martin

Re: same Error even with later version

@gireesh: Do you mean that versions before 5.9.3 work for you and later versions do not?
A session log file is always useful.
gireesh

same Error even with later version

Hi, I am still experiencing the same issue with 5.16.4 RC. Please let me know if you need details such as logs, etc.
Thanks, Gireesh
martin

Thanks for testing! I do not need any more tests.
Makc666

Martin,

the one you sent me works well (v5.10 Dev Build 7191 2016-12-16).
I tested withOUT -passphrase and -passphrase=pass.

Do you need some other tests from me to do with this case?

Thanks!
martin

I'm sending you an email with a development version of WinSCP to the address you have used to register on this forum.
Makc666

Martin, here is the archive with the certificates and scripts to test.
One certificate with NO password.
Second certificate with password. Password is "test" - it is also listed in the .txt file inside the archive.

Put the proper version of
WinSCP.com
WinSCP.exe
to folders:
WinSCP v5.9.1
WinSCP v5.9.3

One more comment.

When you try to use that .PFX file with NO password in WinSCP.exe v5.9.3 you will get a window with a "Client certificate passphrase" request (attached).
If you do the same in WinSCP.exe v5.9.1 there will be no problems.
martin

Can you provide me a sample certificate for testing?
Makc666

Martin, do you need any more information from me to look into this one?
Makc666

Here are two logs.
One from WinSCP 5.9.1 and the other from WinSCP 5.9.3.
The only difference is WinSCP version.
No other changes.

Note at lines:

WinSCP_v5-9-1_Good.txt
. 2016-12-08 15:05:30.507 User name: USERNAME (Password: Yes, Key file: No)
...
no such line
...
. 2016-12-08 15:05:31.904 Server asks for authentication with a client certificate.
. 2016-12-08 15:05:32.402 Verifying certificate for "Cert_CA_NAME" with fingerprint 11:22:33:11:22:33:11:22:33:11:22:33:11:22:33:11:22:33:11:22 and 19 failures
* 2016-12-08 15:05:32.403 WARNING! Giving up security and accepting any certificate as configured!
. 2016-12-08 15:05:32.403 Using TLSv1.2, cipher TLSv1/SSLv3: AES128-SHA, 2048 bit RSA, AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
. 2016-12-08 15:05:32.403 TLS connection established. Waiting for welcome message...


WinSCP_v5-9-3_Bad.txt
. 2016-12-08 14:54:43.010 User name: USERNAME (Password: Yes, Key file: No, Passphrase: No)
...
. 2016-12-08 14:54:53.013 Certificate is encrypted, need passphrase
...
. 2016-12-08 14:55:04.381 Server asks for authentication with a client certificate.
. 2016-12-08 14:55:04.744 Disconnected from server
Makc666

WinSCP 5.9.3 broke .pfx or .p12 files without passphrase / Certificate is encrypted, need passphrase

P.S. Martin created https://winscp.net/tracker/1490

No problems with WinSCP 5.9.1.
After upgrading to WinSCP 5.9.3 the problem appeared.
Rolling back to WinSCP 5.9.1 solves the problem.

I have a pkcs12 file which has a private key and a certificate with chain certificates in it.
It was created using the command:
openssl pkcs12 -export -inkey <private_key_file>.key -in <you_cert_file_with_chain>.pem -out certificate_client_nopass.pkcs12.pfx -name <some_friendly_name_here>

While executing this command NO password was entered.
So I have a certificate_client_nopass.pkcs12.pfx file which is not encrypted with a password.

I start like:
winscp.com /ini=nul /script="FTPS_Script.txt"

FTPS_Script.txt has something like:
open ftpes://user:pass@ip:port/ -passive=on -explicit -certificate="*" -clientcert="certificate_client_nopass.pkcs12.pfx" -rawsettings CacheDirectories=0 CacheDirectoryChanges=0 FtpForcePasvIp2=0 FtpPingInterval=10 FtpListAll=1 SslSessionReuse=0 MinTlsVersion=12 -timeout=999

It is working perfectly in WinSCP 5.9.1.

After upgrading to WinSCP 5.9.3 it doesn't work any more.

WinSCP begins to write a message in the log file:
. 2016-12-08 14:54:43.011 Certificate is encrypted, need passphrase

I will attach two log files in the next message.

<you_cert_file_with_chain>.pem file looks like:
subject=/L=Moscow/ST=Moscow/C=RU/O=Maxim/OU=Test/CN=test.com

issuer=/C=US/O=COMPANE/OU=Service Association/CN=External CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

subject=/C=US/O=COMPANE/OU=Service Association/CN=External CA
issuer=/C=US/O=COMPANE/OU=Service Association/CN=Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

subject=/C=US/O=COMPANE/OU=Service Association/CN=Root CA
issuer=/C=US/O=COMPANE/OU=Service Association/CN=Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
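
The two test files described in this thread (one PKCS#12 file with no password, one with password "test") can be rebuilt and checked with OpenSSL before blaming the client. This is an added example, not part of the original posts or of WinSCP; the function names, file names and the throwaway self-signed certificate are assumptions made for the example.

```shell
#!/bin/sh
# Added example: build two constructed PKCS#12 files and classify each by
# whether an empty passphrase opens it. All names here are hypothetical.

# make_test_pfx DIR: create a throwaway self-signed key/cert in DIR, then
# export it twice: once with an empty passphrase, once with "test".
make_test_pfx() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test.com" \
        -keyout "$dir/client.key" -out "$dir/client.pem" 2>/dev/null || return 1
    openssl pkcs12 -export -inkey "$dir/client.key" -in "$dir/client.pem" \
        -name test -passout pass: -out "$dir/nopass.pfx" 2>/dev/null || return 1
    openssl pkcs12 -export -inkey "$dir/client.key" -in "$dir/client.pem" \
        -name test -passout pass:test -out "$dir/withpass.pfx" 2>/dev/null
}

# pfx_opens_with FILE PASS: exit 0 if PASS passes the MAC check and opens FILE.
# -noout keeps the key and certificates from being printed.
pfx_opens_with() {
    openssl pkcs12 -in "$1" -noout -passin "pass:$2" 2>/dev/null
}

# pfx_class FILE: print "empty-passphrase" if FILE opens with an empty
# passphrase, otherwise "needs-passphrase".
pfx_class() {
    if pfx_opens_with "$1" ""; then
        echo "empty-passphrase"
    else
        echo "needs-passphrase"
    fi
}

# When called with a file argument, classify that file.
if [ $# -gt 0 ]; then
    pfx_class "$1"
fi
```

A file reported as "empty-passphrase" here corresponds to the certificate_client_nopass.pkcs12.pfx case from the report, where the export command was run with no password entered.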