Powershell unable to get TlsHostCertificateFingerprint in correct format

Advertisement

samellinger
Joined:
Posts:
5

Powershell unable to get TlsHostCertificateFingerprint in correct format

I'm working to automate a csv upload to a external service that we subscribe to. I'm running into an issue with the Tls host certificate. Here's the code snippet and what I've tried
$HostKey = "ssh-rsa 2048 78:b7:ed:6a:2a:6d:06:61:ae:7d:f6:e5:75:7c:0d:68"
New-WinSCPSession ED -credential $Username -ftpMode Active -FtpSecure ExplicitTls -HostName $FTPHost -PortNumber $Port -Protocol $Protocol -TlsHostCertificateFingerprint $HostKey -SessionLogPath $WinSCPLog
When I run that I receive
New-WinSCPSession : Exception setting "TlsHostCertificateFingerprint": "TLS host certificate fingerprint "ssh-rsa 2048 78:b7:ed:6a:2a:6d:06:61:ae:7d:f6:e5:75:7c:0d:68:cc:bb:37:78" does not
match pattern /([0-9a-f]{2}:){19}[0-9a-f]{2}(;([0-9a-f]{2}:){19}[0-9a-f]{2})*/"
It appears that the key is matching the correct pattern but ssh-rsa 2048 does not. Ok, so I changed the variable to
$HostKey = "78:b7:ed:6a:2a:6d:06:61:ae:7d:f6:e5:75:7c:0d:68" and received the following result.
New-WinSCPSession : Exception setting "SshHostKeyFingerprint": "SSH host key fingerprint "DiscoveryED" does not match pattern /((ssh-rsa|ssh-dss)( |-))?(\d+
)?([0-9a-f]{2}(:|-)){15}[0-9a-f]{2}(;((ssh-rsa|ssh-dss)( |-))?(\d+ )?([0-9a-f]{2}(:|-)){15}[0-9a-f]{2})*/"
I then tried shortening the key length as specified in that regex to "ssh-rsa 2048 78:b7:ed:6a:2a:6d:06:61:ae:7d:f6:e5:75:7c:0d:68". However, I received the following error again
New-WinSCPSession : Exception setting "TlsHostCertificateFingerprint": "TLS host certificate fingerprint "ssh-rsa 2048 78:b7:ed:6a:2a:6d:06:61:ae:7d:f6:e5:75:7c:0d:68" does not match
pattern /([0-9a-f]{2}:){19}[0-9a-f]{2}(;([0-9a-f]{2}:){19}[0-9a-f]{2})*/"
Can someone help me understand where I am going wrong in formatting this fingerprint?

Reply with quote

Advertisement

samellinger
Joined:
Posts:
5

I got that key from Session>Server and protocol information. Here's the output from that.
Remote system = UNIX Type: L8
File transfer protocol = FTP
Cryptographic protocol = TLS/SSL Explicit encryption, TLSv1.2
Encryption algorithm = TLSv1/SSLv3: AES256-GCM-SHA384, 2048 bit RSA
Compression = No
------------------------------------------------------------
Certificate fingerprint
78:b7:ed:6a:2a:6d:06:61:ae:7d:f6:e5:75:7c:0d:68:cc:bb:37:78
That's why I was a bit confused, I'm trying to use FTP over TLS not SFTP over SSH.

Reply with quote

martin
Site Admin
martin avatar

So use 78:b7:ed:6a:2a:6d:06:61:ae:7d:f6:e5:75:7c:0d:68:cc:bb:37:78 as is for TlsHostCertificateFingerprint, and do to try to add some irrelevant prefix.

Reply with quote

samellinger
Joined:
Posts:
5

After reading the error messages a bit deeper I realized that it is accepting the TlsHostCertificateFingerprint in its current format, but complaining about not having SshHostKeyFingerprint. It appears that no matter what I do, even though the protocol is set to FTP and FTPSecure is set to ExplicitTLS it still expects SshHostKeyFingerprint no matter what. I'm not sure if that is an error with the commandlets but I'm unable to complete the command without it expecting SSH information for my FTPS connection.

Instead of using the Powershell wrapper I resorted to using the .Net assembly which is completing my connection successfully.

Reply with quote

Advertisement

samellinger
Joined:
Posts:
5

Sure, here is the code that is working correctly:
$sessionOptions = New-Object WinSCP.SessionOptions
$sessionOptions.Protocol = [WinSCP.Protocol]::ftp
$sessionOptions.HostName = "host.com"
$sessionOptions.UserName = "Username"
$sessionOptions.Password = 'Password'
$sessionOptions.TlsHostCertificateFingerprint = "78:b7:ed:6a:2a:6d:06:61:ae:7d:f6:e5:75:7c:0d:68:cc:bb:37:78"
$sessionOptions.FtpSecure = [WinSCP.FtpSecure]::Explicit
$session = New-Object WinSCP.Session
Here is the powershell commandlet that did not work:
$FTPHost = "host.com"
$Port = "21"
$Protocol = "FTP"
$Username = "Username"
$Password = convertto-securestring -string 'Password' -AsPlainText -Force
$credential = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $password
$HostKey = "78:b7:ed:6a:2a:6d:06:61:ae:7d:f6:e5:75:7c:0d:68:cc:bb:37:78"
 
New-WinSCPSession DSession -credential $Credential -ftpMode Active -FtpSecure ExplicitTls -HostName $FTPHost -PortNumber $Port -Protocol $Protocol -TlsHostCertificateFingerprint $HostKey

Reply with quote

dotps1
Contributor
Joined:
Posts:
20
Location:
United States

Please move this to GitHub, this is not an issue with WinSCP Directly, but possibly and issue with the WinSCP PowerShell Module. You can find it here: https://github.com/tomohulk/WinSCP/issues.

But at first glance, what is DSession? There are no position supported params in the New-WinSCPSession cmdlet, everything is by name only (as it is with anything I write, I don't like unnamed params). So DSession i have a feeling is throwing everything off, it basically doesn't now what that value is for.

*Edit*
I also see in your first post you have
New-WinSCPSession ED -.........
again, not sure what ED is, but this make me even more sure about the issue being a typo.

hope that helps.
*End Edit*

Reply with quote

samellinger
Joined:
Posts:
5

Sorry for the confusion with different names, that's what I get for trying to sanitize code at different times.

You are correct though, I had a value for the name of session, but looking back there is no name included in New-WinSCPSession. I thought that was part of one of the examples but looking over the examples and syntax there is not. Removing that name corrects the issue I was having with the command.

Reply with quote

Advertisement

Advertisement

You can post new topics in this forum