Certificate validation

Advertisement

Wendo
Joined:
Posts:
3

Certificate validation

Hi

While I understand WinSCP uses the Windows Certificate Store to validate certificates for connections, it appears it does not use it when checking for updates.

We have SSL interception on and when checking for updates I see a certificate chain error and it fails to check for updates. The RootCA certificate is in the Windows certificate store as a Trusted CA nd works for everything else.

I've found other posts discussing that WinSCP does use the Windows Certificate Store for S3 connections etc (not that I've tried that) but I'm guessing the update lookup is just missing that piece of validation code.

Reply with quote

Advertisement

martin
Site Admin
martin avatar
Joined:
Posts:
41,469
Location:
Prague, Czechia

Re: Certificate validation

All HTTPS connections (updates, S3, WebDAV) use the same mechanism for verifying the certificates. So all use Windows certificate store, via CertVerifyCertificateChainPolicy.
Can you post the exact error message you are getting?

Reply with quote

Wendo
Joined:
Posts:
3

I'm seeing this when SSL Decryption is enabled
Certificate not trusted.
Error: 800B0109, Chain index: 0, Element index: -1
Server certificate verification failed: issuer is not trusted
Excluding winscp.net from SSL Decryption makes checking for updates work normally. Our RootCA cert is installed in the machine cert store under Trusted Root Certification Authorities and working fine for everything else

Reply with quote

Wendo
Joined:
Posts:
3

Git for Windows with the
git config --global http.sslBackend schannel
command run works fine.

As does Python with the pip-system-certs extension loaded.

Reply with quote

Advertisement

martin
Site Admin
martin avatar
Joined:
Posts:
41,469
Location:
Prague, Czechia

I did check Git source code (or actually Curl code, as that's what Git uses for HTTP[S]) and the code seems pretty much the same as what WinSCP is doing.

Do you think it's possible for me to somehow configure my Windows to behave like yours? Do you know what exactly causes WinSCP to fail the certificate validation?

Reply with quote

Advertisement

You can post new topics in this forum