Certificate not authenticated against certification authority

Advertisement

lukas
Joined:
Posts:
4

Certificate not authenticated against certification authority

Hello Martin,
we are using .NET assembly in our software.
The end FTPS server uses certificate, which is signed by certification authority.
The certification authority certificate is stored in "Trusted Root Certification Authorities" at computer, which is communicating with FTP server.

If we specify certificate fingerprint of the FTP server in TlsHostCertificateFingerprint, everything works.
But if we don't, no transfer is proceeded and we get "Connection failed." error message.

We want the certificate to be authenticated against the certification authority, so at every change of end FTP certificate we wouldn't need to change the certificate fingerprint of FTP server in our program settings.


More details:

WinSCP version: 5.7.5.5665
Windows version: Windows Server 2012 Standard 64bit
Protocol: FTPS, TLS, FTPSecure.Explicit
Using: .NET assembly

Error message in log:
Connection failed.

Stack Trace:
at WinSCP.SessionLogReader.Read(LogReadFlags flags)
at WinSCP.SessionElementLogReader.Read(LogReadFlags flags)
at WinSCP.CustomLogReader.WaitForNonEmptyElementAndCreateLogReader(String localName, LogReadFlags flags)
at WinSCP.Session.Open(SessionOptions sessionOptions)
at SPCopyToFTP.CopyFtp.TransferFilesToFtp()
at SPCopyToFTP.Program.Main(String[] args)

Thanks for the reply.

Lukas

Reply with quote

Advertisement

martin
Site Admin
martin avatar
Joined:
Posts:
41,441
Location:
Prague, Czechia

Re: Certificate not authenticated against certification authority

Please attach a full session log file showing the problem (using the latest version of WinSCP).

To generate log file, set Session.SessionLogPath. Submit the log with your post as an attachment. Note that passwords and passphrases not stored in the log. You may want to remove other data you consider sensitive though, such as host names, IP addresses, account names or file names (unless they are relevant to the problem). If you do not want to post the log publicly, you can mark the attachment as private.

Reply with quote

lukas
Joined:
Posts:
4

Re: Certificate not authenticated against certification authority

Hi, thank you for the reply.

I am posting the session log here, because when trying to add it as an attachment (clicking Browse... button), I got an error, no matter what browser I used. (IE, chrome and FF).


. 2015-09-11 14:56:49.960 --------------------------------------------------------------------------
. 2015-09-11 14:56:49.960 WinSCP Version 5.7.5 (Build 5665) (OS 6.2.9200 - Windows Server 2012 Standard)
. 2015-09-11 14:56:49.960 Configuration: nul
. 2015-09-11 14:56:49.960 Log level: Normal
. 2015-09-11 14:56:49.960 Local account: ABC\admin
. 2015-09-11 14:56:49.960 Working directory: D:\Applications\FTPApp
. 2015-09-11 14:56:49.960 Process ID: 6276
. 2015-09-11 14:56:49.960 Command-line: "D:\Applications\FTPApp\winscp.exe" /xmllog="C:\Users\Admin\AppData\Local\Temp\wscp2C54.0149C1E6.tmp" /xmlgroups /nointeractiveinput /dotnet=575 /ini=nul /log="SessionLog.log" /console /consoleinstance=_11348_60281111_960
. 2015-09-11 14:56:49.960 Time zone: Current: GMT+2, Standard: GMT+1 (Central Europe Standard Time), DST: GMT+2 (Central Europe Daylight Time), DST Start: 29. 3. 2015, DST End: 25. 10. 2015
. 2015-09-11 14:56:49.960 Login time: 11. září 2015 14:56:49
. 2015-09-11 14:56:49.960 --------------------------------------------------------------------------
. 2015-09-11 14:56:49.960 Script: Retrospectively logging previous script records:
> 2015-09-11 14:56:49.960 Script: option batch on
< 2015-09-11 14:56:49.960 Script: batch on
< 2015-09-11 14:56:49.960 Script: reconnecttime 120
> 2015-09-11 14:56:49.960 Script: option confirm off
< 2015-09-11 14:56:49.960 Script: confirm off
> 2015-09-11 14:56:49.960 Script: option reconnecttime 120
< 2015-09-11 14:56:49.960 Script: reconnecttime 120
> 2015-09-11 14:56:49.960 Script: open ftp://abc:***@10.xx.xx.xx -explicit -passive=1 -timeout=15
. 2015-09-11 14:56:49.960 --------------------------------------------------------------------------
. 2015-09-11 14:56:49.960 Session name: abc@10.xx.xx.xx (Ad-Hoc site)
. 2015-09-11 14:56:49.960 Host name: 10.xx.xx.xx (Port: 21)
. 2015-09-11 14:56:49.960 User name: userName (Password: Yes, Key file: No)
. 2015-09-11 14:56:49.960 Transfer Protocol: FTP
. 2015-09-11 14:56:49.960 Ping type: C, Ping interval: 30 sec; Timeout: 15 sec
. 2015-09-11 14:56:49.960 Disable Nagle: No
. 2015-09-11 14:56:49.960 Proxy: none
. 2015-09-11 14:56:49.960 Send buffer: 262144
. 2015-09-11 14:56:49.976 UTF: 2
. 2015-09-11 14:56:49.976 FTP: FTPS: Explicit TLS; Passive: Yes [Force IP: A]; MLSD: A [List all: A]
. 2015-09-11 14:56:49.976 Session reuse: Yes
. 2015-09-11 14:56:49.976 TLS/SSL versions: TLSv1.0-TLSv1.2
. 2015-09-11 14:56:49.976 Local directory: default, Remote directory: home, Update: Yes, Cache: Yes
. 2015-09-11 14:56:49.976 Cache directory changes: Yes, Permanent: Yes
. 2015-09-11 14:56:49.976 Timezone offset: 0h 0m
. 2015-09-11 14:56:49.976 --------------------------------------------------------------------------
. 2015-09-11 14:56:49.976 Connecting to 10.xx.xx.xx ...
. 2015-09-11 14:56:49.976 Connected with 10.xx.xx.xx, negotiating TLS connection...
< 2015-09-11 14:56:49.991 220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.xx.xx.xx]
> 2015-09-11 14:56:49.991 AUTH TLS
< 2015-09-11 14:56:49.991 234 AUTH TLS successful
. 2015-09-11 14:56:50.147 Verifying certificate for "Company Name" with fingerprint 1c:4a:81:d4:ac:8c:60:f7:0c:3b:d3:21:63:8e:a3:85:b9:03:96:4c and 20 failures
. 2015-09-11 14:56:50.257 Certificate verified against Windows certificate store
. 2015-09-11 14:56:50.257 Asking user:
. 2015-09-11 14:56:50.257 **The server's certificate is not known. You have no guarantee that the server is the computer you think it is.**
. 2015-09-11 14:56:50.257
. 2015-09-11 14:56:50.257 Server's certificate details follow:
. 2015-09-11 14:56:50.257
. 2015-09-11 14:56:50.257 Issuer:
. 2015-09-11 14:56:50.257 - Organization: Company Name, CA Auxiliary, aux@aa.cz
. 2015-09-11 14:56:50.257 - Location: CZ, Czech Republic, Mesto
. 2015-09-11 14:56:50.257
. 2015-09-11 14:56:50.257 Subject:
. 2015-09-11 14:56:50.257 - Organization: Company Name, Provoz aplikaci, yyy.serverspolecnosti.cz
. 2015-09-11 14:56:50.257 - Location: CZ, Czech Republic, Mesto
. 2015-09-11 14:56:50.257
. 2015-09-11 14:56:50.257 Valid: 8. 6. 2015 9:35:50 - 10. 7. 2017 9:35:50
. 2015-09-11 14:56:50.257
. 2015-09-11 14:56:50.257 Fingerprint (SHA-1): 1c:4a:81:d4:ac:8c:60:f7:0c:3b:d3:21:63:8e:a3:85:b9:03:96:4c
. 2015-09-11 14:56:50.257
. 2015-09-11 14:56:50.257 Summary: Certificate was not issued for this server. You might be connecting to a server that is pretending to be "10.xx.xx.xx".
. 2015-09-11 14:56:50.257
. 2015-09-11 14:56:50.257 If you trust this certificate, press Yes. To connect without storing certificate, press No. To abandon the connection press Cancel.
. 2015-09-11 14:56:50.257
. 2015-09-11 14:56:50.257 Continue connecting and store the certificate? ()
. 2015-09-11 14:56:50.257 Peer certificate rejected
. 2015-09-11 14:56:50.257 Disconnected from server
. 2015-09-11 14:56:50.257 Connection failed.

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
41,441
Location:
Prague, Czechia

Re: Certificate not authenticated against certification authority

A you can see the certificate was verified against the Windows certificate store:

. 2015-09-11 14:56:50.257 Certificate verified against Windows certificate store

But as you use an IP address instead of a hostname to connect to the server, WinSCP was not able to verify that the certificate was issued for the server:

. 2015-09-11 14:56:50.257 Summary: Certificate was not issued for this server. You might be connecting to a server that is pretending to be "10.xx.xx.xx".

I admit that the message does not reflect that you used the IP address, I'll improve that:
https://winscp.net/tracker/1359

Reply with quote

lukas
Joined:
Posts:
4

Re: Certificate not authenticated against certification authority

Thank you so much, that was it!

The FTP server certificate couldn't be verified against the certification authority, because of connecting to IP number.
When we switched the IP with hostname, the certificate was verified and connection was successful (without specifying the certificate fingerprint in FTP session).

Have a good day,
Lukas

Reply with quote

Advertisement

You can post new topics in this forum