WinSCP will not accept certificate in batch mode
I am running WinSCP 4.4.0 on Windows Vista. I'm running in batch mode using FTPS (FTP with TLS Explicit encryption and passive mode). My saved session works perfectly using the GUI interface. I have accepted the server certificate, and no longer get prompted.
However, when I export my session to a .ini file and run in batch mode (with "option batch off" to allow the cert to be accepted), it does not allow me to accept the cert. Oddly, the cert warning message comes up twice, and the command line session hangs after I hit "Y" to accept the cert. My "Y" keystroke seems to have been read, as I get "Yes" echoed back on the second prompt. Not sure why this is happening, as accepting the cert on the command line used to work fine (with no double prompt). Note that if I open the connection and specify the -certificate switch with the certificate fingerprint, it works fine in batch mode.
Here is my command invocation:
"C:\Program Files\WinSCP\winscp" /script=test_transfer.txt /ini=WinSCP.ini /log=winscp.log
Here is the script file (test_transfer.txt):
option batch off
option confirm off
open jbtestTLS-ftp.dir.gov.bc.ca
put somedata.txt
close
exit
Here is the output of the command line console:
H:\WinSCP_testing>"C:\Program Files\WinSCP\winscp" /script=test_transfer.txt /ini=WinSCP.ini /log=winscp.log
batch off
confirm off
Prompting for credentials...
Password:
Connecting to ftp.dir.gov.bc.ca ...
Connected with ftp.dir.gov.bc.ca, negotiating SSL connection...
The server's certificate is not known. You have no guarantee that the server is the computer you think it is. Server's certificate details follow:
Issuer:
- Organization: Entrust, Inc., (c) 2009 Entrust, Inc., Entrust Certification Authority - L1C
- Location: US
Subject:
- Organization: Government of the Province of British Columbia, ftp.dir.gov.bc.ca
- Location: CA, British Columbia, Victoria
Valid: 2013-04-10 9:20:49 PM - 2014-05-01 12:20:55 AM
Fingerprint (SHA1): 2d:76:df:6e:cc:05:f5:cb:7e:42:82:69:99:5a:7c:75:44:75:e8:04
Summary: Unable to get local issuer certificate. The error occured at a depth of 1 in the certificate chain.
If you trust this certificate, press Yes. To connect without storing certificate, press No. To abandon the connection press Cancel.
Continue connecting and store the certificate?
(Y)es, (N)o, C(a)ncel, (C)opy Key:
(Y)es, (N)o, C(a)ncel, (C)opy Key: Yes
Here is the output of the winscp.log file:
. 2013-05-29 12:02:45.853 --------------------------------------------------------------------------
. 2013-05-29 12:02:45.861 WinSCP Version 4.4.0 (Build 1904) (OS 6.0.6002 Service Pack 2)
. 2013-05-29 12:02:45.875 Configuration: H:\WinSCP_testing\WinSCP.ini
. 2013-05-29 12:02:45.883 Local account: IDIR\jborrows
. 2013-05-29 12:02:45.892 Login time: Wednesday, May 29, 2013 12:02:45 PM
. 2013-05-29 12:02:45.900 --------------------------------------------------------------------------
. 2013-05-29 12:02:45.908 Session name: jbtestTLS-ftp.dir.gov.bc.ca (Stored session)
. 2013-05-29 12:02:45.916 Host name: ftp.dir.gov.bc.ca (Port: 21)
. 2013-05-29 12:02:45.924 User name: jborrows (Password: No, Key file: No)
. 2013-05-29 12:02:45.932 Tunnel: No
. 2013-05-29 12:02:45.940 Transfer Protocol: FTP
. 2013-05-29 12:02:45.948 Ping type: C, Ping interval: 30 sec; Timeout: 15 sec
. 2013-05-29 12:02:45.956 Proxy: none
. 2013-05-29 12:02:45.964 FTP: FTPS: Explicit TLS; Passive: Yes [Force IP: A]
. 2013-05-29 12:02:45.972 Local directory: default, Remote directory: home, Update: No, Cache: Yes
. 2013-05-29 12:02:45.980 Cache directory changes: Yes, Permanent: Yes
. 2013-05-29 12:02:45.988 DST mode: 1
. 2013-05-29 12:02:45.996 --------------------------------------------------------------------------
. 2013-05-29 12:02:46.004 Password prompt (no password provided or last login attempt failed)
. 2013-05-29 12:02:49.850 Connecting to ftp.dir.gov.bc.ca ...
. 2013-05-29 12:02:49.955 Connected with ftp.dir.gov.bc.ca, negotiating SSL connection...
< 2013-05-29 12:02:49.988 220 pearl.bcsc.gov.bc.ca FTP server (Version wu-2.7.0-11.91.2.3.1) ready.
> 2013-05-29 12:02:49.996 AUTH TLS
< 2013-05-29 12:02:50.004 234 AUTH TLS OK.
. 2013-05-29 12:02:50.420 Asking user:
. 2013-05-29 12:02:50.428 The server's certificate is not known. You have no guarantee that the server is the computer you think it is. Server's certificate details follow:
. 2013-05-29 12:02:50.436
. 2013-05-29 12:02:50.442 Issuer:
. 2013-05-29 12:02:50.450 - Organization: Entrust, Inc., (c) 2009 Entrust, Inc., Entrust Certification Authority - L1C
. 2013-05-29 12:02:50.458 - Location: US
. 2013-05-29 12:02:50.466
. 2013-05-29 12:02:50.472 Subject:
. 2013-05-29 12:02:50.480 - Organization: Government of the Province of British Columbia, ftp.dir.gov.bc.ca
. 2013-05-29 12:02:50.488 - Location: CA, British Columbia, Victoria
. 2013-05-29 12:02:50.496
. 2013-05-29 12:02:50.502 Valid: 2013-04-10 9:20:49 PM - 2014-05-01 12:20:55 AM
. 2013-05-29 12:02:50.510
. 2013-05-29 12:02:50.516 Fingerprint (SHA1): 2d:76:df:6e:cc:05:f5:cb:7e:42:82:69:99:5a:7c:75:44:75:e8:04
. 2013-05-29 12:02:50.524
. 2013-05-29 12:02:50.530 Summary: Unable to get local issuer certificate. The error occured at a depth of 1 in the certificate chain.
. 2013-05-29 12:02:50.538
. 2013-05-29 12:02:50.544 If you trust this certificate, press Yes. To connect without storing certificate, press No. To abandon the connection press Cancel.
. 2013-05-29 12:02:50.552
. 2013-05-29 12:02:50.558 Continue connecting and store the certificate? ()
. 2013-05-29 12:02:52.670 Peer certificate rejected
. 2013-05-29 12:02:52.679 Disconnected from server
. 2013-05-29 12:02:52.687 Connection failed.
. 2013-05-29 12:02:52.697 Attempt to close connection due to fatal exception:
* 2013-05-29 12:02:52.705 (EAccessViolation) EAccessViolation
Any hints would be appreciated.
thanks,
Jonathan
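Added example, not part of the original post and not WinSCP's own code: the post notes that passing the fingerprint with the -certificate switch works in batch mode, so this Python helper reads the fingerprint a session log recorded, checks it against a value obtained from the server operator, and writes a script that pins it instead of answering the prompt. The function names and the embedded log excerpt are constructed for illustration; "option batch abort" replaces the post's "option batch off" on the assumption that no prompt should be answered interactively.

```python
import re

# Constructed excerpt: four lines in the format of the session log quoted above.
SAMPLE_LOG = """\
. 2013-05-29 12:02:50.420 Asking user:
. 2013-05-29 12:02:50.516 Fingerprint (SHA1): 2d:76:df:6e:cc:05:f5:cb:7e:42:82:69:99:5a:7c:75:44:75:e8:04
. 2013-05-29 12:02:50.530 Summary: Unable to get local issuer certificate. The error occured at a depth of 1 in the certificate chain.
. 2013-05-29 12:02:52.670 Peer certificate rejected
"""

_FP = r"(?:[0-9a-f]{2}:){19}[0-9a-f]{2}"
_FP_LINE = re.compile(r"Fingerprint \(SHA1\): (" + _FP + r")\s*$", re.IGNORECASE)


def presented_fingerprints(log_text):
    """Return every SHA-1 fingerprint a server presented, in log order."""
    hits = (_FP_LINE.search(line) for line in log_text.splitlines())
    return [m.group(1).lower() for m in hits if m]


def normalize(fingerprint):
    """Lower-case a colon-separated SHA-1 fingerprint, rejecting anything else."""
    fp = fingerprint.strip().lower()
    if not re.fullmatch(_FP, fp):
        raise ValueError("not a colon-separated SHA-1 fingerprint: %r" % fingerprint)
    return fp


def pinned_script(session, trusted_fp, log_text, upload):
    """Build a batch script pinned to trusted_fp.

    trusted_fp must come from the server operator, not from the log: the log
    only records what an unverified peer presented during the handshake.
    """
    trusted = normalize(trusted_fp)
    unexpected = [fp for fp in presented_fingerprints(log_text) if fp != trusted]
    if unexpected:
        raise ValueError("log shows a different certificate: " + ", ".join(unexpected))
    return "\n".join([
        "option batch abort",  # fail on any error instead of waiting at a prompt
        "option confirm off",
        'open %s -certificate="%s"' % (session, trusted),
        "put %s" % upload,
        "close",
        "exit",
    ]) + "\n"
```
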