martin

Re: Server's host key does not match the one WINSCP has in cache (randomly)

biegelboy wrote:

After upgrading WinSCP to the most current version, we started to see [The server's host key does not match the one WinSCP has in cache.] We have (4) external connections and all (4) connections at times reported this WARNING. Again, it's not happening all the time, it's happening randomly, and it started after the upgrade. So we downgraded WinSCP, but that didn't fix the issue.

Please post session log files both from failed connection and successful connection using the same settings.

biegelboy

Server's host key does not match the one WINSCP has in cache (randomly)

After upgrading WinSCP to the most current version, we started to see [The server's host key does not match the one WinSCP has in cache.] We have (4) external connections and all (4) connections at times reported this WARNING. Again, it's not happening all the time, it's happening randomly, and it started after the upgrade. So we downgraded WinSCP, but that didn't fix the issue.

This warning is playing havoc with my automation scripts to connect.

Please HELP!

martin

Re: Host certificate

JakobAagesen wrote:

I basically want to be able to do the same thing that the client does when it generates or retrieves the certificate. How does the client get the certificate?

What are you trying to achieve? Do you understand that you should get the certificate (its fingerprint) using a separate reliable channel? Not automatically! Even getting it from the WinSCP GUI is not the best way.
See https://winscp.net/eng/docs/faq_hostkey
It's about SSH host keys, but it applies to self-signed TLS certificates too.
Unless you want to implement something like this:
https://winscp.net/eng/docs/library_example_known_hosts
https://winscp.net/eng/docs/library_session_scanfingerprint
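An added example, not part of the posts here and not WinSCP code: one way to take the fingerprint from a separate reliable channel, as the reply above advises, is to hash the certificate file the server administrator exports and compare it with what a client session reported. It assumes a PEM export and that the pinned value is colon-separated hex of a SHA-1 or SHA-256 digest over the DER certificate; `SAMPLE_PEM` and all function names are constructed for illustration.

```python
import hashlib
import hmac
import ssl

# Digest length in bytes -> hashlib name. Assumption: a client reports either
# a SHA-1 (20 bytes) or a SHA-256 (32 bytes) certificate fingerprint.
ALGO_BY_LEN = {20: "sha1", 32: "sha256"}

# Constructed stand-in for the PEM file handed over by the server administrator.
# The payload is placeholder bytes, not a real X.509 certificate.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed placeholder, not a real certificate")


def cert_fingerprint(pem: str, algo: str = "sha256") -> str:
    """Hash the DER encoding of a PEM certificate; return colon-separated hex."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.new(algo, der).digest()
    return ":".join(f"{b:02x}" for b in digest)


def parse_fingerprint(text: str) -> bytes:
    """Accept 'AA:BB', 'aa-bb', 'aa bb' or 'aabb' and return the raw digest."""
    cleaned = "".join(ch for ch in text if ch not in ":- \t")
    raw = bytes.fromhex(cleaned)  # raises ValueError on anything that is not hex
    if len(raw) not in ALGO_BY_LEN:
        raise ValueError(f"unexpected digest length: {len(raw)} bytes")
    return raw


def matches_trusted_cert(trusted_pem: str, observed: str) -> bool:
    """True only if a client-reported fingerprint matches the trusted file."""
    raw = parse_fingerprint(observed)
    der = ssl.PEM_cert_to_DER_cert(trusted_pem)
    expected = hashlib.new(ALGO_BY_LEN[len(raw)], der).digest()
    return hmac.compare_digest(raw, expected)


if __name__ == "__main__":
    pinned = cert_fingerprint(SAMPLE_PEM)
    print("value to pin:", pinned)
    print("client-reported value matches:",
          matches_trusted_cert(SAMPLE_PEM, pinned.upper()))
```

A mismatch here means the client session saw a different certificate than the one the administrator exported, so the observed value should not be pinned.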

JakobAagesen

Host certificate

Hi Support
I am using the WinSCP API to connect to a FileZilla FTP server.
The server has been set up with the following configuration:
Enabled FTP over TLS
Disabled unencrypted FTP
Disabled explicit FTP
So basically I only allow implicit FTP.

Using the WinSCP client, I can connect by configuring the following settings:
File protocol: FTP
Encryption: TLS/SSL Implicit encryption
Host name: <server IP address>
Port number: 990 (default set)
The rest is left as default.

Using the WinSCP API, I can connect using the following settings:
Protocol: Ftp
FtpMode: Passive
FtpSecure: Implicit
HostName: <server IP address>
GiveUpSecurityAndAcceptAnyTlsHostCertificate: false
SshHostKeyFingerprint: null
TlsHostCertificateFingerprint: <certificate fingerprint>
The rest is left as default.

I got the TlsHostCertificateFingerprint from a WinSCP client session to the FTP server.
My question is, how do I get a certificate fingerprint if I don't use the WinSCP client? I basically want to be able to do the same thing that the client does when it generates or retrieves the certificate. How does the client get the certificate?