bug reports without an attached log file are usually useless.

Options
Add an Attachment

If you do not want to add an Attachment to your Post, please leave the Fields blank.

(maximum 10 MB; please compress large files; only common media, archive, text and programming file formats are allowed)

Options

Topic review

martin

Re: Incessant certificate warnings

@Pointyears: Thanks for coming back to me. I've sent you an email.
Pointyears

Re: Incessant certificate warnings

Does getting that version apply to me, also, the thread starter?

Thanks
Ruddy

Re: Incessant certificate warnings

We started facing this same issue after the AWS Outage early October, and haven't been able to find a solution to it.. unfortunately, I can't "force" to connect to the same server everytime (that's the reason for using balancers, right?) so actually, I haven't yet find any solution to this problem... would be awesome if someone can advice on how to bypass/overcome the problem, to avoid further disruption on systems... tried to connect to AWS and report the problem but, haven't been able to connect with someone...
martin

Re: Incessant certificate warnings

While it's indeed a wildcard certificate, every certificate for every connection WinSCP has made seems to have a different fingerprint.
Pointyears

Re: Incessant certificate warnings

To be more thorough, I tried S3 Browser portable on both my Windows 11 laptop, and the Citrix server with no certificate issues whatsoever (SSL is forced in both the client app, and the S3 policy we have precludes port 80 non-ssl connections).
Pointyears

Re: Incessant certificate warnings

Thanks, Martin. You've managed to confuse me more. I thought since it's a wildcard cert that's presented by AWS (*.s3-us-gov-west-1.amazonaws.com) to WinSCP with the same fingerprint that's both in that alert and in the winscp.ini that while it might be a different load balancer that WinSCP is talking through, the certificate is the same.
Thanks.
martin

Re: Incessant certificate warnings

I do not think it's not possible to "accept that condition".
The problem is that your server (AWS) is load balanced. So you are actually connecting to a different server with different certificate every time. So everytime WinSCP prompts you, it prompts for a different certificate.
Pointyears

Re: Incessant certificate warnings

But it seems to me that the inability to accept that condition by selecting "Yes" to store the cert is a separate issue, no?
martin

Re: Incessant certificate warnings

The verification fails due to:
The revocation function was unable to check revocation because the revocation server was offline

It seems like some temporary network outage or lag.
Pointyears

Re: Incessant certificate warnings

Enclosed. Thanks.
martin

Re: Incessant certificate warnings

Please attach a full session log file (sorry, I should have asked for that before already).
Pointyears

Re: Incessant certificate warnings

See enclosure please, Martin. Clicking "Yes" allows the file copy to go on for a random interval measured in seconds and then the alert presents itself again. Saying "Yes" does nothing...repeatedly; it's never added to the cert store or anywhere, but the fingerprint is added to the winscp.ini. It's hard to say when this problem started as we had a seasonal lull in which we weren't using S3.
Thanks for your attention to this.
martin

Re: Incessant certificate warnings

Please post an exact and complete message that you are getting.
Pointyears

Incessant certificate warnings

We use WinSCP Portable (of varying versions) to connect to an AWS GovCloud S3 bucket via DoD devices. Initial connection goes fine, but after a variable number of operations (usually file copies) an alert appears for an untrusted connection. The certificate issuer is DHA (Defense Health) which means it's part of DHA's "man in the middle" packet inspection. The problem is selecting "yes" to continue and store the certificate does nothing other than putting the fingerprint in the winscp.ini file. There's just an endless series of those alerts in no discernable pattern which essentially makes WinSCP useless for us.

I've dug around the net and I haven't found anything that applies to bypass that warning using the GUI (vs .NET code). -certificate * looked promising in the .ini (to be narrowed down if that worked), but made no difference, nor did I find anything applicable or germane in the Raw Settings for that session.
Any way out of this? This has put us at a bit of a standstill. Thanks!

I ran the log in debug and below is all that it had re certificates. 
. 2025-06-13 16:05:58.130 Doing SSL negotiation.
. 2025-06-13 16:05:58.280 ssl: Verify callback @ 2 => 20
. 2025-06-13 16:05:58.280 ssl: Verify failures |= 8 => 8
. 2025-06-13 16:05:58.295 Chain depth: 3
. 2025-06-13 16:05:58.295 Identity match for '': bad
. 2025-06-13 16:05:58.295 Identity match for '': bad
. 2025-06-13 16:05:58.295 Identity match for '': bad
. 2025-06-13 16:05:58.295 ssl: Match common name '*.s3-us-gov-west-1.amazonaws.com' against 's3.us-gov-west-1.amazonaws.com'
. 2025-06-13 16:05:58.295 ssl: Match common name 's3-us-gov-west-1.amazonaws.com' against 's3.us-gov-west-1.amazonaws.com'
. 2025-06-13 16:05:58.295 ssl: Match common name '*.s3.us-gov-west-1.amazonaws.com' against 's3.us-gov-west-1.amazonaws.com'
. 2025-06-13 16:05:58.295 ssl: Match common name 's3.us-gov-west-1.amazonaws.com' against 's3.us-gov-west-1.amazonaws.com'
. 2025-06-13 16:05:58.295 Identity match for 's3.us-gov-west-1.amazonaws.com': good
. 2025-06-13 16:05:58.295 Verifying certificate for "*.s3-us-gov-west-1.amazonaws.com" with fingerprint 4e:80:b7:a9:31:3f:4d:55:ee:7e:fb:f8:85:a6:e0:e7:09:a5:9c:2f:26:ed:c7:2f:c7:54:8d:c6:8d:ff:e7:7b and 08 failures
. 2025-06-13 16:05:58.418 Certificate verified against Windows certificate store

Documentation

Support

Associations

Follow Us